CAC Issues Guidelines on Standard Contract Filing for Outbound Cross-Border Transfers of Personal Information

On 30 May 2023 — just two days before the Measures on Standard Contracts for Outbound Cross-Border Transfers of Personal Information (“SC Measures”) took effect and started requiring certain handlers of personal information (“PI”) from China to enter into mandatory “standard contracts” with the overseas recipients of such PI — the Cyberspace Administration of China (“CAC”) published the Guidelines for Filing Standard Contracts for Outbound Cross-Border Transfers of Personal Information (“SC Filing Guidelines”), which aim to clarify certain uncertainties and fill relevant gaps under the SC Measures.

In particular, the SC Filing Guidelines offer guidance to PI handlers in China regarding the detailed documentation, procedures, and timeline requirements that they will need to satisfy when handling the standard contract filings required under the SC Measures (“SC Filings”). A summary of the key takeaways from the SC Filing Guidelines is provided below.

Who is entitled to transfer PI offshore via standard contracts?

The Personal Information Protection Law of the People’s Republic of China (“PRC PIPL”) offers three potential methods for PI handlers in China to transfer PI to offshore recipients:

(1) passing a CAC-led “security assessment”, which, generally speaking, involves a robust and substantive (and therefore, burdensome) review and approval process with the CAC;

(2) obtaining a “personal information protection certification” from a specialized body designated by the CAC, a process which is still subject to considerable uncertainty;[1] or

(3) executing standard contracts with relevant overseas recipients of relevant PI, which must essentially follow the terms under the Standard Contract template issued by the CAC. This standard contract approach is envisioned as being a less burdensome path to legally transferring PI to overseas recipients in the case of qualifying PI handlers.[2]

Specifically, a PI handler will only be capable of relying on the standard contract approach in cases where the PI handler is not required to perform a CAC-led security assessment (for more details, please refer to our previous newsletter on this topic) or subject to other localization requirements under PRC laws and regulations. Specifically, this will mean that none of the following conditions are triggered:

• the PI handler is a critical information infrastructure operator;
• the PI handler has processed the PI of one million or more individuals;
• the PI handler has exported the PI of 100,000 or more individuals to overseas parties on a cumulative basis in the period since 1 January of the preceding year;
• the PI handler has exported the “sensitive” PI of 10,000 or more individuals to overseas parties on a cumulative basis in the period since 1 January of the preceding year.

In cases where the PI handler seeking to transfer PI to an overseas recipient satisfies any one of the conditions above, such PI handler will be required to perform a security assessment with the CAC and will not be able to rely on the use of standard contracts envisioned under the SC Measures. Where none of the above conditions are triggered, the PI handler should be able to rely on the standard contract approach by completing the procedures outlined below.

How to prepare a standard contract?

The SC Filing Guidelines re-attach the same form Standard Contract previously published by the CAC, which overtly specifies that its clauses will prevail over any additional clauses or separate clauses in other legal documentation in the case of any inconsistency or conflict. The SC Measures provide that the standard contracts entered into with overseas PI recipients must include terms that strictly comply with the terms set out in the CAC’s Standard Contract. Based on these requirements, only a few of the clauses/content under the Standard Contract published by the CAC are allowed to be tailored, such as information concerning the parties, their contact details, their preferred method of dispute resolution,[3] and details concerning the PI that will be transferred set out in the contract’s appendix (the purpose of processing such PI, its processing method, the scale of processing, the types of PI that will be transferred, the method by which such PI will be transferred, the recipient’s retention period after the transfer, etc.).

Based on the above, one fundamental takeaway made clear in the SC Measures and the SC Filing Guidelines is that PRC authorities intend for the CAC’s Standard Contract to essentially be used as a template, in which only very minor customization is permitted. In other words, the CAC’s Standard Contract itself is the agreement that PI handlers will need to executive with their offshore recipients of PI, and any alternative data processing agreements (DPAs) or standard contractual clauses (SCCs) that may be required by the data protection laws of other jurisdictions (such as the GDPR) will not meet the requirements under the SC Measures and cannot take the place of the CAC’s own Standard Contract, even in cases where those DPAs/SCCs do not necessarily conflict with the CAC document.

Likewise, merely signing a supplementary agreement to make the terms of the CAC’s Standard Contract accord with the terms of a company’s existing DPAs/SCCs will not be a feasible solution, given the Standard Contract’s mandatory language on prevailing in the case of conflicts or inconsistency noted above. Additionally, as copies of the executed contracts mirroring the CAC’s Standard Contract must be filed with the CAC, it is also crucial that all such documents are executed in the Chinese language (although an English version is still allowed to be executed separately for internal use).

Given the above, we expect that the strict conformity required under the CAC’s Standard Contract will actually result in relatively straightforward data compliance arrangements in the case of MNCs that need to implement internal, group-wide compliance with the PRC data framework (e.g., in the case of PRC subsidiaries that need to share PI with overseas parent companies or other affiliates). However, it remains to be seen how willing external parties may be to sign contracts mirroring the CAC’s Standard Contract in cases where such external parties will be positioned as offshore PI recipients, especially considering the extremely limited allowance for customization.

