On November 18, 2022, the State Administration for Market Regulation ("SAMR") and the Cyberspace Administration of China ("CAC") jointly issued the "Announcement on the Implementation of Personal Information Protection Certification" and its annex, the "Implementation Rules for Personal Information Protection Certification" (referred to as the "Certification Rules"), with the intention of encouraging personal information handlers to enhance their personal information protection capabilities and to improve the cross-border rules for personal information through certification.

According to the "Certification Rules", the certification mode of personal information protection certification is: Technical Verification + On-site Examination + Post-certification Supervision. The certification process is generally divided into four steps:

  1. The certification agency determines the certification plan on the basis of the certification materials submitted by the personal information handler, including the type and quantity of personal information, the scope of personal information processing activities involved, and the information of the technical certification agency;
  2. The technical verification agency will implement technical verification in accordance with the certification plan and issue a technical verification report;
  3. The certification agency will conduct on-site examination of personal information handlers and issue on-site examination reports;
  4. The certification agency will conduct a comprehensive evaluation on the basis of the certification entrustment materials, technical verification reports, on-site examination reports and other relevant materials and information, and make the final certification decision.

If the certification requirements are met, a certification certificate valid for three years will be issued. The certification agency will continuously supervise the personal information handler throughout the validity period.

The "Certification Rules" specify the application, basic principles, and basic requirements of being "certified by a specialized agency for protection of personal information in accordance with the provisions of the Cyberspace Administration of China" as stipulated in Article 38(2) of the "Personal Information Protection Law". Regarding the promulgation of the "Certification Rules", we believe that it not only effectively supports the implementation basis for the "certification" path in cross-border transfers of personal information, but also provides an effective implementation plan for the certification service within the "socialized service system for personal information protection" in Article 62(4) of the "Personal Information Protection Law".

According to the "Certification Rules", personal information handlers who carry out cross-border processing activities must meet not only the requirements of GB/T 35273 "Information Security Technology—Personal Information Security Specification", but also the requirements of TC260-PG-20222A "Security Certification Specifications for Cross-Border Processing of Personal Information". In other words, the second compliance path for cross-border transfers of personal information, the "certification path", requires meeting the requirements of both of the aforementioned national standards at the same time.

GB/T 35273 "Information Security Technology—Personal Information Security Specification" is a national recommended standard jointly issued by the SAMR and the Standardization Administration ("National Information Security Standardization Technical Committee"). The latest version is the 2020 version, which was one of the most important reference bases for enterprises building a personal information protection compliance system before the promulgation of the Personal Information Protection Law. TC260-PG-20222A "Security Certification Specifications for Cross-Border Processing of Personal Information", by contrast, is a technical specification document issued by the National Information Security Standardization Technical Committee; the comment period on its second draft closed in mid-November, and it has not yet been officially promulgated. In addition, "Information Security Technology—Requirements for Certification of Cross-border Transfers of Personal Information" is also being formulated in accordance with the "List of Requirements for National Standards on Cybersecurity in 2022" and the "List of Projects for National Standards on Cybersecurity in 2022" published by the National Information Security Standardization Technical Committee, with the purpose of supporting the work of security certification for cross-border provision of personal information under Article 38 of the "Personal Information Protection Law".
