China: Draft standard contract provisions - Operationalising data transfers under PIPL: Part two
On 30 June 2022, the Cyberspace Administration of China ('CAC') released the Standard Contract Provisions for the Export of Personal Information (Draft for Comment) ('the Draft Standard Contract Provisions'). The Draft Standard Contract Provisions are intended to implement Article 38(1)(3) of the Personal Information Protection Law ('PIPL') and provide one of the lawful methods for the transfer of personal information outside of China. The Draft Standard Contract Provisions contain a standard contract akin to Standard Contractual Clauses ('SCCs') and establish requirements for personal information processors as well as overseas recipients. In part two, OneTrust DataGuidance Research examines the standard contract provisions provided by the CAC.
The standard contract clarifies that definitions including personal information, sensitive personal information, and personal information processor have the same meaning as stipulated in the PIPL (Article 1). Personal information subject, on the other hand, is defined as a natural person identified by or associated with the personal information. Along similar lines, overseas recipient is defined as an organisation or individual located outside the People's Republic of China ('PRC') that receives personal information from a personal information processor, and finally, supervisory authority refers to the CAC at or above the provincial level (Article 1).
In regard to subsequent laws and regulations as well as sectoral regulations, the standard contract clarifies that terms it does not define will have the meaning stipulated in those subsequent and sectoral laws and regulations (Article 1). In addition, where the standard contract conflicts with any other agreement already existing between the parties at the time of its conclusion or signing, the terms of the standard contract will take precedence (Article 9). On this point, the standard contract will be governed by the relevant laws and regulations of the PRC (Article 9).
Warranties of the personal information processor (Article 2)
The standard contract requires personal information processors to ensure personal information is collected and used in accordance with relevant laws and regulations, and that personal information exportation is limited to the minimum necessary to achieve the purpose of processing. In addition, the personal information processor must ensure that the personal information subject has been informed of the following:
- the name(s) of the overseas recipient(s) including their contact information;
- the information outlined in the Personal Information Export Instructions in Appendix I;
- the manner and procedure for exercising their rights;
- the personal information subject is a third-party beneficiary as stipulated in the contract between the personal information processor and overseas recipient, pursuant to which the subject may have a basis to exercise their rights should they not expressly reject it within 30 days; and
- a copy of the standard contract upon request – relevant contents may be appropriately obscured where necessary to protect trade secrets or other confidential information, but the personal information processor must undertake to provide an effective summary to help the personal information subject understand the contents of the standard contract.
Moreover, the standard contract states that personal information processors must make a reasonable effort to ensure that the overseas recipient can fulfil their obligations under the standard contract and must take technical and organisational measures such as encryption, anonymisation, and de-identification, taking into account, among other things, the type, quantity, scope, and sensitivity of personal information, the quantity and frequency of transmission, as well as the duration of transmission and retention of personal information by the overseas recipient.
On the point of consent, the standard contract stipulates that personal information processors must ensure that the individual's consent has been obtained, except where the relevant laws and regulations do not require consent. Notably, where sensitive personal information is involved, the personal information subject must be informed of the need to transmit sensitive personal information and the impact that the transfer will have on the individual. In cases where the personal information of a minor under 14 years of age is involved, the consent of the minor's parents and/or other guardians is required. Further to the above, where written consent is required by law or administrative regulations, such types of consent must be obtained, except where relevant laws and regulations provide written consent is not required.
Personal information processors are responsible for responding to inquiries from regulatory authorities relating to the processing activities of the overseas recipient. This will not apply where both parties have agreed that the overseas recipient will respond. Nevertheless, where the overseas recipient does not respond within the requested time limit, the personal information processor will be required to respond within a reasonable time limit based on the information reasonably available to it.
Importantly, the personal information processor bears the burden of proof that the obligations of the standard contract have been fulfilled. In addition, the personal information processor is required to provide the CAC with necessary information as required by relevant laws and regulations, including all audit results, as supplied and facilitated by the overseas recipient pursuant to Article 3(10).
