On 24 June 2022, the National Information Security Standardization Technical Committee officially released the Certification Requirements for Cross-border Transfer of Personal Information (hereinafter referred to as the Requirements). As a certification support to the Personal Information Protection Law (PIPL), the Requirements may improve the transfer efficiency for normal data processors (i.e. non-Critical Information Infrastructure Operators, non-major-processors) and ensure equal protection of the personal information transferred abroad.

The Requirements specify the application scenarios, certification subjects, basic principles, and the protection of the personal information rights owners. Compared with the draft for comments previously issued in April 2022, the final version of the Requirements incorporates certain adjustments. Firstly, it specifies that the Requirements only apply to the information processors and offshore receivers – which can be seen as a clarification of the term “stakeholders” originally included in the draft for comments. Secondly, the Requirements clearly state that applicants of the certification have to be in compliance with the GB/T 35273 Information security technology - Personal information security specification. Thirdly, cross-border transfer activities among related entities are now included as one of the applicable scenarios of the Requirements, although the definition of ‘related entities’ is yet to be clarified. Fourthly, the information owners enjoy the right of revoking the consent to the cross-border transfer of personal information. Fifthly, the final version introduces a new obligation for information processors and offshore receivers in case of incidents threatening the security of the information, i.e. they shall take immediate remedial action and inform the competent authorities in case that information leakage, tempering or loss are taking place or may possibly take place.

The following is a summary of the key points that foreign companies processing data must pay particular attention to:

l Certification structure. The Requirements clearly specify the obligations of the two parties 

Please register our membership to read more ...