PRC Cyberspace Administration issued its Circular on the Draft of Regulation on Standard Contract for Outbound Cross-border Transfer of Personal Information ("the Draft") on June 30, 2022, in order to seek public opinions. This article aims to briefly illustrate recent progress for this new legislative change.
1. Background for the Issuance of the Draft
PRC Personal Information Protection Law ("PIPL") which was enacted on August 20, 2021 and implemented since November 1, 2021, has been widely regarded as a first and historical step of Chinese legislation in protecting the personal rights in digital era, which is comparable to the GDPR of EU. The article 38 of the PIPL provided three different approaches for the
The outbound transfer of information has been increasingly important for transactions by subsidiaries of multinationals in different jurisdictions or between foreign companies and their domestic partners. From the perspective of daily operation of multinationals, foreign headquarters may need the concentrated administration of information acquired from domestic subsidiaries. By the same token, domestic branches may also need outbound information transfer ("OIT") during their regular operation.
2. General Requirement of PIPL
The PIPL, as the upper level legislation in its Article 38, provided that "Where it is necessary for personal information to be provided by a personal information processor to a recipient outside the territory of the People's Republic of China due to any business need or any other need, one of the following conditions shall be met.
- A security assessment organized by the national cyberspace authority has been passed in accordance with Article 40 of this Law;
- A certification of personal information protection has been given by a professional institution in accordance with the regulations of the national cyberspace authority.
- A contract in compliance with the standard contract provided by the national cyberspace authority has been concluded with the overseas recipient, establishing the rights and obligations of both parties;
- Any other condition prescribed by law, administrative regulations or the national cyberspace authority is met.
Nonetheless, the national cyberspace authority has not established any professional institution in charge of the certification by now as provided in the second paragraph of the provision above. Nor has the "Measures of Security Evaluation for Data Outbound Transfer" been issued as provided in the first paragraph of the provision.
Notably, among the three approaches mentioned above, the third appears to be the most cost-effective one. Consequently, the issuance of the Draft at this time made solid progress for the third approach, namely concluding contract with foreign receipt in compliance with the standard contract as provided by national cyberspace authority.
3. The Requirements on Entities Qualified to take the Approach of Standard Contract
Article 4 of the Draft provided that A personal information processor may provide personal information to an overseas recipient by entering into a Standard Contract if it meets all of the following conditions:
(1) it is a non-critical information infrastructure operator;
(2) it handles the personal information of less than one million individuals;
(3) it has provided personal information of less than 100,000 individuals in aggregate to overseas recipients since January 1 of the previous year; and
(4) it has provided sensitive personal information of less than 10,000 individuals in aggregate to any overseas recipients since January 1 of the previous year.
Therefore, the entity that take the third approach will need to be an operator handles (a) Non-Critical Information Infrastructure("NCII"), (b) Information less than one million individuals and (c) Non-sensitive information for less than 10 thousand individuals. With regard to the entity that handles information otherwise differently or exceeds the limitations as provided above may not be applicable to this approach, it therefore need to go through the rest approaches such as security assessments by authority or certification by institution. Notably, the social service app or website will very likely exceed the limitation of millions in terms of the number of users which thus may not be able to take the third approach. In addition, it is noteworthy that the limitation of number is calculated by the number of individuals rather than the pieces of information.
4. Assessment against the impact of personal information protection
According to Article 5 of the Draft, it provided that Before providing any personal information to an overseas recipient, the personal information processor shall conduct a personal information protection impact assessment focused on the following matters.
(1) the legality, legitimacy, and necessity of the purpose, scope, and method for processing personal information by the personal information processor and the overseas recipient
(2) the quantity, scope, type, and sensitivity of personal information to be transferred overseas, and the risk that the outbound cross-border transfer may pose to the rights and interests in personal information;
(3) the responsibilities and obligations that the overseas recipient undertakes to assume, and whether its management and technical measures and capabilities to fulfill such responsibilities and obligations are sufficient to ensure the security of personal information to be transferred;
(4) the risk of being disclosed, destroyed, tampered with, or misused after the personal information is transferred overseas, and whether there is a smooth channel for individuals to protect their rights and interests in the personal information;
(5) the impact of personal information protection policies and regulations in the country or region of the overseas recipient on the performance of the Standard Contract; and
(6) other matters that may affect the security of personal information to be transferred overseas.
In addition, Article 7 of the Draft also provided that
the personal information processor shall, within 10 working days
from the effective date of the Standard Contract, file a record
with the provincial cyberspace authority where it is located. The
following materials shall be submitted for record-filing.
(1) the Standard Contract; and
(2) the personal information protection impact assessment report.
The personal information processor shall be responsible for the authenticity of the materials it submits. It may proceed with the outbound cross-border transfer of personal information after the Standard Contract takes effect.
As provided in Article 5 above, personal information processor needs to conduct assessment against the key issues for protection of personal information prior to the execution of the standard contract, which may include status of the procession, potential risks, security maintenance capacity,
channel of remedies for right owners, governing policy and laws of recipient in foreign jurisdictions. Such information shall be included in the assessment report, in order to make sure the process is in compliance with the regulations.
5. Re-execution of the Standard ContractArticle 8 of the
Draft provided that, The personal information processor shall
re-sign the Standard Contract and make a record-filing again if one
of the following circumstances occurs during the valid term of the
(1) there is any change to the purpose, scope, type, sensitivity, quantity, method, retention period, and storage location of personal information transferred overseas, or any change in the purpose and method of the overseas recipient for handling personal information, or an extension of the overseas retention period of personal information;
(2) there is any change to personal information protection policies and regulations in the country or region where the overseas recipient is located, which may affect the rights and interests in personal information; or
(3) other circumstances that may affect the rights and interests in personal information.
6. Key Points in Practice
The provision above aims to avoid failure of compliance due to the change of situation where the Standard Contract shall be re-signed and recorded.
The best practice under the Draft can be summarized as follows.
(1) The compliance check and implementation shall be a continuous process and will need to be remade according to change of related situation and status.
(2) Legal compliance division of an entity shall keep close communication with its business sections as well as foreign recipients, in order to secure the best practice.
(3) A minor change of amount of personal information may not necessarily affect the risk as a whole thus may not trigger the re-assessment
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.