Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To

It is now time to focus on the steps that data controllers need to take to legitimize overseas processing of China personal information via the CAC certification route.

Background: While most PRC data controllers should have already identified whether to follow the CAC assessment/approval route (see our summaries here and here), the China SCCs route (see our summary here) or a specific route for regulated industries, and have started complying with the requirements of that route, until now non-PRC data controllers processing China personal information have known they likely have to follow the CAC certification route, but not understood what that entails.

Now, closely following the China SCCs being finalised, the Draft Guidelines on Certification Requirements for Cross-Border Transfers of Personal information (“Draft Guidelines”) – the final one of the three main routes to legitimizing cross-border transfers – were published for public consultation on 16 March 2023.

Who may go through the CAC certification route:
  1. non-PRC data controllers of China personal information; and
  2. a limited number of PRC data controllers who only transfer China personal information outside of Mainland China to their group companies (and no onward transfers beyond the group) and who do not meet the thresholds for the other three cross-border data transfer (“CBDT”) routes.

By way of reminder of the other CBDT routes:

  • organisations that meet the thresholds for the CAC assessment/approval route are: (1) organisations designated as a Critical Information Infrastructure Operator; (2) organisations that export “important data”; (3) organisations that process personal information of more than one million individuals and intend to export some of it; or (4) personal information controllers that transfer overseas (i) personal information of more than 100,000 individuals in aggregate, or (ii) sensitive personal information of more than 10,000 individuals in aggregate, where “in aggregate” means in the period from 1 January of the preceding year;
  • organisations that meet the China SCCs route are PRC data controllers that do not meet the CAC assessment/approval thresholds and transfer data outside of China beyond just their own group of companies; and
  • certain regulated industries will need to follow a route specified by their industry regulator.

What is the CAC certification route: those that must follow the CAC certification route will have to take the following five steps to legitimize the cross-border transfer of China personal information:

  1. Legally binding agreement: a DPA containing prescribed obligations must be put in place by the data controller with the overseas recipient of the China personal information to ensure the rights and interests of data subjects are adequately protected. The agreement should at a minimum include:
      • basic information about the data controller and overseas recipient;
      • purpose, scope, type, sensitivity, quantity, method, retention period, storage location of cross-border data processing;
      • the responsibilities and obligations of data controllers and overseas recipients in protecting personal information;
      • data subject rights, and the means of safeguarding such rights;
      • relief, termination, liability for breach, dispute resolution etc.;
      • the overseas recipient undertaking to comply with the same set of obligations as the data controller for CBDT, and that the level of protection does not fall below the standards stipulated by the requirements under PRC laws and regulations;
      • the overseas recipient undertaking to be subject to ongoing monitoring of cross-border processing of personal information by the CAC certification body (see below);
      • the overseas recipient undertaking to accept the jurisdiction of PRC data protection laws and regulations;
      • a clearly specified legal entity within the PRC being responsible for fulfilling obligations to protect personal information;
      • the data controller and overseas recipient undertaking to assume civil liability for the infringement of personal information rights, and clearly agreeing on the civil liability assumed by each party; and
      • other obligations under applicable laws and regulations.

Data subjects are given third party beneficial rights under the legally binding agreement, which enable them to exercise their data subject rights and seek recourse directly from the overseas recipient.

Organisations may consider entering into the China SCCs as a starting point, and supplementing them as appropriate (i.e. including requirements such as ongoing monitoring by the CAC certification body).

  2. Organisational management: the data controller must:
      • appoint a DPO: the Draft Guidelines set out the scope of responsibilities of the DPO, but do not clarify where (i.e. inside or outside of Mainland China) the DPO should reside, and how this aligns with the “legal representative” concept for non-PRC data controllers in the Personal Information Protection Law (“PIPL”) (and mentioned above in connection with the legally binding agreement); and
      • establish a “Personal information Protection Agency” within its organisation to fulfil the obligations of personal information protection (most notably conducting PIIAs, regular compliance audits, and cooperating with the certification body as part of their ongoing supervision of cross-border processing activities). Again, the Draft Guidelines unfortunately don’t specify where and how this should be established for non-PRC data controllers.
  3. General rules for handling personal information: putting in place a data protection compliance programme to ensure that China personal information is processed to standards akin to the PIPL and other China data protection laws, such as data security and data retention.
  4. PIIAs: undertake a personal information impact assessment (“PIIA”, China’s version of the GDPR DPIA) for each overseas transfer.
  5. Certification process: the Draft Guidelines do not elaborate on the actual “certification” process and timelines, save that the certification bodies are being appointed by local CAC branches to undertake ongoing supervision of those that must follow the CAC certification route. This indicates that some form of registration or more will be required, and somewhat surprisingly suggests that monitoring will be of both the data controller and overseas recipients of the China personal information.

CAC certification is not the only CBDT compliance step: taking the above CAC certification steps alone does not legitimize the cross-border transfers of personal information. If you are subject to the CAC certification framework, do not forget the need to obtain separate, explicit consent from data subjects for the cross-border data transfer (on top of general consent to data processing and other separate consents for processing of (inter alia) sensitive personal information).

Next steps

Public consultation on the Draft Guidelines closes on 15 May 2023. It is not uncommon for changes to be made to the Draft Guidelines before they are finalised, so organisations should closely monitor developments over the coming months. In the meantime, organisations should press ahead with the other CBDT compliance steps outlined immediately above in anticipation of the CAC certification process being finalised.

Please contact Carolyn Bigg (Partner) or Amanda Ge (Of Counsel) if you have any questions or to see what this means for your organisation.