On February 24, 2023, the Cyberspace Administration of China (CAC) released the final version of the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information, accompanied by a standard contract as a schedule. The measures will take effect on June 1, 2023, and provide a six-month grace period.
“Signing a standard contract” is one of the three lawful cross-border data transfer mechanisms introduced under China’s Personal Information Protection Law. With the release of the implementing rules for the other two mechanisms in 2022 (i.e., “passing a security assessment administered by CAC” and “obtaining a certification from a qualified institution”), the finalization of the measures and standard contract signifies that all three transfer mechanisms are now in place. See this October 2022 Cooley c/d/p blog post for more details on data protection laws in China.
Who can rely on the standard contract?
A personal information handler – similar to the concept of a “data controller” under the General Data Protection Regulation – may transfer personal information outside China by signing the standard contract if it:
- Is not a critical information infrastructure operator.
- Processes the personal information of fewer than one million individuals.
- Has not cumulatively transferred overseas the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals since January 1 of the previous year.
Personal information handlers processing or transferring personal information in an amount exceeding the thresholds described above can only transfer personal information outside China by passing a security assessment administered by CAC. The measures explicitly prohibit personal information handlers from circumventing such a security assessment by “breaking down” the amount of personal information concerned.
What steps should be taken when relying on the standard contract?
The measures explicitly specify that when signing the standard contract, the parties are not allowed to include deviations from the form released by CAC and can only add other terms in the second appendix, which must not conflict with the standard contract.
In addition to signing the standard contract, personal information handlers relying on this transfer mechanism must also conduct a “personal information protection impact assessment” (PIA) and file the signed standard contract together with the PIA report with provincial CAC within 10 business days after the standard contract takes effect.
Personal information handlers also are required to reconduct the PIA, supplement or sign a new standard contract, and submit a new filing when:
- There are any changes to:
- The purpose, scope, category, sensitivity, transfer means or storage location of the personal information transferred.
- The processing purpose and means of the overseas recipient.
- The overseas retention period (except when the retention period is shortened).
- There are changes to the personal information protection policies and laws/regulations of the jurisdictions where the overseas recipient is located.
What are key terms in the standard contract?
The key terms in the standard contract focus on:
- Obligations of the personal information handler, which include:
- Notifying data subjects of the details of the cross-border transfer (e.g., processing purpose, means, categories, retention period and the means for exercising data subject rights).
- Obtaining a separate consent (where the cross-border transfer relies on consent as the legal basis).
- Notifying individuals that they are third-party beneficiaries to the standard contract.
- Making reasonable efforts to ensure that overseas recipients will take technical and organizational security measures.
- Responding to inquiries in relation to the cross-border transfer from CAC.
- Carrying out the PIA and retaining PIA reports for no less than three years.
- Obligations of the overseas recipient, which include:
- Only processing personal information within the scope of the standard contract.
- Deleting the personal information after the retention period expires.
- Adopting technical and organizational security measures (e.g., encryption, anonymization, de-identification and access control).
- Where a data breach occurs, taking remediation actions and notifying the personal information handler immediately, reporting to relevant Chinese regulator in accordance with applicable rules, notifying affected data subjects (where the overseas recipient acts as an “entrusted entity,” the data subjects shall be notified by the personal information handler) and retaining the records related to the breach.
- Only conducting onward transfers after satisfying certain requirements.
- Agreeing to be subject to regulation by CAC.
- Impact of the personal information protection policies and laws/regulations of the jurisdictions where the overseas recipient is located on the performance of the standard contract – The parties shall confirm in the standard contract that they have conducted an assessment and have not identified any policies, laws or regulations of the destination country that may impact the performance of obligations under the standard contract by the overseas recipient. The overseas recipient also must notify the personal information handler immediately after it receives any requests for providing personal information from government or judicial agencies.
- Rights and remedies available to data subjects – Data subjects may exercise their data subject rights (such as the rights to access, obtain a copy, objection, correction or deletion) by making requests to either the personal information handler or the overseas recipient. The overseas recipient also must appoint a contact person to respond to questions and complaints in relation to their processing activities. The contact information of such a contact person shall be provided to the personal information handler and the data subjects (e.g., via separate notice or website announcement).
- Other terms – Other terms in the standard contract include contract termination, breach of contract, dispute resolution (arbitration or litigation) and governing law (Chinese law).
The measures will be enforceable after the six-month grace period ends, which is on December 1, 2023. Companies planning to rely on the standard contract as its cross-border data transfer mechanism should take immediate steps to consider the transfer scenarios where a standard contract is needed, sign the standard contract with the overseas recipients, conduct the PIA and complete the fillings with CAC within the next nine months.
* Cooley LLP is not licensed to practice the law of the People’s Republic of China (PRC) and nothing herein constitutes an opinion or legal advice by Cooley with respect to PRC laws or otherwise. This blog may not be relied upon, construed as or used as an opinion, interpretation of or legal advice in any respect relating to or arising out of PRC laws or otherwise. This blog, and our review of the information referenced in this blog, is based solely upon our general familiarity with matters of the type referenced in this blog and the consultation with PRC counsel with respect to certain matters of PRC law or practice, as referenced in the blog, provided that notwithstanding such consultation, no opinions or legal advice with respect to PRC law are made herein. Any analysis, conclusion, advice or opinion with regard to PRC laws, or otherwise with regard to any of the matters referenced in this blog, must be obtained from PRC local counsel.