2023.02.28 DONG, Xiao (Marissa), LU, Sipei (Ryo)
On February 24, 2023, the Cyberspace Administration of China (“CAC”) released the long-awaited Measures on Standard Contract for Personal Information Export (“Measures”) together with the final version of the Personal Information Export Standard Contract (“Standard Contract”).
The Measures supplement Article 38 of the Personal Information Protection Law (the “PIPL”) which provides three main pathways to legally transfer personal information from mainland China to overseas, including (i) passing a security assessment organized by the CAC; (ii) obtaining a personal information protection certificate issued by a qualified institution; and (iii) concluding the Standard Contract formulated by the CAC with the overseas recipient.
The Measures will take effect on June 1, 2023. A six-month grace period will apply for organizations and enterprises to rectify the in-scope cross-border transfer of personal information from the effective date of the Measures. This means rectification needs to be completed by the end of 2023.
Below are the key aspects of the final Standard Contract, comparisons with the draft released earlier by the CAC in June 2022 for public consultation and the key implications for organizations and enterprises.
I. Which organizations should focus on the Standard Contract pathway?
In general, any organization that transfers personal information from mainland China to overseas due to business needs and does not trigger the threshold for security assessment could choose to sign the Standard Contract to legitimize its cross-border transfers of personal information if it does not want to take the certification path. As to whether a Standard Contract is required under certain circumstances (e.g., providing a very small amount of business contact information to overseas business partners when communicating or exchanging emails), this remains uncertain and needs to be further examined.
II. What data export scenarios are covered by the Standard Contract?
Firstly, a Standard Contract only applies to the cross-border transfer of personal information. If a cross-border transfer of important data is involved, the security assessment path must be applied. In addition, if the data transferred contains data from a special industry or field, the laws and regulations of such special industry or field also need to be considered.
Unlike the Standard Contractual Clauses (“SCC”) under the General Data Protection Regulation (“GDPR”), which provide four modules (i.e., controller to controller, controller to processor, processor to controller and processor to processor), China’s Standard Contract has only one version, and this version can be used in two scenarios: “personal information processor (akin to a ‘controller’ under the GDPR) to personal information processor” and “personal information processor to entrusted party (akin to a ‘processor’ under the GDPR)”.
There may be scenarios where an entrusted party in China provides personal information to an overseas recipient (either an overseas personal information processor or an overseas sub-entrusted party). In these scenarios, it remains uncertain how a China-based entrusted party legitimizes its necessary data transfer activities with the overseas recipients and this remains to be interpreted by the CAC.
III. Can the Standard Contract be modified?
The Measures require the Standard Contract to be concluded in strict accordance with the final form of the Standard Contract released by the CAC. The Standard Contract leaves space in Appendix II for data exporters to supplement additional terms agreed to by the overseas recipients regarding the cross-border transfer, provided that the additional terms are not contradictory to the main body of the Standard Contract. The Measures also specify that CAC can adjust the content of the Standard Contract according to the actual situation.
IV. What are the main differences between the final version of the Standard Contract and the former draft Standard Contract?
Compared with the earlier draft of the Measures and Standard Contract released in June 2022, the structure and key requirements of the final Standard Contract remain generally aligned. A number of changes have nevertheless been adopted following consultation, with the key points summarized below; they reflect the regulator's consideration of the practical implementation of the Standard Contract, the regulatory requirements, and the rights and interests of personal information subjects.
1. Emphasis that means such as splitting cross-border transfer scenarios must not be used to circumvent the security assessment path
The Measures add a provision stating that "personal information processors shall not resort to quantity splitting and other means to transfer personal information that should pass a security assessment outside the country by entering into a standard contract." The specific interpretation of this clause is subject to further explanation by the CAC, and companies need to be prudent in assessing and determining the data export route, especially where several group companies in China are involved in the cross-border transfer.
2. Clarification on the separate consent requirement
The final Standard Contract clarifies that a separate consent must only be obtained when the cross-border transfer of personal information relies on an individual’s consent. This important clarification suggests that if the cross-border transfer of personal information is not based on “consent” but on another legal basis (e.g., performance of a contract or human resource management), then the organization does not have to obtain a separate consent specific to the data export activities.
However, if an organization considers providing personal information abroad based on a legal basis other than “consent”, sufficient factual and legal analysis should be carried out to confirm that such legal basis could indeed be applied in order to waive the requirement of “separate consent”.
3. The requirement for overseas recipients to provide audit reports proving the deletion of personal information has been removed
In the former draft Standard Contract, after deleting or anonymizing the personal information, the overseas recipient had to provide the data exporter with an audit report proving that the deletion or anonymization had taken place. The audit report requirement has been removed in the final version of the Standard Contract; instead, overseas recipients are only required to provide a written explanation that the personal information has been returned to the data exporter or has been deleted, which is more feasible than an audit report.
4. Notification obligations on government access requests
The final Standard Contract adds a new obligation for overseas recipients to immediately notify the data exporter when they receive a data access request from a local government department or judicial authority. This requirement aligns with Article 41 of the PIPL, which requires personal information processors not to provide personal information to foreign judicial or law enforcement bodies without the approval of the competent authority.
5. The obligation to notify personal information breaches has been enhanced
Under the final Standard Contract, overseas recipients are required not only to notify the data exporter of a personal information breach that has occurred, but also to notify the data exporter if any personal information breach incident is “likely” to occur.
In addition to the above changes and differences, the final Standard Contract has adjustments to the terms regarding the protection of personal information subject rights, contract termination and liability for breach of contract, etc.
V. What are the processes to complete the Standard Contract path?
Organizations need to follow the basic processes to adopt a Standard Contract:
(a) pre-assessment: completing a personal information protection impact assessment (“PIPIA”) before providing personal information abroad;
(b) contract signing: entering into a Standard Contract for personal information exports with overseas recipients;
(c) post-signing filing: filing the executed Standard Contract along with the PIPIA report with the local cybersecurity administration within 10 working days from the effective date of the Standard Contract;
(d) re-assessment, re-contracting and re-filing: if a re-assessment is required during the term of the Standard Contract, the organization must re-conduct the PIPIA, supplement or re-sign the Standard Contract and complete the filing procedures again.
It usually takes at least three to four months to complete the above procedures.
VI. What else do organizations need to do after the filing of a Standard Contract and a PIPIA report?
After completing the filing of a Standard Contract and a PIPIA report, organizations still need to monitor their cross-border transfer practice to ensure continued compliance.
Firstly, organizations should monitor any further guidance or clarifications from the CAC regarding cross-border data transfers and pay attention to further adjustments or updates of the Standard Contract made by the CAC.
Secondly, organizations should monitor the purpose, scope and type of personal information, the sensitivity of the personal information, the methods for processing and the storage location of personal information provided to overseas recipients. If any changes occur, it is necessary to consider whether it is required to re-assess the cross-border data transfer, or supplement or re-sign, and re-file the Standard Contract. It is also necessary to monitor any updates of personal information protection laws and regulations as well as law enforcement in the country or region where the overseas recipient is located.
Thirdly, organizations need to pay close attention to the requirements for the exercise of the rights of personal information subjects, establish a lawful and reasonable procedure for handling such requests, and, at the request of a personal information subject, provide them with the contract signed with the overseas recipient after removing trade secrets, confidential business information or other sensitive information.
Finally, organizations should pay attention to personal information breach incidents and government access requests, and handle these in accordance with the Chinese laws and regulations.
Please click here for a more detailed analysis in Chinese.