China Solicits Opinion for the Certification of the Exit of Personal Information
Published 8 January 2025
Fei Dang
On January 3, 2025, the Cyberspace Administration of China (the CAC) issued a draft of the Regulation regarding the Personal Information Protection and Certification on the Exit of the Personal Information (the Drafted Regulation) for public opinion.
According to the Drafted Regulation, the Personal Information Protection and Certification of the Exit of the Personal Information refers to the personal information protection and certification on the exit of personal information by the processors of the personal information, which are professional certification institutions that are qualified for the personal information certification approved by the market regulation departments and established in accordance with the law.
The exit of personal information above refers to acts by personal information processors of providing personal information outside the People’s Republic of China due to business demand, etc., including but not limited to: 1) personal information processors transferring overseas the personal information collected and generated within China; 2) personal information processors storing the collected and generated personal information within China while overseas institutions, organizations, and persons can search, retrieve, download, and export it; 3) other personal information processing activities that deal with domestic personal information overseas and fulfill the circumstances provided in Article 3.2 of the PRC Personal Information Protection Law. (Article 3.2 of the PRC Personal Information Protection Law provides that “This Law also applies to activities outside the People's Republic of China that deal with the personal information of natural persons in the People's Republic of China under any of the following circumstances: (1) For the purpose of providing products or services to natural persons within the territory; (2) Analyzing and evaluating the behavior of natural persons within the territory; (3) Other circumstances stipulated by laws and administrative regulations”.)
The Drafted Regulation also provides that a personal information processor within China that provides personal information in the manner herein shall simultaneously fulfill the following circumstances: 1) it is not a critical information infrastructure facility operator; 2) since January 1 of that year, it has cumulatively provided to foreign countries the personal information (excluding sensitive personal information) of more than 100,000 but less than 1 million people, or the sensitive personal information of less than 10,000 people.
Regarding the content of the certification, the Drafted Regulation lists the following: 1) the legality, legitimacy, and necessity of the purpose, scope, and manner of personal information leaving the country; 2) the impact on the security of outbound personal information of the personal information protection policies and laws, and the network and data security environment, of the country or region where the overseas personal information processor or overseas recipient is located; 3) whether the level of protection of personal information of overseas personal information processors and overseas recipients meets the requirements of the laws and administrative regulations of the People's Republic of China and mandatory national standards; 4) whether the legally binding agreement concluded between the personal information processor and the overseas recipient has agreed on the obligation of personal information protection; 5) whether the organizational structure, management system and technical measures of the personal information processor and overseas recipient can adequately and effectively safeguard data security and the rights and interests of personal information; 6) other matters that the professional certification institutions deem necessary to assess according to the standards related to personal information protection certification. If they discover that the exit of the personal information damages national security or the public interest, or severely impacts personal information rights and interests, the professional certification institutions shall report in a timely manner to the cyberspace administration department and other related departments.
It is commented that the issuance of the Drafted Regulation is not only necessary to align with the relevant international rules (e.g. the GDPR from the EU), but also a way to implement specific systems provided in the relevant laws. For instance, in accordance with Article 38 of the Regulations on the Management of Cyber Data Security, “personal information protection certification by professional institutions provided in regulations of the cyberspace administration departments” is one of the conditions to be fulfilled in order to provide personal information overseas. The opinion solicitation will end on February 3, 2025.