CAC Releases Finalized Measures on Standard Contracts for the Outbound Cross-Border Transfer of PI

On 24 February 2023, the Cyberspace Administration of China (“CAC”) published the finalized Measures on Standard Contracts for the Outbound Cross-Border Transfer of Personal Information (“SC Measures”), together with the Standard Contract for the Outbound Cross-Border Transfer of Personal Information (“Standard Contract”).[1] The SC Measures will take effect on 1 June 2023. As such, companies engaged in the outbound cross-border transfer of personal information (“PI”) from China within the scope of the SC Measures will need to be prepared to swiftly adopt responsive measures in order to comply with these new regulations. A summary of the key takeaways from the SC Measures is provided in the sections below.

Applicable Scope of the SC Measures

A PI handler[2] will be subject to the SC Measures if it engages in the transfer of PI out of China based on contractual arrangements, unless such PI handler has already completed a PI protection certification from a qualified certification institution designated by the CAC.[3] However, PI handlers that meet any of the threshold requirements for the mandatory application of the Data Export Security Assessment Measures (“SA Measures”) will still remain subject to the CAC-led security assessment regime for their cross-border data transfers and are not permitted to engage in such transfers under the standard contract regime.

For the reader’s reference, the SA Measures mandatorily apply to PI handlers transferring PI outside of China in cases where the PI handler:

• is a critical information infrastructure operator (“CIIO”);
• has processed the PI of at least one million individuals;
• has exported the PI of at least 100,000 individuals to overseas parties on a cumulative basis since 1 January of the preceding year; or
• has exported the sensitive PI of at least 10,000 individuals on a cumulative basis to overseas parties since 1 January of the preceding year.

The SC Measures further support the strict interpretation of these thresholds under the SA Measures by expressly prohibiting PI handlers from selectively distributing the volume of the PI that is processed or exported across different operating entities, so as to avoid meeting the thresholds above and thereby circumventing security assessment obligations. As such, the standard contract regime may be an unrealistic option for the transfer of PI outside of China in the case of PI handlers that are CIIOs or that are implicated by the thresholds under the SA Measures.

Requirements under the SC Measures

Execution of Standard Contracts with Overseas Recipients

PI handlers that qualify for the standard contract regime under the SC Measures must execute standard contracts with the overseas recipients of PI transferred out of China, and such contracts must include terms that strictly comply with the terms set out in the Standard Contract.[4] Covered PI handlers must refrain from carrying out any cross-border data transfers of PI before their standard contracts with corresponding overseas recipients take effect.

Filing of Standard Contracts and PI Protection Impact Assessments

Pursuant to the SC Measures, PI handlers must file both the standard contract applicable to a cross-border transfer of PI, as well as a PI protection impact assessment (“PIPIA”) report, to their provincial branch of the CAC within 10 business days of such standard contract taking effect.[5] This clearly envisions PIPIA reports being a mandatory filing document and, from this perspective, the SC Measures reinforce the existing requirement under the PRC PIPL that PI handlers must perform PIPIAs before transferring any PI offshore.

The SC Measures also provide additional guidelines as to what a PIPIA report must address, in addition to the general framework already established by the PIPL (i.e., how such reports are expected to cover the quantity, scope, type, and sensitivity of the PI being exported from the PRC, as well as the obligations and operational and/or technical measures that the overseas recipient will undertake and implement to ensure the safety of the PI being exported).

Furthermore, in situations where there are changes to the cross-border data transfer activities between a PI handler and an overseas recipient during the term of their standard contract (such as any changes to the purpose, scope, storage period, or storage location of any PI, or any changes to the relevant PI regulations of the country or region that the overseas recipient is located in that would impact the interest of data subjects), the SC Measures affirmatively require PI handlers to: (a) carry out a fresh PIPIA and prepare an updated PIPIA report; (b) execute a new standard contract or a supplementary contract that covers such changes; and (c) file both the updated PIPIA report and new standard contract or supplemental contract to the relevant provincial branch of the CAC.