Warranties of the overseas recipient (Article 3)
Mirroring the obligations of the personal information processor, overseas recipients are required to ensure that the processing of personal information is in accordance with the stipulated scope outlined in the Personal Information Export Instructions in Appendix I, unless prior consent is obtained from the personal information subject. Overseas recipients are also responsible for ensuring that personal information exportation is limited to the minimum necessary to achieve the purpose of processing. In addition, overseas recipients must provide the personal information subject with a copy of the standard contract upon request; in which case relevant contents may be appropriately obscured where necessary to protect trade secrets or other confidential information, provided that an effective summary is included to help the personal information subject understand the contents of the standard contract.
In relation to the storage of personal information, the standard contract stipulates that the storage period must be the minimum time necessary to achieve the purpose of processing, highlighting that once the storage period is complete, personal information (including all backups) must be deleted or anonymised unless separate consent is obtained from the personal information subject. On this point, the standard contract clarifies that the overseas recipient is required to provide an audit report to the personal information processor once deletion or anonymisation is complete.
Secure handling of personal information
Overseas recipients are expected to adopt effective technical and management measures to ensure the security of personal information, including the prevention of accidental or unlawful destruction, loss, falsification, or unauthorised provision of, or access to, personal information. In order to fulfil this obligation, overseas recipients should ensure that the technical and organisational measures specified in the Data Protection Impact Assessment ('DPIA') are taken. In addition, overseas recipients must conduct regular checks to ensure that the adopted measures continue to maintain an appropriate level of security.
Overseas recipients must also ensure that personnel authorised to process personal information comply with their confidentiality obligations, and that there is an established minimum-authorisation access control policy guaranteeing that only authorised personnel can access the minimum personal information necessary, to the minimum extent required to complete their duties.
Data breach reporting
In the event of a data breach, the overseas recipient must promptly take appropriate remedial measures to mitigate the adverse effects on the personal information subject. In addition, the overseas recipient must immediately notify the personal information processor, personal information subject (where required), and the CAC as required by laws and regulations. The notification must contain the following:
- the reason for the leakage of personal information;
- the type of personal information leaked and the possible harm caused;
- the remedial measures that have been taken;
- measures that the individual can take to mitigate the harm; and
- contact information of the person in charge or the team in charge of handling the data leakage.
On this point, the overseas recipient must document and retain all facts related to the data breach and its effects, including all remedial measures taken.
Onward transfers and sub-processors
Onward transfers of personal information outside of the PRC are prohibited, unless the following requirements are also met:
- there is a genuine business need to provide personal information;
- the personal information subject has been informed of:
  - the identity of the third party;
  - their contact information;
  - the purpose of processing;
  - the manner of processing;
  - the type of personal information; and
  - the manner and procedure for exercising their rights; and
- the individual's consent has been obtained, except where the relevant laws and regulations do not require consent.
In addition, and in line with the requirements for personal information processor, where sensitive personal information is involved, the personal information subject must be informed of the necessity of transferring the sensitive personal information and the impact on the individual. Specific to minors, where the personal information of a minor under 14 years of age is involved, the consent of their parents and/or other guardians must be obtained. Finally, written consent must be obtained if required by laws and administrative regulations, except where stipulated that written consent is not required. In the event that it is difficult to inform or obtain the consent of the personal information subject, the overseas recipient should promptly seek the assistance of the personal information processor.
Overseas recipients should reach an agreement with third parties to ensure that the level of personal information protection is not lower than the standard stipulated in the laws and regulations of the PRC. In addition, the overseas recipient and the third party will assume joint and several responsibility for any potential damage to the personal information subject due to sub-processing, and the overseas recipient is required to supervise the personal information handling activities of the third party. Moreover, the overseas recipient must provide a copy of the agreement to the personal information processor and obtain their prior consent. Similar to the requirements outlined above, the subcontracted third party must not handle personal information beyond the purpose and manner agreed in the Personal Information Export Instructions in Appendix I.
