- The Measures on Standard Contract for Overseas Transfer of Personal Information have now been issued in their final form.
- The Measures govern the terms of the standard form contract which can be put in place when transferring personal information data out of China.
- Companies using the standard contract may face some issues, including pushback from overseas recipients who may be reluctant or cautious about accepting the jurisdiction of the Chinese authorities.
- There are also potential conflicts of laws issues.
- Guidance is expected in due course, and it is hoped that this will help clarify certain grey areas and allow companies to use the standard contract with greater confidence.
On February 24, 2023, China's cyber watchdog, the Cyberspace Administration of China (CAC), released the final version of the Measures on Standard Contract for Overseas Transfer of Personal Information (the “Measures”), together with a template of the Standard Contract for Overseas Transfer of Personal Information (the “Standard Contract”). The Measures are set to become effective on June 1, 2023, and personal information (PI) handlers have been given a 6-month grace period starting from the effective date to retrospectively rectify any previous overseas transfer of personal information that is not compliant with the Measures.
There are no substantial changes with respect to the requirements of the Measures and the structure and clauses of the Standard Contract, as compared to the draft version of the Measures which was published on June 30, 2022. However, the final version of the Measures emphasizes two requirements:
- the PI handlers must not use the signing of a Standard Contract to circumvent their obligation to declare for CAC-led security assessment for overseas transfer of PI, for example by splitting up the volume of transferred PI;
- the PI handlers must sign the Standard Contract with overseas recipients strictly in accordance with the template, and the parties cannot enter into additional clauses which may conflict with the Standard Contract.
Compared with two other legitimate mechanisms for overseas transfer of PI under Article 38 of the Personal Information Protection Law (PIPL), i.e., passing the CAC-led security assessment and being certified by a qualified professional firm, signing a Standard Contract is deemed to be the most efficient and widely used mechanism which can be relied on by a company that has business needs to transfer PI out of China. This is provided that the company meets four prerequisites set out by the Measures:
- it is not identified as a critical information infrastructure operator;
- it processes PI of less than 1 million individuals;
- it has transferred the PI of less than 100,000 individuals on a cumulative basis since January 1 of the previous year; and
- it has transferred the sensitive PI of less than 10,000 individuals on a cumulative basis since January 1 of the previous year.
However, it must be acknowledged that, when relying on signing a Standard Contract as a legitimate basis to transfer PI out of China, companies still face several challenges:
(1) The Standard Contract can only be used by PI handlers to transfer PI overseas.
In contrast to its EU equivalent, the Standard Contractual Clauses (2021 version), which provide four modules to cover different scenarios of cross-border transfer of personal data between different data exporters and importers, the Standard Contract can only be used by a PI handler (defined by the Measures as an organization or individual that independently determines the processing purposes and processing methods in the PI processing activities) as the data exporter. The final version of the Measures and the Standard Contract adopts the same approach used by Article 38 of PIPL: an entrusted party (i.e. a party entrusted by PI handlers to process PI, similar to the concept of a data processor under the GDPR) in China is not included within the scope of an exporter that may rely on the Standard Contract to transfer PI out of China. In practice, when a China-based entrusted party needs to transfer PI out of China and the other two mechanisms are not applicable, it is unclear what legal basis it may rely on. This is expected to be clarified by the CAC in the future.
(2) Overseas recipients may have concerns over accepting the jurisdiction of Chinese regulatory authorities.
Under the Standard Contract, the overseas recipients of PI agree to accept supervision and management by Chinese authorities in the procedures related to regulating the implementation of the contract. Such obligations include responding to the authority's inquiries, cooperating with the authority's inspections, complying with measures or decisions taken by the authorities, and providing written evidence that the necessary actions have been taken.
At this stage, it is unclear how Chinese authorities, such as the CAC, will exercise their extraterritorial jurisdiction over the overseas recipients of PI, and in particular how inspection rights can be effectively exercised over the overseas processing of the transferred PI. Due to the current complicated geopolitical environment, international businesses have concerns about supervision by Chinese authorities, and such concerns could be an obstacle for overseas recipients to agree to sign the Standard Contract, despite the fact that they may have agreed to submit to similar extraterritorial jurisdiction as imposed by the EU Standard Contractual Clauses.
If the CAC can provide a clear and detailed explanation on how it regulates the overseas recipients of the Standard Contract, similar to the transparency the European Data Protection Board has displayed, it may be easier for China-based PI handlers to persuade their overseas recipients to accept the Standard Contract.
(3) Overseas recipients' compliance with the Standard Contract may potentially conflict with their obligations under local laws.
Considering that the overseas recipients of PI may be in different countries and regions around the world, it is inevitable that their performance of the obligations under the Standard Contract may conflict with their domestic obligations under local laws. For example, Article 4.6 of the Standard Contract requires the overseas recipient to notify the PI handler immediately if it receives requests from the local administrative or judicial authorities to provide the PI it has received under the Standard Contract; however, such notification may be prohibited by local laws or applicable court orders. In that case, the overseas recipient will find itself in a dilemma: it must either violate the local laws or breach the Standard Contract. As the Standard Contract gives PI handlers broad rights to suspend the transfer and rescind the Standard Contract, if such conflicts of legal obligations cannot be resolved properly, the cross-border transfer of PI relying on the Standard Contract could be easily interrupted and the businesses of both the PI handlers and the overseas recipients may be impacted.
There are only three months left before the Measures and the Standard Contract become effective. Companies intending to rely on the Standard Contract as the legal basis to transfer PI out of China must take action immediately. The following steps should be followed in order to prepare for the implementation of the Measures:
(1) Sorting out the cross-border PI transfer activities and determining whether the Standard Contract may be used as a legal basis.
