On 16 December 2022, the National Information Security Standardisation Technical Committee (TC260) circulated the 2.0 version of the Technical Certification Specification for Certification of Personal Information Cross-border Processing (Certification Specification 2.0).
The Certification Specification explicitly requires PI processors applying for the certification to comply with the requirements of the non-binding national standard Information Security Technology – Personal Information Security Specification published by the TC260 (Security Specification).
The Certification Specification 2.0 specifies who is qualified to apply for the PI Export Certification:
The basic requirements under the Certification Specification include:
Some essential elements of the certification regime are not addressed by the Certification Specification, such as the accredited certification bodies, the certification procedure and the effective period of the certification, which we expect to be covered by future regulations and guidelines. As such, a more practical option for companies exporting PI at this stage is to opt for the Standard Contract, provided they are not subject to the Security Assessment.
The Certification Specification 2.0 is a useful attempt by the TC260 to establish the certification regime for data export in China, but the regime will not be complete in the absence of higher-level mandatory regulations. In addition, many questions, such as how the Certification Specification applies to PI processors subject to the extraterritorial effect of the PIPL, need further explanation.
*Information is accurate up to 27 November 2023