Notably, the standard contract addresses automated decision-making, noting that overseas recipients making use of personal information in this way must ensure transparency, as well as fair and equitable outcomes that do not apply unreasonable differential treatment in terms of transaction prices and other trading conditions. Push notifications and direct marketing facilitated through automated decision-making must also include options that do not target personal characteristics or provide a convenient way to reject the same.
Overseas recipients should provide personal information processors with all necessary information to demonstrate compliance with the obligations of the standard contract, allowing the personal information processor to access data files and documents, or to conduct audits in relation to processing activities covered by the contract. On this point, overseas recipients should facilitate audits conducted by personal information processors themselves or entrusted to third parties and provide personal information processors with certification of the qualifications they hold regarding personal information protection as requested.
On record retention, overseas recipients are required to keep objective records of personal information processing activities carried out for at least three years and must provide relevant record documents to the CAC directly or through the personal information processor as required by relevant laws and regulations. Finally, overseas recipients must accept supervision and management by the CAC in line with the relevant procedures for monitoring the implementation of the standard contract, including but not limited to responding to inquiries, cooperating with inspections, obeying the measures taken or decisions, and providing written evidence of necessary actions taken.
Assessment of personal information protection policies and regulations in the third country (Article 4)
On compliance with the terms of the standard contract, both parties are required to guarantee that, after reasonable efforts, they are not aware of personal information protection policies and regulations in the country or region where the overseas recipient is located (including any requirements for providing personal information or provisions authorising public authorities to access personal information) which will prevent the overseas recipient from performing its obligations under the standard contract.
The following elements must be taken into account in line with the above:
- the specific circumstances of the export, including:
  - the type, quantity, scope, and sensitivity of the personal information involved in the transmission;
  - the scale and frequency of transmission;
  - the duration of the transfer and retention period;
  - the purpose of personal information processing;
  - the previous experience of the overseas recipient in the cross-border transfer and processing of similar personal information, whether the overseas recipient has had data security related events, and whether they were handled in a timely and effective manner; and
  - whether the overseas recipient has received a request for personal information from a public authority in the country or region and the response of the overseas recipient;
- the personal information protection policies and regulations of the country or region where the overseas recipient is located, which must include the following elements:
  - current personal information protection laws and regulations and generally applicable standards in the country or region;
  - regional or global organisations for personal information protection that the country or region has joined, as well as binding international commitments made; and
  - the mechanism in place for personal information protection in the country or region, such as whether there are supervision and law enforcement agencies and relevant judicial institutions for personal information protection; and
- the overseas recipient's security management system and technical capabilities.
In line with the above, the overseas recipient should confirm that it has done its best to provide the personal information processor with the necessary and relevant information for making the assessment described above. In addition, both parties must record the evaluation process and results. Finally, where the overseas recipient is unable to perform the standard contract due to changes in the personal information protection policies and/or regulations of the country or region where it is located (including changes in laws or compulsory measures in that country or region), it should immediately notify the personal information processor once it becomes aware of such changes.
Personal information subject rights (Article 5)
The parties must acknowledge personal information subjects' right to enforce the obligations in the standard contract, including their third-party beneficiary rights. More specifically, the personal information subject has the right to know and make decisions about the processing of their personal information, to restrict or refuse processing by others, to consult, copy, correct, supplement, and delete their personal information, and to request an explanation of the personal information processing rules. In addition, where the personal information subject wishes to exercise their rights over personal information that has left the country, they can request that the personal information processor take appropriate measures to realise this, or make a request directly to the overseas recipient.
Importantly, where the personal information processor cannot realise the exercising of the personal information subject's rights, it must notify and require the overseas recipient to assist in realising the same. On this point, the overseas recipient must, in accordance with the notice of the personal information processor or the request of the personal information subject, realise the rights exercised by the personal information subject. In addition, the overseas recipient must truthfully, accurately, and completely provide the personal information subject with relevant information in a prominent way using clear and understandable language.
