- A data processor needs to carefully evaluate whether the Standard Contract is the applicable mechanism for the cross-border transfer of personal information outside mainland China or whether a mandatory security assessment administered by the authority will apply.
- When the Standard Contract mechanism applies, the data processor must still conduct a personal information protection impact assessment (a self-assessment) and file both the executed Standard Contract and the assessment report with the provincial-level regulatory authority.
- The Measures provide a grace period until December 1, 2023 for compliance.
The Cyberspace Administration of China (CAC) issued the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (Standard Contract Measures) on February 24, 2023, which includes a template standard contract (Standard Contract). The Measures will take effect on June 1, 2023, but set forth a six-month grace period until December 1, 2023, to provide companies with time to take actions for compliance.
The Personal Information Protection (PIP) Law of the People’s Republic of China (PRC) provides three legal mechanisms for a personal information processor (data controller) in the mainland PRC to transfer personal information outside mainland China. (See our detailed analysis of the PIP Law here.)
Those legal mechanisms are:
- Undergo a mandatory CAC-administered security assessment (CAC Security Assessment);
- Obtain a personal information protection certification from a CAC-recognized professional institution (Security Certification); or
- Enter into a Standard Contract with overseas recipients.
A CAC Security Assessment is mandatory if any of the triggering scenarios is met. For example, a CAC Security Assessment would apply when (i) a data processor in China transfers “important data” outside China, (ii) a critical information infrastructure (CII) operator in China transfers personal information outside China, (iii) a data processor in China that processes the personal information of one million or more individuals transfers any personal information outside China, or (iv) a data processor in China that, since January 1 of the preceding year, has cumulatively transferred the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals, transfers personal information outside China. See our more detailed discussion of the mandatory CAC Security Assessment here.
Where the cross-border data transfer activities do not trigger the mandatory CAC Security Assessment, data processors may choose either Security Certification or the Standard Contract as the mechanism for transferring personal information overseas. On December 16, 2022, the National Information Security Standardization Technical Committee issued the Practical Guide to Cybersecurity Standards—Specifications on Security Certification for Cross-Border Personal Information Processing Activities (V2.0-202212) (Certification Specifications V2.0). These specifications serve as industry best practice and provide the basis on which qualified professional institutions carry out Security Certification for cross-border personal information processing activities.
However, since the identification of the professional certification institutions and the details of the certification procedure have not been clarified and published by the CAC, the Standard Contract mechanism may be more efficient for multinational companies to adopt for cross-border transfer of personal information. The finalization and promulgation of the Standard Contract Measures signal an important step forward in the establishment of China’s cross-border data transfer framework.
When Do the Standard Contract Measures Apply?
Based on the Standard Contract Measures, a personal information processor (PI Processor) may choose to use the Standard Contract approach to comply with the cross-border data transmission requirements under the PIP Law only when it fulfills all of the four conditions below:
- It is not a CII operator. A CII operator refers to a business entity that operates important network facilities and information systems in important industries and fields, such as public communication and information services, energy, transportation, water resources, finance, public services, e-government affairs, science, technology and industry for national defense, as well as other important network facilities and information systems of which destruction, loss of function and data divulgence may seriously endanger national security, people’s livelihoods and public interests;
- It processes personal information of less than one million people;
- It has cumulatively transferred personal information of less than 100,000 people overseas since January 1 of the previous year; and
- It has cumulatively transferred sensitive personal information of less than 10,000 people overseas since January 1 of the previous year.
The Standard Contract Measures explicitly prohibit splitting large volumes of data into batches in order to circumvent the thresholds above.
The Standard Contract Measures also require a PI Processor to enter into contracts with overseas recipients “strictly in accordance with the Standard Contract,” and any additional provisions agreed by the parties must not contradict the Standard Contract.
Personal Information Protection Impact Assessment
Before transferring personal information overseas, the PI Processor must conduct a personal information protection impact assessment (PIPIA) and prepare a PIPIA report. Such assessment must at least evaluate the following aspects of the transfer:
- The legality, legitimacy and necessity of the purpose, scope and method of the personal information processing by the PI Processor and the recipient;
- The volume, scope, category and sensitivity of personal information to be transferred abroad, and the potential risks brought by the cross-border transfer to the personal information rights and interests;
- The obligations that the overseas recipient promises to undertake, and whether the management and technical measures and capabilities of the overseas recipient are able to ensure the security of the personal information to be transferred;
- The risks of the personal information being tampered with, damaged, leaked, lost or abused after the transfer, and whether individuals have accessible channels to protect their personal information rights and interests;
- The impact by the applicable policies and regulations in the jurisdiction of the overseas recipient; and
- Other factors that may affect the security of the personal information.
The PIPIA report must be retained for at least three years according to the Standard Contract.
Notable Compliance Obligations
A PI Processor must file (i) the executed Standard Contract and (ii) the PIPIA report to the provincial level counterpart of CAC within 10 working days after the Standard Contract comes into effect.
The governing law of the Standard Contract shall be the law of the PRC.
If the purpose, type, scope, sensitivity or other key aspects of the transferred personal information change, or the personal information protection laws or regulations of the jurisdiction where the overseas recipient is located change, the parties to the Standard Contract can supplement or revise it, or enter into a new Standard Contract. Further, the PI Processor in China must conduct a new PIPIA and re-file the new PIPIA report with the provincial-level counterpart of the CAC.
The Standard Contract includes a clause that requires the overseas recipient of the personal information to respond to inquiries and requests from Chinese authorities regarding the personal information processing activities undertaken by such overseas recipient.
Also, the Standard Contract includes a clause that requires the overseas recipient of the personal information to immediately inform the PI Processor in China that transferred the data if it receives a request from the authorities in its own jurisdiction to disclose the transferred personal information.
The Standard Contract Measures become effective on June 1, 2023. Therefore, any cross-border transfer of personal information on or after June 1, 2023, must comply with their requirements.
For cross-border transfers of personal information that began before June 1, 2023, the Standard Contract Measures provide a six-month grace period, ending December 1, 2023, within which to achieve compliance. PI Processors should review their current cross-border transfer practices and take the actions necessary to comply with the new Measures.