A MoFo Privacy Minute Q&A: China PIPL Edition (Issue 4)

This is issue #4 of A MoFo Privacy Minute Q&A: China PIPL Edition, where we answer questions about China’s Personal Information Protection Law (PIPL) in sixty seconds or less.

Question: What does a PI export certification involve and have implementing rules been issued?

Answer: Securing a PI protection certification from a specialized agency is a mechanism recognized under PIPL that permits an eligible PI handler (broadly akin to a “controller” in GDPR parlance) to export personal information (PI). This mechanism is distinct from the requirement to obtain an approval for a security assessment from the Cyberspace Administration of China (CAC), which is mandatory for certain categories of PI handler.

Detailed rules were recently made available in relation to the certification mechanism, including both regulations setting forth the application procedure and a certification specification defining technical certification standards and criteria. An established State-owned certification agency, the China Cybersecurity Review Technology and Certification Center (CCRC), has also formally launched a certification service, with details explained on its webpage and a standard template application form (both in Chinese language).

Notable points include the following:

• The certification is available to intra-group PI transfers and potentially other transfer scenarios.
• The certification will be with regard to overall PI protection arrangements and not simply those arrangements relevant to PI exports.
• The applicant for certification must be a legal person. A branch or representative office is not eligible to apply for a certification. This also suggests that PRC authorities are likely to look to companies on an integrated basis (and not separately to company branches) to comply with PI export restrictions.
• CCRC’s template application form suggests that certification will involve an in-depth review of the applicant’s data handling and export activities, including an onsite audit.
• After the obtaining of a certification, the certification agency will then conduct ex-post supervision at reasonable intervals (determined by the certification agency) to ensure that the certified party continues to meet certification requirements.

Visit our newly launched China Privacy and Data Security Resource Center to stay up to date on legal and business analysis related to the latest China privacy and data topics. Explore our Privacy + Data Security page for additional information from our Privacy Library and Resource Centers form Cybersecurity, U.S. State Privacy Laws, and the GDPR + European Privacy.