Nevertheless, where the personal information subject puts forward excessive or unreasonable requests, especially repeated requests, the overseas recipient can charge reasonable fees or refuse to act on the request after taking into account the implementation and operation costs. Furthermore, where the overseas recipient intends to refuse a request, it must communicate the reason for the refusal, and the method for the personal information subject to lodge a complaint with the relevant regulatory authorities and seek judicial relief.
As the third-party beneficiary of the contract, the personal information subject also has the right to claim and require the performance of terms related to their rights from either the personal information processor or the overseas recipient, with certain exceptions, for example Article 2(4), (5), (6), and (7).
Remedies (Article 6)
The overseas recipient must identify a contact person within the organisation who is authorised to respond to inquiries or complaints regarding the processing of personal information and must promptly address any inquiries or complaints from the personal information subject. The overseas recipient must also inform the personal information processor and personal information subject of said person's contact information, notifying the latter in an easy-to-understand manner through a separate notice or announcement on the website. The notice or announcement must include the contact person and contact information, e.g. office phone number or email address.
The parties must agree that in the event of a dispute between the personal information subject and one of the parties to the contract, they will notify each other of the situation and cooperate to resolve the dispute in a timely manner. Where the dispute is not resolved amicably, the personal information subject can exercise their rights as a third-party beneficiary in accordance with Article 6(2), and the overseas recipient must accept their right to file a complaint with the CAC or file a lawsuit with the court specified in Article 9(4).
Furthermore, the overseas recipient must agree that the dispute resolution of the personal information subject will be based on the relevant laws and regulations of the PRC, and that the choice made by the personal information subject to defend their rights will not derogate from their substantive or procedural rights to seek remedies under other laws and regulations.
Cancellation and/or breach of contract
Cancellation of contract (Article 7)
The standard contract outlines requirements associated with breach and the cancellation of the contract. Specifically, on breach of contract, where the overseas recipient violates its obligations under the standard contract, the personal information processor can suspend the transmission of personal information until the violation is corrected or the standard contract is terminated. In addition, personal information processors will have the right to cancel the standard contract where:
- the CAC makes a decision in accordance with relevant laws and regulations, such as the security assessment of the export of personal information, which makes the execution of the standard contract impossible; and
- both parties agree to terminate the contract, although the termination of the contract does not relieve them of their obligations to protect personal information in the course of personal information handling.
In addition to the above, the personal information processor has the right to terminate the standard contract and notify the CAC where:
- the personal information processor suspends the transmission of personal information to the overseas recipient for more than one month in accordance with the provisions of Article 7(1);
- the overseas recipient's compliance with the standard contract would violate the legal provisions of the country in which it is located;
- the overseas recipient is in serious or persistent violation of its obligations under the standard contract;
- the overseas recipient or the personal information processor violates the provisions of the standard contract according to a final and non-appealable decision of the overseas recipient's competent court or supervisory authority; and
- the overseas recipient becomes bankrupt, dissolved, or liquidated.
In the first, second, or fourth of the cases above, the overseas recipient may also cancel the agreement.
Once the contract is cancelled the overseas recipient must promptly return, destroy, or anonymise the personal information it has received under the agreement and provide an audit report that the personal information has been destroyed or anonymised.
Breach of contract (Article 8)
The standard contract explains liability between the parties in regard to damage suffered. In addition, the standard contract clarifies liability of the parties in relation to infringements on the personal information subject rights as a third-party beneficiary as well as such subject's entitlement to compensation. Importantly, the standard contract notes that where the personal information processor and the overseas recipient are jointly responsible for material or non-material damage caused to the personal information subject as a result of a breach of the agreement, they will be jointly and severally liable to the personal information subject.
Please note that the standard contract also outlines requirements associated with indemnification and highlights that the parties must agree that the personal information processor will be entitled to recover damages from the overseas recipient if it is held liable for damages caused by the overseas recipient pursuant to Article 8(6).
The draft standard contract is an important step in implementing the data transfer requirements under the PIPL. The Draft Standard Contract Provisions are currently open for public comments until 29 July 2022.
Keshawna Campbell, Lead Privacy Analyst