China: Implemented Rules for the Implementation of Personal Information Protection Certification including cross-border data transfer regulation

On 4 November 2022, the Cyberspace Administration of China (CAC) published and implemented the “Rules for the Implementation of Personal Information Protection Certification”, including cross-border data transfer regulation. The Rules are issued in accordance with the Chinese Regulations on Certification and Accreditation which outline the general principles for the certification of data controllers, both with regard to data controllers of information in China and data controllers that carry out cross-border data transfer activities. Certificates for data controllers cross-border data processing activities are issued if they are found to comply with both the "Information security technology — Personal Information Security Specification" and the "Security Certification Specifications for Cross-Border Processing of Personal Information". The Rules regulate the technical verification, audits, and post-certification supervision procedures that certification agencies should carry out regarding the data controllers applying for certification. Certifications will have a validity of three years.