Latham & Watkins February 28, 2023 | Number 3055 | Page 3
Certification Scope and Requirements
Scope of Application
The Certification Rules apply to all types of PI Processors’ processing activities, including: collection,
storage, use, processing, transmission, provision, disclosure, deletion, and cross-border data transfer. In
order to obtain a Certification for cross-border data transfers, PI Processors must comply with the
following standards, notwithstanding that they are only a voluntary national standard and technical
committee guidance, respectively:
• Information Security Technology — Personal Information Security Specification (GB/T 35273-2020), a
voluntary national standard issued by SAMR and the Standardization Administration of the PRC (see
official English translation).
• Security Certification Specification for Cross-border Processing of Personal Information
(TC260-PG-20222A). On December 16, 2022, the National Information Security Standardization Technical
Committee (TC 260) released the second version of the Network Security Standards Practice Guide
— Technical Specifications for the Security Certification of Personal Information Cross-Border
Processing (Certification Specification V2.0) (see Chinese version). It supersedes and replaces the
first version which was released on June 24, 2022 (Certification Specification V1.0). If a Certification
is required in circumstances other than cross-border data transfers, PI Processors do not need to
comply with Certification Specification V2.0 or its later version.
Unlike the Certification Rules published by SAMR and CAC, which are legally binding, the specifications
above do not have the force of law. However, the Certification Rules expressly refer to the latest version
of Information Security Technology — Personal Information Security Specification (GB/T 35273-2020)
and the latest version of Certification Specification V2.0 as the basis of the Certification and require a PI
Processor’s compliance in order to transfer personal information outside of the PRC. This reference
appears to indirectly elevate the legal status of GB/T 35273-2020 and Certification Specification V2.0.
The Certification Specification V2.0 significantly expands the Certification’s scope of application to cover
any and all cross-border transfers of personal information. In comparison, the Certification Specification
V1.0 states that the Certification mechanism may only apply in two scenarios, namely intra-group data
transfers and cross-border data transfers by an overseas PI Processor.
Certification Applicant Requirements
The Certification Specification V2.0 also clarifies who may qualify as applicants for the Certification
mechanism:
1. Branches and representative offices are excluded: The applicant for the Certification must be a
PRC entity with a valid legal personality, normal operations, and good credit and reputation. While
“normal operations” and “good credit and reputation” remain undefined, it is clear that branches and
representative offices in the PRC do not qualify as applicants for obtaining a Certification.
2. Local representative to apply for cross-border data transfers: The Certification Specification V2.0
distinguishes between two scenarios and who may act as the applicant for each. For intra-group data
transfers, the applicant must be the PRC entity (i.e., the domestic subsidiary), and for cross-border
data transfers by overseas PI Processors, the applicant must be the local representative appointed by
the overseas PI Processor in the PRC, in accordance with Article 53 of the PIPL.