On 24 June 2022, China’s National Information Security Standardization Technical Committee released the “Practice Guide on Cybersecurity Standards – Specification on Security Certification for Cross-border Processing of Personal Information” (网络安全标准实践指南—个人信息跨境处理活动安全认证规范, hereinafter referred to as “Practice Guide”).
According to the Personal Information Protection Law (PIPL), Chinese personal information processors who need to provide PI outside the borders of the People’s Republic of China shall undergo personal information protection certification conducted by a specialized authority.
The Practice Guide aims to provide a legal basis for the specialized authority to implement personal information protection certification, as well as a reference for personal information processors to help them regulate the cross-border processing of personal information.
The Practice Guide applies to the following circumstances:
(1) cross-border processing of personal information within multinational companies, or subsidiaries or affiliates of the same economic or business entity; and
(2) cross-border processing of personal information to which Paragraph 2 of Article 3 of the PIPL applies, i.e., “the activities of processing the personal information of natural persons in China,” including:
- (a) activities aimed at providing products or services to natural persons in China;
- (b) activities of analyzing or evaluating the behavior of natural persons in China; OR
- (c) other circumstances specified in laws and regulations.
Cover Photo by Xu A on Unsplash
Contributors: CJO Staff Contributors Team