China: Standard contract measures for data exports enter into effect

The Standard Contract Measures for Exporting Personal Information entered into effect on June 1, 2023, following their adoption on February 23, 2023. The measures clarify that they aim to implement the requirements of the Personal Information Protection Law (PIPL).

Scope

The measures stipulate that personal information processors transferring personal information overseas using standard contracts must meet the following conditions:

  • be considered non-critical information infrastructure operators;
  • handle the personal information of fewer than one million people;
  • have provided abroad the personal information of fewer than 100,000 people since January 1 of the previous year; and
  • have provided abroad the sensitive personal information of fewer than 10,000 people since January 1 of the previous year.

Importantly, the measures highlight that personal information processors must not use methods such as quantity splitting to provide overseas, by way of standard contracts, personal information that by law should have passed an exit security assessment.

Requirements for personal information processors

The measures require personal information processors to conduct a Personal Information Protection Impact Assessment (PIPIA) before transferring personal information overseas. The PIPIA should focus on:

  • the legality, legitimacy, and necessity of the purpose, scope, and method of processing personal information by the personal information processor and the overseas recipient;
  • the scale, scope, type, and sensitivity of the personal information exported abroad, and the risks that the export of personal information may bring to the rights and interests of data subjects;
  • whether the overseas recipient has promised to undertake the obligations, and whether the management and technical measures and capabilities to fulfill the obligations can guarantee the security of the outgoing personal information;
  • the risk of personal information being tampered with, destroyed, leaked, lost, or illegally used in the third country;
  • the impact of personal information protection policies and regulations of the third country on the standard contract; and
  • other matters that may affect personal information security.

Furthermore, personal information processors must file the following with the local Cyberspace Administration within 10 working days from the date when the standard contract takes effect:

  • the standard contract; and
  • the PIPIA report.

To this end, the personal information processors will be responsible for the authenticity of the filed materials.

Next steps

The measures confirm that where personal information export activities carried out before the implementation of the measures do not comply with their provisions, rectification must be completed within six months from the date of implementation of the measures, i.e., by December 1, 2023.

You can read the announcement here, the measures here, and a set of frequently asked questions on the measures here, all only available in Chinese.