On 22 February 2023, the Cyberspace Administration of China (“CAC”) adopted the Measures for the Standard Contract for Outbound Transfer of Personal Information (“Measures”). The Measures will soon come into force on 1 June 2023. With the entry into force of these Measures, execution of a Standard Contract is likely to become the most widely adopted approach for the legitimate outbound transfer of personal information.
1. What are the Measures promulgated for?
In recent years, the Chinese government has aimed to establish practical administrative schemes for regulating outbound transfer of personal information. The PRC Personal Information Protection Law ("PIPL"), which took effect on 1 November 2021, for the first time stipulated a possible approach based on a Standard Contract for outbound transfer of personal information. Under this approach, the domestic personal information handler and the overseas recipient execute a Standard Contract provided by the national cyberspace authority ("Standard Contract Approach"). The Standard Contract Approach is expected to be the most convenient and widely adopted approach for normal companies to fulfil administrative requirements on outbound transfer of personal information.
In order to fully implement the Standard Contract Approach in practice, the CAC finally on 22 February 2023 promulgated the Measures with a template Standard Contract as an annex. The Measures provide the template Standard Contract and clarify the record-filing requirements for the Standard Contract Approach for outbound transfer of personal information. As the Standard Contract Approach is likely to apply to most normal companies, the Measures deserve special attention from companies.
2. How long is the transition period under the Measures?
The Measures will take effect as of 1 June 2023. According to Article 13 of the Measures, any outbound transfer of personal information initiated before the entry into force of the Measures that does not comply with the Measures shall be rectified within six months from the effective date of the Measures. Therefore, companies, if taking the Standard Contract Approach, shall fulfil the record-filing requirement by 30 November 2023.
3. Which companies are subject to the Measures?
The PIPL has set forth three main approaches for companies' legitimate outbound transfer of personal information, i.e.:
- Pass a security assessment organized by the national cyberspace authority ("Security Assessment Approach"); or
- Obtain a certification of personal information protection by a professional institution in accordance with the regulations of the national cyberspace authority ("Certification Approach"); or
- Execute a standard contract provided by the national cyberspace authority with the overseas recipient, i.e. the Standard Contract Approach.
Among the above three approaches, the Security Assessment Approach is only mandatory for a company that:
- is a critical information infrastructure operator; or
- handles personal information of more than one million individuals; or
- has provided personal information of more than 100,000 individuals in aggregate to overseas recipients since 1 January of the previous year; or
- has provided sensitive personal information of more than 10,000 individuals in aggregate to any overseas recipients since 1 January of the previous year.
If companies are not subject to the Security Assessment Approach, they can choose either the Certification Approach or the Standard Contract Approach. For normal companies, we consider that the Standard Contract Approach will be the most practical and feasible way to fulfil the administrative requirements on outbound transfer of personal information. In particular, although several regulations and national standards have been issued for the Certification Approach, the application scope, the qualified certification agencies, etc., are still not clear. Therefore, we recommend that companies first check and determine whether to take the Standard Contract Approach for their outbound transfer of personal information.
4. What are the main requirements under the Measures?
According to Article 7 of the Measures, the main requirement under the Standard Contract Approach is to file a recordal with the provincial cyberspace authority where the personal information handler is domiciled by submitting the following materials within 10 working days from the effective date of a Standard Contract executed:
- A personal information protection impact assessment report.
As clarified by the Measures, the record-filing is not a precondition for the effectiveness of the Standard Contract, but only an ex-post requirement for regulating compliance of the outbound transfer of personal information.
5. What should companies be aware of when executing the Standard Contract?
According to Article 6 of the Measures, companies should basically execute the template Standard Contract without making any amendments. If companies have special concerns about the parties' rights and obligations, they may only add additional, non-conflicting terms in the form of an appendix to the Standard Contract.
According to the template Standard Contract provided by the Measures, companies still need to fill in some provisions and detailed information for the personal information handler as well as the overseas recipient on a case-by-case basis. In the main body of the Standard Contract, the relevant personal information subjects are defined as third-party beneficiaries and are entitled to sufficient protection as stipulated by the PIPL. Meanwhile, the parties to the Standard Contract can choose either an arbitration institution (including foreign arbitration institutions) or a People's Court with jurisdiction as the dispute resolution forum.
In addition, personal information handlers need to fill in the detailed description of the outbound transfer of personal information in accordance with Appendix 1 of the Standard Contract, which includes the purpose and methods of outbound transfer of personal information, the size and types of outbound personal information and/or sensitive personal information, the transfer route, the retention period, the location of storage and, if applicable, any overseas third party to which the overseas recipient further provides personal information. Therefore, we recommend that companies discuss the Standard Contract with the overseas recipient and start making preparations for its execution.
6. What should companies be aware of when conducting the Personal Information Protection Impact Assessment?
The Measures do not provide any template report for the personal information protection impact assessment. Article 5 of the Measures only stipulates that a personal information protection impact assessment shall be conducted before providing any personal information to an overseas recipient, and that the assessment shall focus on the following matters:
- The legality, legitimacy, and necessity of the purpose, scope, and method of the personal information handling by the personal information handler and the overseas recipient;
- The quantity, scope, type, and sensitivity of personal information to be transferred overseas, and the risk that the outbound cross-border transfer may pose to personal information rights and interests;
- The responsibilities and obligations that the overseas recipient undertakes to assume, and whether the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations are sufficient to ensure the security of personal information to be transferred;
- The risk of the personal information being tampered with, sabotaged, disclosed, lost, or misused after it is transferred overseas, and whether there is a smooth channel for individuals to protect their personal information rights and interests;
- The impact of personal information protection policies and regulations in the country or region where the overseas recipient is located on the performance of the Standard Contract.
For the time being, it is not clear whether the relevant authority will have special requirements for the format or structure of the personal information protection impact assessment to be recorded. Without detailed implementation rules in this regard, companies may take the national standard GB/T 39335-2020 Information Security Technology - Guidance for Personal Information Protection Impact Assessment and the template self-assessment report related to the Security Assessment Approach as a reference. We recommend that companies keep a close eye on the actual practice of the relevant cyberspace authorities in order to properly carry out the personal information protection impact assessment.
7. How long is the validity term of the recordal of the Standard Contract?
The Measures do not specify the validity period of the recordal of a Standard Contract; the recordal therefore remains valid for as long as the Standard Contract itself remains effective and valid.
However, according to Article 8 of the Measures, in the following circumstances, the personal information handler shall conduct a personal information protection impact assessment again, and supplement the existing Standard Contract or execute a new Standard Contract, as well as file a record again:
- There is any change in the purpose, scope, type, sensitivity, method, storage location, or retention period of the personal information transferred overseas, or the purpose and method of the personal information handling of the overseas recipient;
- There is any change in personal information protection policies and regulations in the country or region where the overseas recipient is located.
After the Measures take effect, the relevant authorities will have an explicit legal basis to check whether companies have properly fulfilled the record-filing requirement with regard to outbound transfer of personal information. It will be necessary for companies which are eligible to take this approach to make preparations for the relevant requirements in advance in order to be compliant. Otherwise, at the end of the transition period of the Measures, companies that fail to comply with either the Standard Contract Approach or the Certification Approach will be subject to administrative liability for illegal processing of personal information under the PIPL.