On June 30, 2022, the Cyberspace Administration of China (the "CAC") issued the Provisions on the Standard Contract for the Export of Personal Information (Draft for Comment) (the "Draft Provisions") and the Draft Standard Contract for the Export of Personal Information (the "Standard Contract"). The Draft Provisions are composed of 13 articles and clarify the Standard Contract's application scope, conditions of application, main contents, etc., aiming to specify the requirements for transferring personal information cross-border by signing standard contracts formulated by CAC authorities under Article 38.3 of the Personal Information Protection Law ("PIPL"). Notably, the Draft Provisions require personal information handlers to conduct filing procedures with the provincial-level CAC within 10 working days from the effective date of the Standard Contract. Although the filing does not affect the effectiveness of the contract and the export of personal information, the requirement provides the regulatory authorities with useful tools to supervise the export of personal information.
The Standard Contract includes 9 articles and 2 appendixes, focusing on the obligations of personal information handlers, the obligations of the overseas recipients, the rights of personal information subjects, the impact of personal information protection policies and regulations in overseas countries or regions on compliance with the contract terms, remedy measures, contract termination, liability for breach of the contract, governing law and dispute resolution.
We will briefly summarize the main contents of the Draft Provisions and the Standard Contract, and provide practical suggestions for companies to use and implement the Standard Contract in practice.
Application scope of the standard contract
- Circumstances where personal information may be transferred cross-border under the Standard Contract
Article 4 of the Draft Provisions specifies all four conditions that a personal information handler is required to satisfy when providing personal information cross-border by entering into the Standard Contract, including:
- Not classified as a critical information infrastructure operator (the "CIIO");
- Processes personal information of less than one million individuals;
- The cumulative amount of personal information provided cross-border has not reached 100,000 individuals since January 1 of the previous year;
- The cumulative amount of sensitive personal information provided cross-border has not reached 10,000 individuals since January 1 of the previous year.
The above four conditions exclude the circumstances where personal information handlers are required to apply to the CAC for a data export security assessment under the PIPL and the Measures on Security Assessment of Data Export, which are expected to be formally issued soon. However, this does not mean that personal information handlers do not need to sign the Standard Contract when applying for a data export security assessment, rather that they may not transfer personal information cross-border solely by executing the Standard Contract. In other words, personal information handlers will need to apply to the CAC for a security assessment in addition to executing the Standard Contract.
It should be noted that the quantity standards specified in items 2, 3 and 4 above are consistent with the Measures for Security Assessment of Data Export (Draft for Comments) ("Draft Assessment Measures") issued in 2021 and are likely to be adopted in the subsequent finalized version. In addition, items 3 and 4 above clarify the time span for the "cumulative quantity", which is a point of general concern to personal information handlers, and specify that the quantity of personal information or sensitive personal information provided cross-border will be calculated from January 1st of the previous year. We take the view that setting 1-2 years as the cumulative period for the quantity of personal information is, to a certain extent, beneficial for companies handling a small scale of personal information, since it allows them to use the Standard Contract, which is a relatively convenient method, to transfer personal information cross-border.
- The Standard Contract does not appear applicable to overseas entities that directly collect personal information from domestic individuals
The circumstance where overseas entities directly collect personal information from domestic individuals is not similar to the circumstance where domestic personal information handlers provide personal information to overseas recipients, and may not be deemed the "export of personal information" under Article 38 of the PIPL and the Draft Provisions. Therefore, it seems that overseas entities may not rely on the Standard Contract when they directly collect personal information from domestic individuals. However, if the overseas entity is subject to Article 3.2 of the PIPL, its collection and processing of personal information of domestic individuals will still constitute the "export of personal information", and its specialized agencies or designated representatives in China may apply for certification in accordance with the Practice Guidelines for Cybersecurity Standards - Technical Specifications for the Certification of Personal Information Cross-border Processing, and assume relevant responsibilities.