China: Overview of the finalised Standard Contract Measures for Exporting Personal Information
On 24 February 2023, the Cyberspace Administration of China ('CAC') promulgated the finalised Standard Contract Measures for Exporting Personal Information[1] ('the Measures'), along with the Personal Information Export Standard Contract ('the Standard Contract'). The Measures will take effect on 1 June 2023. Most companies which transfer personal information out of China will need to adopt responsive measures in order to comply.
In this Insight article, Richard Qiang, Partner at DaHui Lawyers, provides a summary of the key takeaways from the Measures and the Standard Contract.
Who needs to comply with the Measures
A personal information handler (which is similar to a data controller under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')) transferring personal information out of China will need to comply with the Measures, unless such personal information handler:
- falls within the scope of, and is required to, carry out a mandatory security assessment under the Data Export Security Assessment Measures ('the Security Assessment Measures');
- completes a personal information protection certification with a qualified certification institution designated by the CAC; or
- satisfies other requirements provided by laws, administrative regulations, or the rules of the CAC.
Since the option of certification is still pending for further implementation guidance and designation by the CAC, and because so far there have not been other requirements provided by law or the CAC, the Standard Contract is expected to become the primary option for most personal information handlers to export personal information out of China going forward.
For the reader's reference, a personal information handler who meets any of the following thresholds will have to carry out the mandatory security assessment (rather than via entry into a contract based on the Standard Contract) in order to transfer personal information outside of China, namely if the personal information handler:
- is a critical information infrastructure operator;
- has processed personal information of 1 million individuals or more;
- has exported personal information of 100,000 individuals to overseas parties on a cumulative basis since 1 January of the preceding year;
- has exported sensitive personal information of 10,000 individuals on a cumulative basis to overseas parties since 1 January of the preceding year;
- is to export personal information which constitutes important data; or
- falls within any other specific circumstances set by the CAC which require a security assessment.
Furthermore, personal information handlers are expressly prohibited from selectively allocating the personal information that is processed or exported across different operating entities, so as to avoid triggering the above thresholds and thereby circumventing security assessments.
Primary obligations under the Measures
Execution of contracts with overseas recipients
Personal information handlers that are subject to the Measures must execute export contracts with the overseas recipients, which must be concluded strictly based on the Standard Contract. Such export contracts may include additional terms which do not contradict the Standard Contract. Covered personal information handlers are not allowed to export personal information before the export contracts with respective overseas recipients take effect.
Personal Information Protection Impact Assessment ('PIPIA')
Covered personal information handlers must conduct a PIPIA before entering the export contracts with the overseas recipients. The PIPIA is required to focus on evaluating the following:
- the legality, legitimacy, and necessity of the purposes, scope, and methods of personal information processing by the personal information handler and the overseas recipient;
- the scale, scope, types, and sensitivity of personal information to be exported, as well as the potential risks to personal information rights and interests resulting from the export of personal information;
- the obligations of the overseas recipient and whether the recipient's management and technical measures and capabilities can ensure the security of personal information to be exported;
- risks, such as tampering, destruction, leakage, loss, or illegal use, of personal information after it has been exported, and whether channels for protecting individual information rights and interests are unimpeded;
- the impact of personal information protection policies and regulations in the country or region where the overseas recipient is located on the fulfilment of the export contract to be concluded with the overseas recipient based on the Standard Contract; and
- other matters that may affect the security of the personal information to be exported.
Filing of contracts and PIPIA reports
Covered personal information handlers must file both of the following with their local provincial cyberspace authorities within ten business days of the export contract taking effect:
- each of the export contracts concluded with the overseas recipients; and
- the corresponding PIPIA report.
