China’s Standard Contract for the Outbound Cross-border Transfer of Personal Information is in Effect


China's Cybersecurity Law ("CSL"), Personal Information Protection Law ("PIPL") and Data Security Law ("DSL") set a series of rules and requirements for the cross-border transfer of personal information located in China. These rules and requirements have a strong impact on the business activities of companies operating in or investing in China. Under the current legal framework, there are basically three routes for the outbound transfer of personal information located in China: (1) a mandatory data security assessment by the Cyberspace Administration of China (the "CAC"); (2) the certification of personal information protection by a professional institution; and (3) the signing of the standard contract for the outbound cross-border transfer of personal information with an overseas recipient (the "Standard Contract"). On June 29, 2023, the CAC and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region signed a Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macao Greater Bay Area (the "MoU") aimed at facilitating data flow in the Greater Bay Area, although the full text of the MoU is not yet publicly available and it is unclear how the data flow mechanism under the MoU may fit into the three routes mentioned above.

On February 22, 2023, the CAC issued the much-anticipated final version of the Standard Contract and the Measures for the Standard Contract for the Outbound Cross-Border Transfer of Personal Information (the "Measures for the Standard Contract"). Both the Measures for the Standard Contract and the Standard Contract became effective on June 1, 2023. To guide the proper filing of Standard Contract records, on May 30, 2023, the CAC issued the Guidance on Filing for the Standard Contract for Outbound Cross-border Transfer of Personal Information (First Edition) (the "Filing Guidance").

This client alert focuses on the key provisions of the Standard Contract and its Filing Guidance and discusses implications and practical tips for companies to comply with them. The Measures for the Standard Contract provide a grace period until December 1, 2023, for companies to rectify any non-compliance with the Measures in any activities for the outbound cross-border transfer of personal information initiated before June 1, 2023. Therefore, it is important for companies to use this grace period to assess their activities relating to the cross-border transfer of personal information.

Scope of Application for the Standard Contract

The Measures for the Standard Contract and the Filing Guidance provide that a personal information processor can choose the Standard Contract to legitimize its outbound transfer of personal information if the following criteria are met:

  • the personal information processor is not a critical information infrastructure operator;
  • the personal information processor has processed the personal information of fewer than one million individuals;
  • the personal information processor has cumulatively provided the personal information of fewer than 100,000 individuals to overseas recipients since January 1 of the previous year; and
  • the personal information processor has cumulatively provided the sensitive personal information of fewer than 10,000 individuals to overseas recipients since January 1 of the previous year.1

Both the Measures for the Standard Contract and the Filing Guidance emphasize that personal information processors must not adopt any method, such as splitting up the amount of personal information, to transfer the personal information overseas through a Standard Contract for the purpose of evading the mandatory data security assessment.

It is worth noting that the Filing Guidance clarifies that the following actions are deemed as exporting personal information overseas:

  • a personal information processor transmits or stores personal information collected or generated in operations within China outside of China;
  • personal information collected or generated within China by a personal information processor is made available for query, retrieval, download or export by any overseas institution, organization or individual; and
  • other activities of outbound cross-border transfers of personal information as stipulated by the CAC.

Therefore, for multinational companies, if the personal information collected or generated within China is saved on overseas servers or is accessible to an overseas headquarters, it is deemed as exporting personal information overseas.

Key Provisions of the Standard Contract

The Standard Contract is greatly influenced by the EU Commission's Standard Contractual Clauses ("EU SCCs"), although it also has its unique features, such as the filing for records requirement. The terms in the Standard Contract cannot be changed, but a personal information processor and an overseas recipient may agree on additional terms, provided that such terms do not conflict with the terms of the Standard Contract. The Standard Contract sets out the following key provisions:

  • the basic information of the personal information processor and the overseas recipient, such as name, address, contact information and the title of the point of contact;
  • the purpose, category, sensitivity, quantity, method, overseas recipient, retention period, storage location, etc., of the personal information for outbound transfer (as detailed in Annex 1 of the Standard Contract);
  • the respective responsibilities and obligations of the personal information processor and the overseas recipient to protect personal information, as well as technical and management measures to prevent security risks that may arise from the outbound transfer of personal information;
  • the impact of the personal information protection policies and laws of the country or region where the overseas recipient is located on compliance with the terms of the Standard Contract;
  • the rights of data subjects, and the ways and means for data subjects to protect such rights; and
  • other terms such as remedies, termination, liability and dispute resolution.

More Detailed Guidance on the Personal Information Protection Impact Assessment Report ("PIPIA Report")

Before the outbound transfer of personal information, a personal information processor should carry out a PIPIA with a focus on the following matters,2 and the PIPIA Report must be submitted for filing together with the Standard Contract and other required materials:

  • the legality, legitimacy and necessity of the purpose, scope and method of the personal information processing by the personal information processor and the overseas recipient;

  • the quantity, scope, type and sensitivity of personal information to be transferred overseas, and the risk that the outbound cross-border transfer may pose to personal information rights and interests;
  • the responsibilities and obligations that the overseas recipient undertakes to assume, and whether the management, technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations are sufficient to ensure the security of the personal information to be transferred;
  • the risk of the personal information being tampered with, sabotaged, disclosed, lost or illegally used after it is transferred overseas, and whether there is a smooth channel for protecting the rights and interests of the person whose personal information is being transferred;
  • the impact of personal information protection policies and regulations in the country or region where the overseas recipient is located on the performance of the Standard Contract; and
  • other matters that may affect the security of the personal information to be transferred overseas.