It is still recommended to check all the cross-border transfers of PI involved in your business operations and to assess the necessity of each transfer (if you have never done this work before). You should always limit the overseas transfer of PI to the extent such transfer is critical and a “must have” for fulfilling the specific business needs. A data mapping chart would be helpful when the transfer activities are being sorted out.
Then, a preliminary assessment should be carried out on whether the concerned transfers fall into the scenarios where a declaration for CAC-led security assessment is needed. After confirming that the declaration for CAC-led security assessment is not needed, you may choose the certification mechanism or the Standard Contract as the legal basis of overseas transfer, based on your relationship with the overseas recipients. Since the certification mechanism is only applicable for cross-border transfer of PI between or among the affiliated enterprises or entities within the same business group, the Standard Contract is the only option when you transfer PI to an overseas recipient which has no affiliation relationship with your company.
(2) Conducting the PI Protection Impact Assessment on your overseas transfer of PI.
No matter what legal basis you rely on to transfer PI out of China, according to Article 55 of PIPL, you must conduct PI Protection Impact Assessment (PIA) prior to implementing the transfer. The Measures set out the key factors to be examined during the PIA, and require that the PIA report should be filed with the cyber administrations at provincial levels.
When conducting the PIA for overseas transfer of PI, the most challenging part will likely be assessing the impact of the policies and regulations on the protection of PI in the country or region of the overseas recipient on the performance of the Standard Contract, which is also an obligation of both the PI handler and the overseas recipient set out by Article 4 of the Standard Contract. Such assessment relies heavily on the cooperation and support of the overseas recipient. It may be difficult for PI handlers to obtain relevant information in certain countries due to reasons such as lack of transparency, language limitations, etc. In addition, when the overseas recipient is from a country/region where the laws and policies on protection of PI are underdeveloped, careful analysis needs to be made to assess their impact on the overseas recipient's performance of the Standard Contract. On the contrary, if the overseas recipient comes from a country or region where data protection laws are well established (such as an EU member state, the UK or Japan), there will be sufficient materials, statistics and reports which can be used to complete the assessment.
The PIA can be conducted in accordance with the national standard Guidance for Personal Information Security Impact Assessment (GB/T 39335-2020), which provides clear guidance on the procedures and methodologies by which the PIA should be conducted.
It is also worth noting that the key focus of the PIA is different from the risk self-assessment required for declaration for CAC-led security assessment for overseas transfer of data. In the risk self-assessment, the data handlers are required to assess their capabilities and the compliance status of the entirety of their data processing activities and the overseas transfers, and the potential national security and public interest risks posed by the overseas transfer. However, the core value of the PIA is to determine whether the PI subjects' rights and interests would be adversely impacted by the overseas transfers and how such impact can be effectively controlled and mitigated. Therefore, the scope of the PIA is comparatively narrower than that of the risk self-assessment, and the PIA report will be shorter than the risk self-assessment report.
If your PIA result confirms that the planned overseas transfer of PI will not adversely impact the PI subjects' rights or interests or such impact can be properly controlled or mitigated, you may proceed to sign the Standard Contract with the overseas recipient. However, if the PIA result shows an impact on the PI subjects' rights and interests, then corresponding rectification and security measures must be taken, before proceeding with the contract, until any such impacts are satisfactorily mitigated or controlled.
(3) Signing the Standard Contract and filing with cyber administrations.
When signing the Standard Contract, it is suggested that:
- A bilingual version of the Standard Contract should be signed, using Chinese and the official language of the country/region where the overseas recipient resides, and it should be clearly provided that the Chinese version will prevail if there are any conflicts.
- You and the overseas recipient should carefully negotiate and forecast the potential needs of the overseas transfer of PI and provide a comparatively general and broad scope of the transfer purposes and processing activities in annex 1 to the Standard Contract, to cover as many scenarios as possible. By doing so, you can set a comparatively long term for the Standard Contract (which is not mandated by the Measures or the template Standard Contract) and it will not be necessary to frequently repeat the signing and filing process when implementing the overseas transfer of PI during the term of your agreement.
It should also be noted that you only have 10 working days to submit the signed Standard Contract and the corresponding PIA report for filing with the cyber administrations at the provincial level after the Standard Contract becomes effective. You should ensure the PIA report is properly prepared before the Standard Contract takes effect.
It is expected that, in due course, the cyber administrations at provincial level will formulate and publish detailed guidance on the filing procedure, as has been done for the declaration for CAC-led security assessment procedure.
(4) Monitoring the overseas transfers of PI following the filing.
After the filing process, there are still follow-up actions you should take to ensure the transfers under the Standard Contract are compliant with the Measures and the PIPL:
- You should continuously monitor your transfer of PI out of China to ensure such transfers remain well covered by the scope provided by the Standard Contract. For example, you should keep records of the volume of the PI you have transferred and be cautious as to whether your continuous transfer will reach the thresholds triggering the obligations to declare for CAC-led security assessment.
- You should also regularly check the status of your overseas recipient's performance of its obligations under the Standard Contract, in particular whether it has taken sufficient measures to respond to and support the PI subjects' exercise of their PI rights.
- It would be better that you and your overseas recipient implement a working plan to review any changes in law and policies of the destination country/region regarding the PI protection. This will ensure that you can take prompt actions if such changes are likely to impact the overseas recipient's performance of the Standard Contract.
- It is also recommended that you keep written records of those follow-up actions you have taken; these documents can be used as evidence proving your compliance with the Measures and the PIPL should there be any regulatory investigation or examination.
Notes
1 https://www.chinalawandpractice.com/2023/03/03/exploring-the-final-version-of-chinas-standard-contract-for-overseas-transfer-of-personal-information/.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.