Where there are any changes to the outbound data transfer activities between the personal information handler and the overseas recipient (e.g. any changes to the purpose, scope, storage period, or storage location of the personal information, or any changes to the relevant personal information regulations of the country or region in which the overseas recipient is located that would affect the interests of data subjects), the personal information handler must:
- conduct a fresh PIPIA and prepare an updated PIPIA report;
- execute a new export contract or a supplementary contract regarding such changes; and
- file the updated PIPIA report and the new export contract or supplemental contract to the competent provincial cyberspace authority.
The Measures set forth a grace period of six months (i.e. until 1 December 2023) for covered personal information handlers who have already engaged in outbound cross-border transfers of personal information before the Measures take effect to adopt rectification measures (except if such personal information handlers complete a personal information protection certification by then, or otherwise trigger and go through the mandatory security assessment). If a covered personal information handler fails to do so, such personal information handler will likely have to cease export of personal information by 1 December 2023 in order to stay compliant with the Measures and the Personal Information Protection Law of the People's Republic of China ('PIPL').
Terms of the Standard Contract
The Standard Contract has only one universal template (drafted in Chinese), regardless of whether the overseas recipient is a data controller or a data processor. The terms of the Standard Contract give effect to the detailed requirements and principles applicable to the handling of personal information under the PIPL, for example:
- the 'minimum necessity' principle;
- detailed disclosure of overseas data recipients;
- requirements concerning specific consent;
- reiteration of the PIPIA requirements noted above; and
- the rights and interests of data subjects.
Highlighted below are several of the key terms set out in the Standard Contract which merit attention.
Details of personal information to be exported
The Standard Contract requires the parties to specify various details of the personal information to be exported, including:
- the purpose of the personal information export;
- processing method(s);
- the scale of the personal information to be exported;
- types of personal information and sensitive personal information to be exported;
- recipient(s) of onward transfers;
- method(s) of the export;
- the retention period of the personal information exported; and
- storage locations.
Impact of local law
Both the exporter and the overseas recipient must ensure that they have exercised 'reasonable care' when concluding the contract and are not aware of any policies and regulations for the protection of personal information in the country or territory of the overseas recipient (including any requirements to provide personal information or provisions authorising public authorities to access personal information) that would affect the overseas recipient's performance of its obligations under the contract.
Data subjects of the exported personal information are third-party beneficiaries under the Standard Contract, and in addition to the existing rights of data subjects under the PIPL, are entitled to:
- the right to request a copy of the contract between the exporter and the overseas recipient; and
- the right of action against both the exporter and the overseas recipient, in case the exporter or the overseas recipient fails to perform their respective obligations under the contract.
Consent to supervision and administration by Chinese regulatory authorities
Overseas recipients are required to consent to the supervision and administration authority of relevant Chinese regulatory authorities in respect of procedures aimed at monitoring the performance of the contract, such as responding to regulatory inquiries, cooperating with regulatory inspections, adhering to the measures taken or decisions made by Chinese regulatory authorities, and providing written confirmation that necessary actions have been taken.
Governing law and dispute resolution
The governing law must be Chinese law. In case of disputes, parties can only choose Chinese arbitration, Chinese court proceedings, or international arbitration under the New York Convention.
Retention of records
The overseas recipient must keep records of its personal information processing activities, and such records must be retained for at least three years. The overseas recipient must provide such records to the relevant Chinese regulatory authorities as required by applicable laws and regulations, either directly or via the exporter.
Many of the companies currently engaged in outbound cross-border transfers of personal information will be impacted by the Measures and will need to be prepared to take appropriate actions in response. These may include, in addition to what has been described above, updating internal privacy policies, deciding whether to modify or stay with current personal information processing activities and IT infrastructure after proper assessment, and amending existing agreements where necessary, many of which may take quite some time.
Thus, it is advisable for the in-scope companies, especially multinational corporations operating in China which are not required to perform security assessments under the Security Assessment Measures, to promptly familiarise themselves with the requirements under the Measures and work out the most suitable compliance plans with their legal counsel.
Richard Qiang, Partner
DaHui Lawyers, Beijing
[1] Available at: http://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm (only available in Chinese)