Eight months after the implementation of the Personal Information Protection Law of the People's Republic of China ("PIPL"), on June 30, 2022, the Cyberspace Administration of China ("CAC") issued the draft of the long-expected standard contract for cross-border transfer of personal information ("PI"), together with the draft Provisions on Standard Contract for Cross-border Transfer of Personal Information ("Draft Provisions"), to solicit public comments.
According to the PIPL, when transferring PI outside of China, one of the four conditions shall be met: (1) passing the security assessment; (2) obtaining the PI protection certificate; (3) signing the standard contract; or (4) satisfying other conditions prescribed by laws and regulations. Regardless of the catch-all clause, the release of the standard contract unveils the final piece of puzzle of China's international PI transfer regime, as the draft measures for security assessment has been published on October 29, 2021, and the draft guidance for PI protection certification has just been issued on June 24, 2022.
This alert will introduce the draft standard contract as well as the relevant provisions on the application and implementation of the contract, from a practical perspective for reference by enterprises, especially multinationals, with needs for international PI transfer.
I. Application Scope
According to the Draft Provisions, a PI handler (basically equivalent to data controller under the GDPR) could provide PI outside of China by entering into the standard contract with the overseas recipient, provided that all of the following conditions are met:
- the PI handler is NOT a critical information infrastructure operator;
- the PI handler has processed PI of LESS THAN 1 million people;
- the PI handler has NOT provided abroad PI of MORE THAN 100,000 people accumulatively since January 1st of last year; and
- the PI handler has NOT provided abroad sensitive PI of MORE THAN 10,000 people accumulatively since January 1st of last year.
Such application scope corresponds to that of the security assessment stipulated under the draft measures for security assessment. That means, if any of the above conditions is not satisfied, the mandatory assessment will be triggered.
It should be noted that PI protection certification is mainly applicable to intra-group cross-border data transfer (and processing of PI by overseas entities caught by the extraterritorial reach of the PIPL), but intra-group transfer can also be carried out by means of a signed standard contract. However, in absence of further clarification, it is unclear whether the PI protection certification can replace the security assessment for intra-group transfer of PI reaching certain threshold, since the draft measures for security assessment just provide that if any of the above conditions is not satisfied, the security assessment will be legally required.
II. Pre-step: Conducting PIPIA
Echoing to Article 55 and 56 of the PIPL, the Draft Provisions specifies the factors to be assessed in the personal information protection impact assessment ("PIPIA", which is similar to DPIA under the GDPR), which shall be conducted before transferring PI abroad:
- the legality, legitimacy and necessity of the purpose, scope and method of the PI processing by the PI handler and the overseas recipient;
- the quantity, scope, category, and sensitivity of the PI to be exported, and the risks that PI export may bring to the PI related rights and interests;
- the responsibilities and obligations that the overseas recipient commits to undertake, and whether its management and technical measures and capabilities for fulfilling the responsibilities and obligations can ensure the security of the PI to be exported;
- the risks of leakage, damage, tampering and abuse, etc. after the cross-border transfer, and whether the channels for individuals to maintain their PI related rights and interests are smooth;
- the impact of the PI protection policies and regulations of the country or region where the overseas recipient is located on the performance of the standard contract; and
- other matters that may affect the security of PI going abroad.
III. Filing System
China proposes to adopt a filing system for standard contract as prescribed in the Draft Provisions, that is, the PI handler (provider) should file with the local provincial-level cyberspace administration within 10 working days from the date the standard contract takes effect, submitting the standard contract signed and the PIPIA report.
But notably, filing is not a prerequisite for the export of PI, as it could be carried out after the standard contract takes effect.
IV. Legal Liability
Pursuant to the Draft Provisions, where any of the following circumstances happens, the local provincial-level cyberspace administration shall, in accordance with the PIPL, give the order to rectify within a time limit; or order to suspend the cross-border transfer of PI and impose penalties if the PI handler or the overseas recipient refuses to rectify or a harm to PI related rights and interests is caused; or pursue the criminal liabilities, if a crime is constituted:
- failing to perform the filing procedure or submitting false materials for filing;
- failing to fulfill the responsibilities and obligations stipulated in the standard contract, and infringing upon the PI related rights and interests and causing damage; or
- other circumstances affecting the PI related rights and interests occur.
V. Standard Contract Terms
The draft standard contract mainly includes the following contents:
- the basic information of the PI handler and the overseas recipient, such as name and contact;
- the purpose, scope, type, sensitivity, quantity, method, retention period, storage location, etc. of the PI going abroad;
- the responsibilities and obligations of the PI handler and the overseas recipient to protect PI, as well as the technical and management measures taken to prevent security risks that may arise from the export of PI;
- the impact of the PI protection policies and regulations of the country or region where the overseas recipient is located on compliance with the terms of the standard contract;
- the rights of PI subjects, and the ways and means to protect such rights;
- other terms such as remedy, termination, liability and dispute resolution.
In general, the standard contract has a large degree of similarity with the EU SCCs in terms of substantive responsibilities and obligations, including without limitation, principles such as purpose limitation, transparency, minimization, security, storage limitation, etc.; documentation and audit; protection of data subjects' rights.
However, unlike the EU SCCs, which have four modules based on the roles of data provider and recipient, the draft standard contract adopts a one-stop structure. This does not mean that the standard contract ignores the issue at all, since in the specific terms, the obligations of "entrusted party" (which is akin to data processor under the GDPR) are mentioned separately. For example, the consent of the PI handler shall be obtained when the entrusted party re-entrusts a third party (i.e. sub-processor) to process PI; the entrusted party shall provide the PI handler with an audit report after deleting or anonymizing the PI when the entrustment relationship ends; and the obligations of report (to authority) and notification (to PI subjects) shall be borne by the PI handler, rather than the entrusted party, when security incidents like data breach occur.
VI. Looking Forward
Along with the release of the draft standard contract, China's cross-border PI transfer regime is becoming clear, though the relevant documents are still in the process of drafting.
Compared with the security assessment and the PI protection certification that require the substantive intervention of third party (competent authority or certification agency), standard contract is probably the most widely adopted approach for international PI transfer as a relatively easy way, though the filing procedure is necessary to follow. As such, it is recommended for enterprises, especially multinationals, with needs for international PI transfer to pay close attention to the draft standard contract, and also, comments could be submitted to the CAC, if any, before July 29, 2022, the closing date of public consultation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.