[China] "Expert interpretations" on Personal Information Protection Certification System
On 3 Jan 2025, together with issuing the draft Certification Measures, the CAC published five “expert interpretations” (专家解读) relating to the Measures, written by:
Guo Zhenhuan, Director of Data and Technology Support Center, CAC; Jiang Songhao, Engineer at Data and Technology Support Center, CAC
Chen Shixiang, Director of the Fifth Division of Cybersecurity Review at the China Cybersecurity Review Technology and Market Surveillance Big Data Center
[The Center is a professional certification body.]
Wang Hui, Senior Engineer at the National Computer Network Emergency Response Technical Team/Coordination Center of China
Wu Shenkuo, Doctoral Supervisor at Beijing Normal University Law School and Deputy Director of the Research Center at the Internet Society of China
Zhang Jinping, Director of Numerical Law Teaching and Training Office, Central Financial University
Further below are the key / interesting points from each, together with the original Chinese and machine-translated English versions. And before that, here are my top takeaways:
Some of the writers say that China's "international exchange and cooperation" and mutual recognition of certification demonstrate China's "inclusive and open attitude" towards international cooperation in CBDF.
I respectfully think that, for China's certification system to gain credibility outside of China, China needs to go further than creating this transfer mechanism and demonstrate how it actually works, since it appears to work differently from the Global/APEC CBPR system, as well as achieve mutual recognition with a country other than the regions in the Greater Bay Area.
In China's eyes, the purpose of certification does not appear to be the diversification of transfer mechanisms in order to give companies options (giving options is something that Singapore tries to do for companies), but rather:
to let companies get help from professional certification institutions on improving their CBDT compliance; and
to lighten the government’s workload in helping companies with CBDT compliance as well as processing standard contract filings.
Based on wording used by one of the authors, it still seems that what is being certified is data transfers, whether one or many, rather than the entity per se.
In my Substack post analysing the draft Certification Measures, I raised the question of whether overseas entities receiving personal data directly from individuals in China would be required to obtain certification. The Opinions do not clarify this, but one of the authors said that once the overseas PI processor obtains certification, "PI can legally flow across borders within the scope and validity period of the certification, regardless of whether the transfer is initiated by the domestic or overseas party".
If China's overall intent is to ensure that PI continues to be protected even when overseas (and some authors talk about this), then requiring overseas entities to obtain certification plugs the gap where locals' PI is transferred directly to overseas entities. China will be the first country in the world to have such a requirement, and this would be quite a concerning development.
Guo Zhenhuan, Director of Data and Technology Support Center, CAC; Jiang Songhao, Engineer at Data and Technology Support Center, CAC
Establishing a Personal Information (PI) Export Protection Certification System to Ensure Secure and Orderly Cross-border Flow of PI
The authors say that certification is an internationally accepted rule for cross-border transfers, and refer to Articles 42 and 43 of the EU GDPR, and the APEC CBPR and PRP as well as Singapore’s recognition of them.
[The concept of certification is accepted in many countries, but based on the operational differences between the versions from China, EU, and Global/APEC CBPR, I would caveat that there is no global consensus on how certification should work.]
China promotes international exchange and cooperation in certification and mutual recognition of certification, demonstrating China's inclusive and open attitude towards international cooperation in cross-border data flows, and laying the foundation for establishing cross-border data flow mechanisms with other countries, regions, and international organisations.
[With respect, in order for its certification system to gain credibility outside of China, I think China needs to go further than this and demonstrate how its system works (since it appears to be different from how, e.g., the Global/APEC CBPR works), as well as achieve mutual recognition with a country other than the regions in the Greater Bay Area.]