Public opinion sought on cross-border personal data sharing

The Cyberspace Administration of China, the country's top internet regulator, is soliciting opinions from the public for a series of newly drafted guidelines on the cross-border flow of personal information.

The draft of the personal information cross-border protection certification measures, formulated in accordance with the Personal Information Protection Law and other Chinese laws and regulations, was released on Friday for consultation, with a deadline for public comments set for Feb 3.

According to the draft, the proposed measures aim to enhance the secure and efficient flow of personal information across borders, establishing a clear framework for the certification process.

According to the draft, the certification should be managed by authorized professional organizations that have received approval from the State Administration for Market Regulation. These organizations would assess the personal information handling practices of companies transferring data overseas.

Under the new rules, any organization that needs to transfer personal information from China to overseas entities must undergo a certification process. This includes cases in which personal information collected and generated in China is transmitted abroad or stored domestically but made accessible to foreign parties. Certification would also be required for foreign entities processing Chinese personal data.

Key criteria for certification will focus on the legality and necessity of the cross-border data transfer, as well as the impact of data protection standards in the destination country on personal information overseas, according to the draft.

The certification process will also evaluate whether the foreign data processor's practices align with Chinese data protection laws and whether binding legal agreements between Chinese companies and foreign entities clearly define data protection responsibilities, it added.

The evaluations will include the organizational and technical measures in place to safeguard data security and individuals' privacy rights.

Meanwhile, the draft establishes strict conditions for domestic personal information processors seeking to transfer personal data abroad, setting quantitative limits on the scale of data transfers.

It stipulates that certification applies to entities transferring non-sensitive data of more than 10,000 but fewer than 100,000 individuals annually, or sensitive personal data of fewer than 10,000 individuals.

To oversee the process, CAC and relevant authorities will establish standards, technical regulations, and evaluation procedures to monitor and manage the certification of cross-border personal information flow. The SAMR and CAC will jointly determine the implementation rules, including issuing unified certificates and official marks.

Organizations and individuals who believe that certified entities are violating the new rules and improperly transferring personal data abroad are encouraged to report the violations to provincial-level internet authorities or other relevant government agencies, the draft said.

Ma Qingquan, a lawyer from Wincon Law Firm in Qingdao, Shandong province, said in an article explaining the draft that the introduction of these measures provides clear compliance pathways and responsibilities for personal information handlers involved in cross-border data transfers, offering clear guidance for their international operations.

For certification agencies, the measures standardize each step of the process to ensure the professionalism and fairness of the certification work, while offering specific supervisory frameworks for regulatory authorities to enhance effectiveness, Ma added.