China: Implemented Rules for the Implementation of Personal Information Protection Certification including data protection regulations

Description

On 4 November 2022, the Cyberspace Administration of China (CAC) published and implemented the “Rules for the Implementation of Personal Information Protection Certification”, including data protection regulations. The Rules are issued in accordance with the Chinese Regulations on Certification and Accreditation, which outline the general principles for the certification of data controllers, with regard to both data controllers of information in China and data controllers that carry out cross-border data transfer activities. Certificates for data controllers carrying out processing activities in China are issued if they are found to comply with the "Information security technology — Personal Information Security Specification". The Rules regulate the technical verification, audits, and post-certification supervision procedures that certification agencies should carry out regarding the data controllers applying for certification. Certifications will have a validity of three years.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2022-11-04
in force

On 4 November 2022, the Cyberspace Administration of China (CAC) published and implemented the “Rul…