When to sign and file contracts with the CAC?

The SC Measures provide a six-month grace period after their effective date (i.e., until 1 December 2023) for any PI handlers who do not meet the relevant requirements under the SC Measures to adopt rectification actions. Although the SC Measures do not expressly specify which actions should be taken during this grace period, logically, in the case of PI handlers who intend to continue exporting PI to overseas recipients on or after 1 December 2023, such actions would consist of the same compliance obligations set forth under the SC Measures, including:

(1) entering into executed versions of the CAC’s Standard Contract with all overseas recipients of PI, and ensuring that such contracts take effect before 1 December 2023;

(2) conducting a so-called “personal information protection impact assessment” (“PIPIA”) and preparing PIPIA reports; and

(3) submitting an SC Filing to the CAC by 30 November 2023, unless such PI handlers are able to obtain the currently unclear “personal information protection certification” noted above, or are already required to perform a CAC-led security assessment under the Measures concerning the Security Assessment for Cross-Border Data Transfer (“SA Measures”).

Beyond this, the SC Filing Guidelines clarify that such SC Filings must be submitted within 10 working days after the signed standard contract takes effect, must be submitted in both hard copies and electronically, and that such SC Filings should be submitted to the PI handler’s relevant provincial-level branch of the CAC.

What actions need to be taken to complete an SC Filing?

The SC Filing Guidelines provide additional clarification that a PI handler submitting an SC Filing will need to provide the following materials:

• a copy of the business license of the filing party (i.e., the PI handler);
• a copy of the identification of the legal representative of the filing party;
• a copy of the identification of a person authorized to handle the SC Filing;
• a signed power of attorney (based on a provided template);
• a signed commitment letter by the filing party (based on a provided template);
• the signed and effective version of the Standard Contract that has been executed with the applicable overseas PI recipient; and
• the applicable PIPIA report (based on a provided template).

Based on the template PIPIA report issued by the CAC, the information and contents that need to be included in such PIPIA reports appear to be significantly similar to the existing “self-assessment” reports under the SA Measures, except that the PIPIA report does not require any information regarding important data and key terms under executed standard contracts (given that such contracts will already need to be provided separately in the case of an SC Filing).

Taken together, the preparation of PIPIA reports is expected to be the most time-consuming task in the process of completing an SC Filing, and notably, such PIPIA reports must be completed no earlier than three months before the date that the SC Filing is submitted. Once submitted, any significant changes that deviate from the submitted materials will result in the need to prepare a new PIPIA report.

What are the possible outcomes of an SC Filing?

Unlike many “filings” in other jurisdictions, most of the filings made to PRC authorities will be subject to some level of review and examination, and SC Filings will not be immune from this trend. Upon all necessary documentation being submitted to the competent provincial branch of the CAC, such branch will then review the submission. Upon receiving the filing materials, the CAC is theoretically required to complete their examination within 15 working days and to notify the filing party of the examination results.

There will be two potential outcomes of an SC Filing:

(1) If the provincial branch of the CAC is satisfied with their examination results, the SC Filing will be passed, and a filing number will be issued by the relevant provincial branch of the CAC.

(2) If the provincial branch of the CAC is not satisfied following their examination, the SC Filing will essentially be failed and the relevant provincial branch of the CAC will notify the filing party of this outcome and the reasons for the failure. If supplementary documents are requested by the CAC, the filing party will be required to submit such materials within 10 working days after receiving notification from the CAC.

Although the SC Filing Guidelines do not specify the reasons why a party could potentially fail its SC Filing, the theoretical reasons could include:

(a) incomplete submission of documents;

(b) unacceptable deviation from the CAC’s Standard Contract;

(c) submitting a PIPIA report that fails to meet the CAC’s requirements; or

(d) the proposed transfer of PI offshore does not comply with other PRC regulatory requirements (such as the PI transfer being of insufficient necessity, or resulting in PI at risk of being destroyed, leaked, lost, illegally obtained or used, etc.).

According to the SC Measures, an outbound cross-border transfer of PI can be carried out only after the signed standard contract for such transfer takes effect. The SC Filing Guidelines do not expressly indicate whether PI handlers are required to cease cross-border transfers of PI in cases where they fail a corresponding SC Filing, which will be subject to further CAC clarification. That said, under certain scenarios (for example, if the SC Filing failure was a result of the reasons listed in items (b) or (d) of the preceding paragraph), proceeding with a cross-border PI transfer after failing an SC Filing would might result in a violation of the PRC PIPL.

How long will an SC Filing be valid?

Unlike the security assessment results under the SA Measures (which are valid for only two years and subject to renewal upon expiration), both the signed contracts entered between PI handlers and their overseas PI recipients as well as the PI handler’s successful SC Filing will each remain valid indefinitely, unless one of the following circumstances occurs:

(1) The purpose, scope, types, sensitivity, manner of transfer, or storage location of the PI to be transferred offshore changes; the use or manner of processing the PI by the overseas recipient changes; or the overseas retention period of the PI is extended;

(2) The PI protection policies and regulations in the jurisdiction where the overseas recipient is located change in a manner that may affect the rights and interests implicated by the transferred PI;

(3) Other circumstances that may affect the rights and interests implicated by the transferred the PI.

