The PRC issued Cross-Border Personal Information Handling Security Certification Specifications—one of three ways institutions of higher education can transfer personal information outside PRC borders—on December 16, 2022.
The Certification Specifications describe the requirements institutions of higher education must follow if they wish to transfer personal information outside of the PRC on the basis of personal information protection certification.
As 2022 came to a close, the People’s Republic of China (PRC) Secretariat of the National Information Security Standardization Technical Committee presented the world with another piece of the Personal Information Protection Law (PIPL) compliance puzzle: the Cross-Border Personal Information Handling Security Certification Specifications (Certification Specs), effective December 16, 2022. The Certification Specs shed light on the requirements U.S. colleges and universities will need to fulfill if they wish to transfer or share personal information (PI) outside PRC borders on the basis of PI protection certification, one of three potential PIPL cross-border transfer mechanisms available to U.S. colleges and universities.
PIPL Cross-Border Transfer Mechanisms
When a U.S. college or university obtains PI from an individual or entity within the PRC, it triggers the PIPL’s cross-border transfer obligations. For example, when a prospective student in the PRC applies to a U.S. university, if the university downloads, retrieves, or otherwise accesses the application data within the U.S., such access is considered a cross-border transfer that subjects the university to the PIPL’s cross-border transfer obligations. Likewise, if the university receives PI from a third party located in the PRC, such as a PRC cooperative education program partner institution, then the transfer of PI from the third party to the U.S. university is also subject to the PIPL’s cross-border transfer obligations (regardless of whether the PI subject is located within the PRC).
To access or receive PI collected directly from PI subjects located within PRC borders, or to access or receive any PI from a third party located within PRC borders, PIPL article 39 usually requires the transferor to obtain consent from the PI subject, and PIPL article 38 additionally requires the transferor to implement one of the following cross-border transfer mechanisms:
Passing a security assessment conducted by the PRC National Cyberspace Department;
Entering into standard contractual clauses (issued by the PRC National Cyberspace Department) with the PI recipient; or
Obtaining PI protection certification from a local PRC certification authority.
In a cross-border transfer where a U.S. college or university receives PI from a third party (e.g., when a U.S. university receives research data collected by a PRC university), the PIPL’s cross-border transfer obligations are imposed upon the third party providing the PI to the U.S. college or university. Meaning, the PIPL requires the third party, rather than the U.S. college or university, to obtain consent and implement one of the above cross-border transfer mechanisms. However, if the third party’s chosen transfer mechanism is security assessment or PI protection certification, then the U.S. college or university will be subject to investigation by PRC authorities pursuant to the assessment or certification process.
Even when the PIPL’s cross-border transfer obligations are imposed upon a third party, rather than a U.S. university itself, failure to comply with the PIPL’s cross-border transfer obligations could nevertheless adversely impact U.S. universities. For example, in March 2023, China National Knowledge Infrastructure (CNKI), the largest academic database in China, suddenly suspended U.S. universities’ access to large portions of CNKI’s database, citing the need to “take actions to ensure [CNKI’s] cross-border services are in compliance with the law.” When a PRC vendor or partner institution faces regulatory pressure from local PRC authorities, it is understandable that they may suddenly suspend PI transfers to U.S. colleges and universities, no matter how disruptive and costly such suspension may be to the U.S. institution’s operations.
Outside the limited circumstances requiring a security assessment, PI handlers are free to choose which of the three cross-border transfer mechanisms they will use on a case-by-case basis. For most transfers/sharing, U.S. colleges and universities will likely find it least burdensome to enter into standard contractual clauses with the recipient.
However, there may be certain transfer/sharing arrangements where the standard contractual clauses, which were released in February 2023, are unsuitable for use. For example, the clauses, which cannot be amended, may not always accurately reflect the allocation of responsibilities between the U.S. college or university and the PI recipient, particularly when the parties are affiliated entities (e.g., when a U.S. university’s foundation in the PRC shares PI with the U.S. university). U.S. colleges and universities may seek PI protection certification to transfer/share PI outside PRC borders in such situations requiring more flexibility than allowed under the unamendable standard contractual clauses.
