China: Standard contract provisions - Operationalising data transfers under PIPL: Part one

On 24 February 2023, the Cyberspace Administration of China ('CAC') released the Standard Contract Provisions for the Export of Personal Information ('the Standard Contract Provisions'). The Standard Contract Provisions are intended to implement Article 38(1)(3) of the Personal Information Protection Law ('PIPL') and provide for one of the lawful methods for the transfer of personal information outside of China. The Standard Contract Provisions contain a standard contract akin to Standard Contractual Clauses ('SCCs') and establish requirements for personal information processors, as well as overseas recipients, notably the obligation to carry out Data Protection Impact Assessments ('DPIAs'). OneTrust DataGuidance Research breaks down the Standard Contract Provisions.

Introduction

The Standard Contract Provisions are intended to regulate outbound transfers of personal information and protect the rights and interests of individuals in line with the PIPL (Article 1). The Standard Contract Provisions require that personal information processors who enter into agreements with overseas recipients to provide personal information outside the People's Republic of China ('PRC') sign a standard contract for the export of personal information in accordance with its provisions (Article 2).

In line with the above, personal information processors and overseas recipients must adhere to the requirements associated with independent contracting and record management to protect the rights and interests of individuals, prevent risks, and ensure the cross-border security and free flow of personal information (Article 3). Personal information processors and overseas recipients that sign other contracts related to personal information outbound transfers must ensure they do not conflict with standard contracts as provided by the CAC (Article 2).

Importantly, personal information processors may agree on other terms with overseas recipients, but such terms must not conflict with the standard contract. More generally, the Standard Contract Provisions stipulate that the contract must be concluded in strict accordance with its annexes, although the CAC may adjust the appendix according to the actual situation.

Scope of application

The Standard Contract Provisions establish that personal information processors may provide personal information overseas by signing a standard contract if they meet the following requirements (Article 4):

  • they are not operators of critical information infrastructure ('CII');
  • they handle the personal information of fewer than 1 million people;
  • since 1 January of the previous year, they have cumulatively provided overseas the personal information of fewer than 100,000 people; and
  • since 1 January of the previous year, they have cumulatively provided overseas the sensitive personal information of fewer than 10,000 people.

Importantly, where laws, administrative regulations, or the CAC provide otherwise, those provisions should be followed. Furthermore, personal information processors must not use methods such as quantity splitting to provide overseas, by signing a standard contract, personal information that should by law pass through a security assessment.

Obligations for personal information processors

DPIAs

More specifically on DPIAs, the Standard Contract Provisions stipulate that, before providing personal information overseas, a personal information processor must conduct a DPIA focusing on the following (Article 5):

  • the legality, legitimacy, and necessity of the purpose, scope, and method of processing by the personal information processor and overseas recipient;
  • the quantity, scope, type, and degree of sensitivity of the personal information going abroad, and the risks that the export of personal information may bring to the rights and interests of individuals;
  • whether the overseas recipient's responsibilities and obligations, as well as the technical and organisational measures for fulfilling such responsibility and obligations can ensure the safety of personal information leaving the country;
  • the risk of leakage, destruction, tampering, and misuse, among other things, of personal information after the departure of personal information, and whether the channels for individuals to protect the rights and interests of personal information are open;
  • the impact of personal information protection policies and regulations of the country or region of the overseas recipient on the performance of the standard contract; and
  • other matters that may affect the safety of personal information out of the country.

Filing with the CAC

On filing, the personal information processors must file the following information with the local provincial CAC within ten working days from the date when the standard contract takes effect, namely:

  • the standard contract; and
  • the DPIA.

On this point, the personal information processors will be responsible for the accuracy of the filed materials. Importantly, where any of the following situations occur within the validity period of the standard contract, the personal information processor must supplement or re-sign the standard contract and perform the corresponding filing procedures (Article 8):

  • the purpose, scope, type, sensitivity, quantity, method, storage period, or storage location of the personal information provided overseas, or the overseas recipient's purpose and method of processing personal information, have changed, or the overseas storage period of personal information has been extended;
  • changes in the personal information protection policies and regulations of the country or region where the overseas recipient is located may affect the rights and interests of personal information; and
  • other circumstances that may affect the rights and interests of individuals.

Complaints and violations

Any organisation or individual who finds that a personal information processor violates the Standard Contract Provisions has the right to file a complaint or report to the CAC at or above the provincial level (Article 10).

In addition, where the CAC at or above the provincial level finds that there are relatively large risks in personal information transfer activities or personal information security incidents have occurred, they may conduct interviews with personal information processors in accordance with the PIPL. On this point, personal information processors are expected to make rectifications as required to eliminate hidden dangers (Article 11).

Penalties

Persons who violate the provisions of the Standard Contract Provisions will be dealt with in accordance with the PIPL and other laws and regulations. Where a violation constitutes a crime, criminal responsibility will be investigated according to the law (Article 12).

Conclusion

Furthermore, the standard contracts must be concluded in strict accordance with the annexes of these Standard Contract Provisions. Importantly, the personal information processors may agree on other terms with overseas recipients, but they must not conflict with the standard contract.

Finally, transfers of personal information based on the SCCs can only be carried out after the standard contract takes effect, on 1 June 2023.

Keshawna Campbell Privacy Research Manager