The template PIPIA Report attached to the Filing Guidance gives more direction on the information required for PIPIA, such as the corporate structure and investments of the personal information processor and the information systems, cloud solutions, data centers and network paths involved in the outbound transfer. Compared with the PIPIA required in the case of the mandatory data security assessment, the PIPIA required for using the Standard Contract puts more emphasis on the protection of and impact on personal information rights and interests instead of national security and public interests. The PIPIA must be completed within three months prior to the filing date, and there needs to be no material changes up to the filing date.

Clarification on the Application Scope of Specific Consent for Outbound Personal Information Transfers

As we discussed in our previous alert, China's Personal Information Protection Law Will Become Effective Soon, it was unclear under the PIPL whether the outbound transfer of personal information processed on the basis of consent and all other legal bases under Article 13 of the PIPL,3 such as the necessity for the conclusion or performance of a contract and for human resources management, would all require specific consent from personal information subjects.4 The Standard Contract clarifies this point by providing in Article 2 (3) of the Standard Contract that specific consent is required for the outbound transfer of personal information where the processing of the information is based on the consent of the individual data subject.5 This provision suggests that a personal information processor is not required to obtain specific consent for the outbound transfer where the processing is based on other legal grounds, such as the necessity for the conclusion or performance of a contract. In addition, Article 2(3) of the Standard Contract provides that if any personal information of a minor under the age of 14 is involved, specific consent from the minor's parents or other guardians must be obtained.

Filing Requirement

A personal information processor is required to file for records with the provincial-level CAC where it is domiciled within 10 working days from the effective date of a Standard Contract's execution.6 The provincial-level CAC shall complete the review of the materials and notify the personal information processor of the filing within 15 working days.7 It is worth noting that the result of the filing can be "Pass" or "Fail." Usually, filing for records is considered a matter of procedure, but in the case of a Standard Contract filing, it seems that the authority may perform substantive review because the filing may not pass. Based on the Measures for the Standard Contract, it appears that the result of the filing is not supposed to affect the outbound transfer of personal information because the Measures provide that an outbound transfer of personal information can be carried out after the Standard Contract for such transfer takes effect and filing for records is not a condition to the effectiveness of the Standard Contract.

If the result is "Fail," the personal information processor will be notified of the unsuccessful filing and the reason, and if additional materials are required, the personal information processor should complete the materials and resubmit them within 10 working days. Therefore, in practice, it is advisable for companies to conduct adequate PIPIA and proactively evaluate and remediate any compliance gaps in personal information security and management for a successful filing.

The Valid Term of the Standard Contract, Supplemental Filing and Re-Filing

The Measures for the Standard Contract do not specify any mandatory time limit on the valid term of the Standard Contract. This means that the parties can agree on the term of the Standard Contract, subject to its termination conditions. If any of the following circumstances occurs during the valid term of a Standard Contract, the personal information processor must conduct a PIPIA again and supplement the existing Standard Contract or execute a new Standard Contract, and must also submit supplemental materials for filing or re-file the new Standard Contract, as the case may be:

  • there is any change in the purpose, scope, category, sensitivity, method or storage location of the personal information transferred overseas, or any change in the purpose or method of the personal information processing of the overseas recipient, or an extension of the overseas retention period of the personal information;
  • there is any change in the personal information protection policies and regulations in the country or region where the overseas recipient is located that may affect personal information rights and interests; or
  • other circumstances occur that may affect personal information rights and interests.

The authority shall review materials submitted for supplemental filing or re-filing within 15 working days.

Legal Liabilities

The Measures for the Standard Contract provide that any violations shall be dealt with according to the PIPL and other Chinese laws. This means that violations may result in administrative, civil and criminal penalties. For example, companies that fail to comply can be subject to penalties under the PIPL that range from correction orders and the suspension of personal information transfers to financial penalties up to RMB 50 million or five percent of a personal information processor's revenue of the previous year. Any organization or individual that finds that a personal information processor provided personal information to any overseas recipient in violation of the Measures for the Standard Contract may report the case to a cybersecurity authority at or above the provincial level.

The issuance of the Standard Contract and the Filing Guidance is an important step in implementing the PIPL for the outbound transfer of personal information. This route for the outbound transfer of personal information through the Standard Contract is similar to international practice and facilitates the outbound transfer of personal information. However, vague areas remain for its enforcement in practice. For example, it seems unclear whether a group company can conduct a combined filing for outbound personal information transfers by all its subsidiaries and affiliates in the group. Nonetheless, it is important for companies to use the grace period to conduct data mapping, assess their data security and management systems, conduct PIPIA, and put technical and organizational measures in place to ensure the personal information is processed and transferred in compliance with Chinese laws.

1 The Measures for the Standard Contract, Article 4; the Filing Guidance, Article 1.
2 The Measures for the Standard Contract, Article 5.
3 Article 13 of the PIPL provides that a personal information processor may process personal information of an individual only under any of the following circumstances:

1. Where consent is obtained from the individual;
2. Where it is necessary for the conclusion or performance of a contract to which the individual is a contracting party, or where it is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded;
3. Where it is necessary for performing a statutory responsibility or statutory obligation;
4. Where it is necessary for responding to a public health emergency, or for protecting the life, health or property safety of the natural person in the case of an emergency;
5. Where the personal information is processed within a reasonable scope to carry out any news reporting, supervision by public opinions or any other activity for public interest purposes;
6. Where the personal information, which has already been disclosed by the individual or otherwise legally disclosed, is processed within a reasonable scope and in accordance with this Law; or
7. Any other circumstance as provided by law or administrative regulations. Personal consent shall be obtained for the processing of personal information as required by the other provisions of this Law, but where any of the preceding Items 2 to 7 is applicable, personal consent is not required.

4 The PIPL, Articles 23, 25, 29, 39.
5 The Standard Contract, Article 2(3).
6 The Measures for the Standard Contract, Article 7; the Filing Guidance, Article 2.
7 The Filing Guidance, Article 3 (2).

© 2023 White & Case LLP