CAC Publishes Draft Standard Contract Provisions for the Exit of Personal Information

On 30 June 2022, the Cyberspace Administration of China (“CAC”) released the draft Standard Contract Provisions for the Exit of Personal Information (“Draft Provisions”) together with the draft Personal Information Export Standard Contract (“Draft Standard Contract”), both subject to public comments until 29 July 2022. Taken together, if ultimately adopted in their current form, these two documents would mark another significant development of the People’s Republic of China’s (“PRC”) cybersecurity regulatory regime.

Filling in Legislative Gaps

Although the landmark Personal Information Protection Law of the PRC (“PIPL”) came into effect on 1 November 2021, it has been subject to some uncertainties, which the PRC legal community expected would be clarified in subsequent months.

For example, Article 38, paragraph 1 of the PIPL provides that a personal information processor (“PI Processor”) seeking to export personal information to a recipient outside the territory of the PRC must satisfy several conditions (where such a transfer is not strictly prohibited), such as the conclusion, between the PI Processor and the intended foreign recipient, of a contract, whose terms moreover must comply with those of a “standard contract” provided by the CAC.[1] To date, there have been no (public) rules or guidance about satisfying these requirements.

The Draft Standard Contract and Draft Provisions now seek to fill this gap and are poised to become cornerstones that PI Processors can take into consideration when establishing or updating their personal information protection policies in the PRC market.

Key Stipulations

Applicable Scope. The Draft Provisions apply only to PI Processors that:

• are operators of non-critical information infrastructure (i.e., operators which do not constitute “CIIOs”);[2]
• have processed the personal information of less than one million individuals;
• have exported the personal information of less than 100,000 individuals to overseas parties since 1 January 2021; and
• have exported the sensitive personal information of less than 10,000 individuals to overseas parties since 1 January 2021.

The Draft Provisions thus appear not to apply to all PI Processors. When read in conjunction with the draft Measures of Security Assessment for Data Export released by the CAC on 29 October 2021, it seems that only PI Processors that are not subject to CAC security assessment requirements will be able to rely on the CAC’s standard contract terms in order to export personal information. Meanwhile, PI Processors that fall outside the scope of the Draft Provisions must still adhere to other relevant provisions of PRC law, including the satisfaction of the other conditions set out at Article 38, paragraph 1 of the PIPL, before they may legally export personal information to any foreign recipient.

Data Protection Impact Assessment. Article 56 of the PIPL already provided that PI Processors must conduct a data protection impact assessment (“DPIA”) addressing a number of topics, mainly concerning the legality, legitimacy and associated risks of proposed transfers of personal information as well as the adequacy of proposed security measures to protect the same. The Draft Provisions provide more detailed guidelines regarding what a DPIA must address in addition to the framework previously provided by the PIPL, e.g., the quantity, scope, type, and sensitivity of the personal information being exported from the PRC as well as the obligations and operational and/or technical measures that the foreign recipient will undertake and implement to ensure the safety of the personal information being exported. In this regard, it appears that the guidelines in the Draft Provisions may serve as an important reference for what a DPIA must address in order for it to be deemed compliant with the requirements under the PIPL.

Contents of a Standard Contract. The Draft Provisions also clarify that the main contents of a “standard contract” should at least include the following:

The above-mentioned contents are all incorporated into the Draft Standard Contract[3], which essentially provides a template of what a compliant contract between a PI Processor and a foreign recipient would look like (from the perspective of the CAC).

As such, the Draft Standard Contract will allow PI Processors to conveniently adopt a standard form agreement to execute with relevant foreign recipients of personal information for transferring personal information out of the PRC. The Draft Standard Contract contains a blank Appendix II, indicating the CAC’s recognition that a certain degree of flexibility is expected for contracting parties to incorporate any “other provisions” – presumably as long as such provisions do not contradict the provisions of the Draft Standard Contract or prejudice the rights of the data subjects from whom personal information is collected.

Filing Requirements. The Draft Provisions also make clear that a PI Processor is required, within ten days of executing any standard contract for overseas transfer of personal information, to file it and its corresponding DPIA to the local provincial Cybersecurity and Information Department. Furthermore, the Draft Provisions also set out circumstances in which a PI Processor must re-execute such agreements with counterparties and re-file the re-executed agreements with the local provincial Cybersecurity and Information Department, including any subsequent changes to the purpose, scope, storage period, or storage location of any personal information and any changes to the relevant personal information regulations of the country or region of the foreign recipient.

At this stage, it is still not entirely clear what the relationship will be between the legal effectiveness of a standard contract for overseas personal information transfers and a PI Processor’s requirement to file such contracts with PRC authorities. Whether standard contracts will only be deemed as legally effective after they have been properly filed remains to be clarified. The Draft Standard Contract appears to suggest that the contract becomes valid as of its execution by both contracting parties. However, how the authorities will in practice interpret the relationship between the filing process and the validity of filed contracts (or, for example, contracts that are filed but do not comply with the CAC’s requirements) remains to be seen.

Consequences of Breach. The Draft Provisions do emphasize that PI Processors who fail to comply with their filing obligations, who submit falsified documents to the relevant authorities, who fail to fulfill their obligations under the standard contract or who otherwise infringe on the personal information rights of their data subjects may be ordered to undertake rectification measures issued by provincial branches of the Cybersecurity and Information Department (or higher-level branches). If such PI Processors still fail to comply, they may be penalized and even potentially bear criminal liability.

Considering the overall nature of the PRC cybersecurity framework, as it has emerged in recent years, any penalties imposed under the Draft Provisions are likely to be essentially administrative in nature and arise under the regulatory authority already existing under the PIPL (which is, in fact, expressly referenced in the new draft documents). However, as alluded to in the Draft Provisions, in especially serious cases of non-compliance, there could be a risk of criminal liability. Given the stakes, this too will be an area to pay particular attention to once the formal version of the Draft Provisions is issued.

Impact for Companies Inside and Outside the PRC

Although the Draft Provisions and Draft Standard Contract are not yet legally binding and are even subject to change, they are in tune with legislative and regulatory trends, and therefore business operators with activities in the PRC market may wish to begin familiarizing themselves with them and even prepare to update their personal information protection practices, though they generally need not take any concrete measures in that respect yet.

Notably, the PIPL and its recent draft implementing rules appear aimed at enhancing governance of data processing activities outside the PRC carried out by business operators providing services to customers within the PRC (including through websites/applications hosted outside the PRC). Therefore, all business operators with a PRC presence (even those that perform their operations from the offshore level) will want to be familiar with the contents of these new regulatory documents.

DaHui will simultaneously monitor the situation closely, including any significant feedback or suggestions that are put forth during the Commentary Period, and will continue to report on any further developments.

1. See Article 38 paragraph 1(3) of the PIPL, which provides: “Where it is necessary for personal information to be provided by a personal information processor to a recipient outside the territory of the PRC due to any business need or any other need, one of the following conditions shall be met: […] 3. A contract in compliance with the standard contract provided by the national cyberspace authority has been concluded with the overseas recipient, establishing the rights and obligations of both parties […].”
2. CIIOs (critical information infrastructure operators) are entities engaged in “important industries or fields”, including: public communication and information services; energy; transport; water; finance; public services; e-government services; national defense; and any other important network facilities or information systems, which, in the event of damage thereto, loss of function thereof or leak of data therefrom, may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks.
3. It is unclear for the time being whether the use of the Draft Standard Contract is mandatory for entities falling within the scope of the Draft Provisions to export personal information out of the PRC in compliance with relevant PRC laws and regulations.