Obtaining PI Protection Certification
Before applying for PI protection certification, a U.S. college or university first must either establish a legal entity in the PRC (e.g., a wholly foreign-owned enterprise, often referred to as a “WFOE”) or appoint a local representative in the PRC. While PIPL article 53 requires handlers outside the PRC to appoint a local representative, there has not yet been any guidance or regulations informing who may serve as a local representative, how to appoint a local representative, or obligations imposed on a local representative, making it difficult (if not impossible) for U.S. colleges and universities to comply with this requirement.
U.S. colleges or universities that have a legal entity or local representative in the PRC may apply for PI protection certification by submitting an application to a local PRC certification authority. While each certification authority has its own, separate application process, Certification Specs section 5 indicates the criteria on which authorities must base their certification decisions.
Legally Binding Agreement and Procedures
Each certification application must be accompanied by a legally binding agreement between the U.S. college or university and the PI recipient, which lays out compliance obligations, imposes legal liabilities, and otherwise fulfills the requirements under Certification Specs section 5.1. The agreement required under section 5.1 must generally contain many of the same obligations imposed by the standard contractual clauses, but parties are afforded far more flexibility in drafting specific terms and allocating specific responsibilities.
In addition to a legally binding agreement, the U.S. college or university and the PI recipient must agree upon cross-border handling procedures that more specifically describe how PI will be transferred/shared outside the PRC. For example, the procedures must describe the quantity of PI to be transferred/shared and the regions or countries through which the PI will pass during the transfer.
Responsible Person and Department
The U.S. college or university and the PI recipient also must each identify a person responsible for PI protection (e.g., Data Protection Officer, Chief Information Security Officer, etc.). Such persons must be qualified with relevant professional knowledge and experience in PI security and must possess decision-making authority within their institution.
Similarly, the U.S. college or university and the PI recipient must each establish a PI protection department within their respective organizations. Such departments must assume the responsibilities provided under Certification Specs section 5.2.2, including—among other obligations—enforcing PI protection rules, conducting PI protection impact assessments and self-audits, and responding to PI subjects’ requests to exercise their rights under the PIPL.
PI Protection Impact Assessments and Reports
Lastly, the Certification Specs require the U.S. college or university to conduct a PI protection impact assessment and prepare an assessment report that includes the information listed under section 5.4. The most probing questions under section 5.4 address the impact of PI protection laws in the country where the PI recipient is located, aiming to assess whether local laws may prevent the PI recipient from complying with the PIPL.
Of particular concern for U.S. colleges and universities, one question asks whether the PI recipient has ever received an order or request to provide PI to public authorities, and if so, how the PI recipient responded. PIPL article 41 requires PRC government approval before PI is provided to public authorities outside the PRC, including U.S. authorities. Nearly any U.S. institution could truthfully answer that it has complied with such orders in the past, given routine regulatory obligations and judicial subpoenas. A U.S. college or university that discloses this history in its assessment report therefore risks having its application for PI protection certification rejected.
Recommendations for U.S. Colleges and Universities
All U.S. colleges and universities should perform extensive data mapping exercises to determine which, if any, of their PI handling activities are subject to the PIPL and which activities may trigger the PIPL’s cross-border transfer obligations. For each situation involving PI transfer/sharing subject to the PIPL’s cross-border transfer obligations, institutions should determine which PIPL cross-border transfer mechanism is most appropriate, considering factors such as the volume of PI being transferred/shared and the relationship between the parties.
If PI protection certification is determined to be the most suitable cross-border transfer mechanism, U.S. colleges and universities with an established legal entity in the PRC may obtain additional information from their local PRC certification authority to begin applying for certification. U.S. colleges and universities that have not established a legal entity in the PRC should carefully follow future developments regarding how to appoint a PRC local representative as needed to apply for PI protection certification.