On 24 February 2023, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on Standard Contracts for the Export of Personal Information (“Measures”), which provide for outbound transfers of personal information (“PI”) via the conclusion of a Standard Contract of Personal Information Export (“Standard Contract”) with an offshore importer of PI under Article 38 of the PIPL. The significance of the Measures has been noted, in particular, by legal practitioners, who consider them to be the missing link in China’s cross-border data transfer regime.
While the Measures come into force on 1 June 2023, a six-month grace period applies to any cross-border data transfer that began before that date. This means that companies will have until 30 November 2023 to complete all preparatory steps to ensure full compliance with the Measures. It is important to note that, for data transfers initiated on or after 1 June 2023, the Measures apply immediately from the effective date without any grace period.
In light of the extensive scope of the Measures and their wide-ranging implications for companies conducting cross-border data transfers, even where the volume of PI handled is low, you are well advised to carry out a thorough assessment of your company’s data export processes to identify and mitigate any compliance risks accordingly.
This article details the eligibility requirements for PI processors opting for the Standard Contract route. In addition, it addresses the various points of significance under the Measures, and the arrangements that should be made so as to conform to the Measures.
Three possible routes for outbound PI transfers
Article 38 of the PIPL provides for three routes through which cross-border transfers of personal data can be made legally:
- Undergoing a security assessment conducted by the CAC;
- Obtaining certification from a recognised professional body in accordance with the CAC’s regulations, and the Announcement on Implementation of Verification and Certification of Personal Information Protection released on 4 November 2022; or
- Concluding a Standard Contract, as prescribed by the CAC, with the offshore importer of PI.
Given that the security assessment is only mandatory for large PI operators, i.e., those that are designated critical information infrastructure operators* or export PI over a certain threshold, and the certification regime seems to be the preferred route for multinational enterprises conducting intra-group transfers of data between their subsidiaries, companies are most likely to adopt the Standard Contract to provide for cross-border data transfers.
The Standard Contract regime is akin to that of the European Union under the General Data Protection Regulation (“GDPR”), where the vast bulk of data exports are made via a standard contract system.
*Critical information infrastructure operators are the organisations that operate systems, infrastructure and services integral to the proper functioning of a nation’s economy and society, such as public communication and information services, energy, water, and transport providers.
Applicable scope of the Standard Contract
While the Standard Contract route is more user-friendly and straightforward, since it is a self-regulatory mechanism that does not require PI processors to seek explicit approval from an external third party, be that the CAC or a certification body, not all PI processors are eligible to use it.
The Standard Contract regime is only applicable to PI processors that:
- Are not deemed critical information infrastructure operators;
- Process the PI of fewer than one million individuals;
- Have exported the PI of fewer than 100,000 individuals in aggregate since 1 January of the previous calendar year; and
- Have exported sensitive PI of fewer than 10,000 individuals in aggregate since 1 January of the previous calendar year.
Under the PIPL, PI is defined as all kinds of information relating to identified or identifiable natural persons recorded by electronic or other means, excluding anonymised information. In addition, a separate definition for sensitive PI is provided, which refers to types of PI that may harm the individual’s dignity or endanger the individual’s personal safety or property if disclosed or illegally used, such as biometric characteristics, religious beliefs, medical history, financial accounts, location, and the PI of minors under the age of 14.
A PI processor refers to an organisation or individual that independently determines the purposes and methods of the processing of PI, whose role resembles that of a “controller” under the GDPR. PI handling activities include PI collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.
A cross-border transfer of PI is defined as an outward-bound transfer of personal data over the course of a company’s operation in mainland China; it includes the use of personal data via remote access by individuals or organisations abroad.
In addition, the Measures now contain an anti-abuse provision which expressly forbids PI processors from engaging in the practice of splitting data transfers into separate, discrete batches to avoid triggering the requirement to undergo a security assessment. This safeguarding mechanism is specifically targeted at multinational corporations whose subsidiaries in China are deliberately and artificially segmenting their data export activities to bypass the requirement for a security assessment.
Furthermore, where the export of “important” data is concerned, which is defined as data that may constitute a threat to national security, economic and social stability, public health, and safety if it is tampered with, destroyed, leaked, or illegally obtained or used, a security assessment will be required.
Content of the Standard Contract
The Standard Contract prescribed by the CAC contains nine articles:
- Article 1 provides a list of definitions of relevant terms;
- Article 2 enumerates the obligations of the PI processor;
- Article 3 lists the obligations of the offshore importer of PI;
- Article 4 considers the impact, on the performance of the Standard Contract, of PI protection policies and regulations in the country or region where the offshore data importer is based;
- Article 5 defines the rights of the PI subject;
- Article 6 delineates the remedies to which the PI subject has recourse;
- Article 7 specifies the circumstances under which the Standard Contract can be terminated;
- Article 8 sets out the liability of each party in the event of breach;
- Article 9 addresses other miscellaneous matters, including dispute resolution procedures, and the governing law and jurisdiction.
Noteworthy points under the Measures
Standard Contract clauses are non-amendable
According to the Measures, the terms as set out in the Standard Contract prescribed by the CAC are not to be modified in any way. The Standard Contract must be implemented and strictly adhered to in its entirety and unaltered form.
Other terms or pre-existing agreements should not conflict with the Standard Contract
While PI processors are prohibited from deviating from the Standard Contract, they have discretion in deciding which additional provisions to insert, insofar as these do not conflict with the core terms of the Standard Contract. Appendix II – Other terms agreed by the parties (if required) to the Standard Contract allows for the addition of any supplementary provisions. No further guidance is, however, provided as regards the scope or limits of its application.
By the same token, where data processing agreements are already in place, such pre-existing arrangements should be compatible and consistent with the provisions in the Standard Contract. If a company seeks to amalgamate both arrangements, it would be advisable to take the Standard Contract as the main body of the agreement, with any supplementary terms placed into Appendix II.
Effective date of Standard Contract
Cross-border data transfers can only take place after the relevant Standard Contract comes into effect. Although PI processors are legally obligated to file the executed Standard Contract with the CAC, together with a Personal Information Protection Impact Assessment (“PIPIA”), within ten working days of the effective date, non-filing will not undermine the validity or affect the operation of the Standard Contract.
Signatories to the Standard Contract
The Standard Contract is to be signed between the PI processor based in mainland China and the offshore data importer, which is defined as an organisation or individual situated outside mainland China that receives PI from the PI processor in mainland China. The Standard Contract suggests that the data importer can act in the capacity of either an independent PI processor or an entrusted processor, known as an Entrusted Party, appointed by the independent PI processor.
In contrast to the modular framework adopted under the GDPR to cater for the different possibilities in cross-border data transfers, such as controller–controller, controller–processor, processor–controller, and processor–processor, the Standard Contract employs a universal, blanket approach.
What remains a potential area of ambiguity is who the signatories to the Standard Contract should be in cases where more than two parties participate in cross-border data transfers.
Re-filing of the Standard Contract
There are specific circumstances that necessitate the filing of a new Standard Contract alongside the submission of a revised PIPIA before the contract expiry date, namely the following:
- There have been changes to the purpose, scope, type, level of sensitivity, processing means, or storage location of the exported PI, or to the purpose and means of processing PI by the offshore data importer; or there has been an extension of the retention period.
- There have been changes to the policies, laws, or regulations governing the protection of PI in the offshore data importer’s jurisdiction that may impact the rights and interests of the PI subjects.
- Other conditions that could impact the rights and interests of the PI subjects.
Obligations of offshore data importers
The Measures impose rather onerous obligations on offshore data importers, who must observe the relevant requirements on the length of the retention period, access management, transfers of PI to an offshore third party, maintenance of records, etc.
In particular, offshore data importers seeking to transfer PI to another third party based outside mainland China must:
- Prove that there is a genuine business need to do so;
- Inform the relevant PI subject of the transfer and, where the transfer of sensitive PI is concerned, of its impact on the rights and interests of the PI subject;
- Obtain explicit consent of the PI subject or his/her guardian(s) in the case of a minor;
- Sign a written agreement with the third party to ensure that the third party’s processing of PI complies with Chinese laws governing the protection of PI, and agree to be liable for any violation of PI subjects’ rights resulting from the transfer of PI to the third party;
- Provide a copy of the written agreement to the PI subject upon his/her request, with confidential information redacted where necessary.
In the case of a further delegation of processing activities to an offshore sub-processor, the offshore data importer will need to meet additional obligations under the Standard Contract, including obtaining separate consent from the PI processor based in mainland China and exercising supervision over a sub-processor.
In addition, it is important to note that the offshore data importer, in signing the Standard Contract, will agree to be subject to the regulatory supervision of the CAC in respect of any requests, enquiries, and inspections.
What steps should you take to ensure compliance with the Measures?
Properly adhere to filing requirements
Prepare an appropriate PIPIA
As indicated above, a PIPIA must be carried out before any data export takes place and filed together with the executed Standard Contract. It should be emphasised that the preparation of the PIPIA is not to be approached as if it were a box-ticking exercise. The completion of such a report can take several months, depending on the nature and complexity of the data transfers. Although the CAC does not prescribe a standard format for the PIPIA, the following points should be sufficiently addressed, as specified in the Measures:
- The legality, legitimacy, and the necessity of the purpose and extent of the outbound PI transfers as well as that of the processing techniques used by the PI processor based in mainland China and the offshore data importer.
- The range, scale, type, and degree of sensitivity of the PI being exported as well as the possible risks to which the rights and interests of the PI subjects may be exposed as a result of the outbound PI transfers.
- The duties and obligations taken on by the offshore data importer, and whether the administrative and technical safeguards that have been implemented in discharging such duties and responsibilities are sufficient to protect the exported PI.
- The risk of the PI being tampered with, destroyed, leaked, lost, or used for illicit purposes following export, and whether the channels for securing the rights and interests of the PI subjects remain free and unobstructed.
- The implications of PI protection policies and regulations in the country or region where the offshore data importer is based for the performance of the Standard Contract.
- Other relevant factors that may impact the security of outbound PI transfers.
Conduct a comprehensive inventory of cross-border data transfers
It is evident from the threshold requirements under the Measures that the onus is on PI processors to maintain precise and detailed records of all cross-border data transfers to ensure that they are acting in compliance. Hence, it is advisable to undertake a meticulous and exhaustive inventory of the exact volume, nature, type, and scale of PI being exported offshore to ascertain whether you fall within the applicable scope of the Standard Contract.
As mentioned previously, the purposeful division of data into smaller batches to circumvent the requirement for a security assessment is strictly prohibited. Observing the relevant volume thresholds is, therefore, of paramount importance. It is worth highlighting once again that the commencement date from which the volume of exported PI is counted towards the aggregate thresholds is 1 January of the preceding calendar year, so the counting window moves forward each year. The volume of transferred PI should be tracked and monitored continuously, and especially closely in the latter half of the period, to ensure that it remains within the limits stipulated by the Measures.
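One way to run such an inventory check in practice, as an added illustration that is not part of the original article or of any CAC guidance: the script below assumes an export inventory kept as one record per individual per transfer, with a stable pseudonymous identifier for each PI subject and a flag for sensitive PI, and applies the four eligibility conditions stated above. The record format, field names and helper names are the author's own assumptions; the thresholds and the counting window (1 January of the preceding calendar year) are those described in the article. Individuals are de-duplicated across transfers, so splitting an export into several batches does not lower the figure the Measures look at.

```python
"""Inventory check against the Standard Contract volume thresholds.

Added example, not code from the original article or from the CAC.
Assumptions (author's own): one ExportRecord per individual per transfer,
a stable pseudonymous subject_id, and a sensitive-PI flag per record.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Thresholds as stated in the Measures; all four conditions must hold.
MAX_INDIVIDUALS_PROCESSED = 1_000_000
MAX_INDIVIDUALS_EXPORTED = 100_000
MAX_SENSITIVE_INDIVIDUALS_EXPORTED = 10_000


@dataclass(frozen=True)
class ExportRecord:
    """One individual's PI included in one outbound transfer (constructed format)."""
    transfer_date: date
    subject_id: str   # pseudonymous identifier of the PI subject
    sensitive: bool   # True if sensitive PI (as defined in the PIPL) was exported


def window_start(as_of: date) -> date:
    """Counting starts on 1 January of the calendar year before `as_of`."""
    return date(as_of.year - 1, 1, 1)


def exported_individuals(records: Iterable[ExportRecord], as_of: date) -> tuple[int, int]:
    """Return (distinct individuals exported, distinct individuals whose sensitive PI was exported).

    Records before window_start(as_of) or after as_of are ignored; an individual
    appearing in several batches is counted once, i.e. the aggregate figure.
    """
    start = window_start(as_of)
    all_subjects: set[str] = set()
    sensitive_subjects: set[str] = set()
    for rec in records:
        if start <= rec.transfer_date <= as_of:
            all_subjects.add(rec.subject_id)
            if rec.sensitive:
                sensitive_subjects.add(rec.subject_id)
    return len(all_subjects), len(sensitive_subjects)


def standard_contract_route(is_ciio: bool, individuals_processed: int,
                            records: Iterable[ExportRecord], as_of: date) -> tuple[bool, list[str]]:
    """Decide whether the Standard Contract route is open and list every failed condition.

    If any condition fails, the article's reading of the Measures is that the
    CAC security assessment becomes mandatory instead.
    """
    exported, sensitive = exported_individuals(records, as_of)
    failures: list[str] = []
    if is_ciio:
        failures.append("designated critical information infrastructure operator")
    if individuals_processed >= MAX_INDIVIDUALS_PROCESSED:
        failures.append(f"processes PI of {individuals_processed:,} individuals "
                        f"(limit {MAX_INDIVIDUALS_PROCESSED:,})")
    if exported >= MAX_INDIVIDUALS_EXPORTED:
        failures.append(f"exported PI of {exported:,} individuals since "
                        f"{window_start(as_of)} (limit {MAX_INDIVIDUALS_EXPORTED:,})")
    if sensitive >= MAX_SENSITIVE_INDIVIDUALS_EXPORTED:
        failures.append(f"exported sensitive PI of {sensitive:,} individuals since "
                        f"{window_start(as_of)} (limit {MAX_SENSITIVE_INDIVIDUALS_EXPORTED:,})")
    return not failures, failures


# Constructed sample inventory: one record predates the counting window, one
# individual appears in two separate batches, and a later "split" batch follows.
SAMPLE_AS_OF = date(2023, 6, 1)
SAMPLE_RECORDS = [
    ExportRecord(date(2021, 12, 31), "subj-001", False),  # before 2022-01-01: ignored
    ExportRecord(date(2022, 3, 1), "subj-001", False),
    ExportRecord(date(2022, 3, 1), "subj-002", True),
    ExportRecord(date(2023, 2, 15), "subj-002", True),    # same individual, counted once
    ExportRecord(date(2023, 5, 20), "subj-003", False),
    ExportRecord(date(2023, 5, 20), "subj-004", True),
]

if __name__ == "__main__":
    print("counting window starts:", window_start(SAMPLE_AS_OF))
    print("distinct exported / sensitive:", exported_individuals(SAMPLE_RECORDS, SAMPLE_AS_OF))
    ok, why = standard_contract_route(False, 250_000, SAMPLE_RECORDS, SAMPLE_AS_OF)
    print("Standard Contract route open:", ok, why)
```

Run this against the full export inventory rather than per-transfer extracts: the thresholds are aggregates, and a per-batch view is exactly the artificial segmentation the Measures prohibit. Re-run it at least quarterly, since the window start moves forward each 1 January and an individual whose PI was exported early in the previous year stays in the count until then.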