Grace Period

Similarly to the SA Measures previously promulgated by the CAC, the SC Measures also include a grace period of six months after their effective date (i.e., until 1 December 2023) for PI handlers who do not meet the relevant requirements under the SC Measures to adopt rectification measures. Although the SC Measures do not expressly specify what measures should be taken during the grace period, one would expect that PI handlers who wish to continue to export PI will need to enter into standard contracts with overseas recipients, conduct PIPIAs, prepare PIPIA reports and file such documentation with the CAC by 1 December 2023 (unless such PI handlers are able to obtain PI protection certification from qualified certification institutions designated by the CAC). In cases where that is not possible for a PI handler, the PI handler will likely need to cease all PI exporting activities by 1 December 2023 in order to remain compliant with the SC Measures.

Key Clauses of the Standard Contract

The SC Measures provide that the terms of the Standard Contract must be strictly followed. Notably, most of the provisions included in the Standard Contract are aimed at giving effect to the detailed requirements and principles applicable to the handling of PI under the PRC PIPL. For example, there are clauses aimed at ensuring that parties adopt the “minimum necessity” principle, clauses that require the detailed disclosure of overseas data recipients, requirements concerning specific consent, the reiteration of the PIPIA requirements noted above, and several other terms aimed at protecting the rights and interests of data subjects.

The table below highlights several of the key terms set forth in the Standard Contract which merit attention:

Conclusion

Many of the companies currently engaged in outbound cross-border transfer of PI will be impacted by the SC Measures and will need to be prepared to take action in response. Notably, there are still several issues that remain to be clarified, such as whether every standard contract executed must be filed with the CAC, and whether a PIPIA must be conducted for each offshore recipient (although the SC Measures appear to require this). If the CAC were to take such a view on these issues, then many MNCs operating in China—especially those which are not already required to perform security assessments under the SA Measures—will need to promptly familiarize themselves with these potentially burdensome obligations under the SC Measures.

Finally, it is worth noting that the SC Measures provide that if the CAC identifies any risks or discovers any security incidents related to outbound cross-border PI transfer activities, the CAC is expressly authorized to conduct a regulatory talk (“yuetan” (约谈) in Chinese) with the PI exporter, and the PI exporter must take measures to mitigate/eliminate such risks or to rectify such incidents. It therefore appears that the CAC still intends to closely supervise cross-border data transfer activities of PI handlers that do not fall within the SA Measures through the documents that need to be filed under the SC Measures.

DaHui will continue to monitor all developments concerning the regulation of cross-border data transfer activities in China and will provide further clarifications as subsequent implementing regulations or guidelines are issued.

[1] As used in this newsletter, the defined term “Standard Contract” refers specifically to the Standard Contract for the Outbound Cross-border Transfer of Personal Information template exhibited to the SC Measures as Appendix 1. Meanwhile, the general and non-capitalized use of “standard contract” refers to the individual standard contracts that are executed between PI handlers and their overseas PI recipients in accordance with the terms of the SC Measures.

[2] The Personal Information Protection Law of the People’s Republic of China (“PRC PIPL”) defines a PI handler as any organization or individual that independently determines the purpose and method of handling PI, in connection with any activities that involve the handling of PI.

[3] Although the CAC has issued certain rules addressing PI protection certifications, it is unclear at this time which institutions are qualified and designated to carry out such certifications, and how the certifications will actually be conducted.

[4] The SC Measures provide that PI handlers and overseas recipients may agree on other supplementary terms, on the condition that such terms do not contradict any terms included in the Standard Contract.

[5] The Information Security Technology – Security Impact Assessment Guide of Personal Information (GB/T 39335-2020), issued by the National Information Security Standardisation Technical Committee of China (TC260)on 19 November 2020 and implemented on 1 June 2021, provides more detailed guidance on carrying out PIPIAs and formulating a PIPIA report.