In the event of any of the abovementioned circumstances, the PI handler will be required re-conduct PIPIA procedures, to update or re-sign the contracts executed with relevant overseas recipients, and perform a new or supplemented SC Filing by submitting such updated materials to the CAC.

What is the penalty for transferring PI offshore in violation of the SC Measures?

If a PI handler transfers PI offshore without executing a contract with overseas recipients that mirrors the CAC’s Standard Contract, then (unless such PI handler has completed a CAC-led security assessment or obtained a “personal information protection certification”) such party will likely be considered to have violated several provisions of the PRC PIPL (e.g., Articles 38, 55), and subject to relevant penalties.

Specifically, the penalties for violation of these clauses in such a scenario could include:

• being ordered to adopt rectification measures;
• being given a warning;
• having any unlawful proceeds confiscated by PRC authorities; and
• having any online systems or applications used to unlawfully process PI suspended or terminated.

Additionally, in cases where ordered rectification measures are not adopted, the PI handler could be subject to a fine of up to RMB 1 million, and any person in charge or otherwise directly liable for the violation could be fined between RMB 10,000 and RMB 100,000.

In extremely serious cases, the penalty imposed on PI handlers could be up to RMB 50 million or 5% of the PI handler’s revenue in the preceding year. That said, as the PI handlers entitled to export PI through the standard contract approach under the SC Measures inherently do not process a very large volume of PI (in which case, they would be required to conduct security assessments under the SA Measures), the risk of these PI handlers committing an extremely serious violation may be somewhat limited.

In addition to the above, the SC Measures provide that if the CAC identifies any risks or discovers any security incidents related to outbound cross-border PI transfer activities, the CAC is expressly authorized to conduct regulatory discussions (“yuetan” (约谈) in Chinese) with the PI handler, in which case the PI handler will be required to adopt measures to mitigate/eliminate such risks or to rectify such incidents.

The body of PRC laws and regulations that are currently in force do not specify which exact penalties would be imposed in the case of a PI handler who completely fails to submit (or pass) an SC Filing, but theoretically, we would expect the same penalties under the PRC PIPL will also apply if the failure to submit or pass the SC Filing involves activities that violate the regulatory requirements for cross-border transfers of PI under the PRC PIPL.

DaHui’s observations

In our view, we anticipate that many of the companies currently engaged in outbound cross-border transfers of PI from China will likely be impacted by these clarified aspects of the SC Measures detailed in the SC Filing Guidelines, and such companies will need to be prepared to take action.

In particular, every company that plans to continue exporting PI to overseas recipients after 30 November 2023 would be advised to start preparing PIPIA reports with respect to its overseas PI transfers, and to have such reports ready to be issued no earlier than three months prior to the submission of their SC Filing and no later than 30 November 2023. Likewise, such companies should also plan to have all versions of the CAC’s Standard Contract executed with their overseas PI recipients ready to take effect before 30 November 2023, so that relevant SC Filings can be submitted no later than 30 November 2023.

Although the SC Filing Guidelines clarify various matters concerning SC Filings, there are also notably still several issues that remain subject to uncertainty. For example, it is not currently clear whether one version of the CAC’s Standard Contract will be permitted to be signed with multiple entities acting as either PI handlers (e.g., various PRC subsidiaries of a group signing the same contract) or offshore recipients (e.g., various offshore affiliates of one PRC subsidiary signing the same contract), and if so, which entity should be the filing party to actually submit the SC Filing. Considering that many MNCs with operations in China utilize various subsidiaries in multiple provinces in China, whether such entities will be permitted to alter their data flows and utilize one PI-exporting “holding company” for purposes of cross-border PI transfers and compliance with the SC Measures also remains to be seen.

As always, DaHui will continue to monitor all developments concerning these cross-border data transfer requirements in China, and will provide further clarifications as subsequent implementing regulations are issued and as regulatory practices become more clear.

[1] Although the CAC has issued certain rules addressing PI protection certifications, it is unclear at this time which institutions will be qualified and designated to carry out such certifications, and how the certifications will actually be conducted.

[2] Notably, under both the SC Filing Guidelines and the overarching regulations that comprise China’s data compliance regime, the PRC authorities take a broad and constructive view of what amounts to an outbound cross-border transfer of PI, which can mean: (i) transferring or storing PI that is initially collected or generated during operations carried out within mainland China to any entities or individuals located outside of mainland China; and (ii) viewing, accessing, retrieving, downloading or exporting any PI that is collected/generated and stored within mainland China by entities or individuals located outside of mainland China.

[3] Under the SC Measures, the parties’ dispute resolution mechanism must be either litigation in China or arbitration administered by a PRC arbitration institution or another institution in a country or region that is a member of the New York Convention.