Article 38 of the Personal Information Protection Law stipulates four compliance paths for the cross-border transfer of personal information, namely: (1) passing the security assessment organized by the Cyberspace Administration of China ("CAC"); (2) passing the protection certification by a specialized agency; (3) entering into a standard contract formulated by CAC; and (4) meeting other conditions set forth by laws and administrative regulations and by CAC.
On 24 February 2023, the CAC issued the Measures for Standard Contract for Cross-border Transfers of Personal Information (the "Measures"), which officially announced the implementation of the third of the "four ways" for cross-border transfer of personal information. In light of our practical experience, this article analyses the key elements of the Standard Contract for Cross-border Transfers of Personal Information (the "Standard Contract"), with the aim of assisting relevant enterprises in carrying out compliance work on cross-border data transfers.
1. CHARACTERISTICS OF THE STANDARD CONTRACT
(1) Standard Terms Recognized by the State
As the cornerstone of contract law in modern society, the principle of party autonomy is well recognized in the legislation and case law of most countries and in international treaties. In general, the majority of the commercial arrangements in a contract can be freely agreed by the parties, unless such an agreement is invalidated by mandatory rules. In contrast to freely agreed terms, there are take-it-or-leave-it contracts with non-negotiable standard terms. Standard contracts were originally drafted by one of the parties with the aim of improving transaction efficiency and providing a standardised service. Later, in order to balance the position of each party to the transaction and to protect the interests of parties with relatively less bargaining power, standard contracts came to be formulated and issued by the state. Previously, China also issued the Guidelines on the Content and Form of Specific Asset Management Contracts and the Guidelines on the Specification of Standard Clauses in Online Trading Platform Contracts, which require standard terms to be included or specified in contracts in certain areas.
The Standard Contract is by far the most stringent standard-terms contract under current PRC law. With complete and comprehensive contents, the Standard Contract requires the domestic personal information processor and the overseas recipient to strictly comply with the standard terms and conditions provided by the CAC in the execution and performance of the Standard Contract. When entering into a Standard Contract or a supplemental agreement, companies should be aware of the two prongs of the "no conflict" requirement:
- First prong: If the parties enter into additional agreements, the additional terms and conditions shall not contradict the standard terms and conditions of the Standard Contract. According to Article 6 of the Measures and the Official Q&A, only the CAC has the right to revise the standard terms and conditions of the Standard Contract. Therefore, enterprises may agree on other terms and conditions when signing a Standard Contract, but such additional terms and conditions are invalid to the extent that they conflict with the standard terms and conditions. In other words, the standard terms take precedence over any other terms agreed upon by the parties.
- Second prong: Other "legal documents" binding on the parties must not conflict with the Standard Contract. According to Article 9(1) of the Standard Contract, the Standard Contract takes precedence over any other "legal documents" signed by the parties. In other words, once the Standard Contract comes into force with the signatures of both parties, it takes precedence over any other agreement or policy between the parties.
In view of the two prongs of the "no conflict" requirement, the Standard Contract, although it takes the form of a "contract", is in substance closer to a statutory instrument than to a freely negotiated bargain, and it leaves rather limited room for the parties to negotiate freely.
(2) Administrative Record-filing
In addition to the requirements on the standard terms of the Standard Contract, the personal information processor is also obliged to file the executed Standard Contract with the provincial-level CAC offices at the place where the personal information processor resides. Such filing must be made within 10 working days after the Standard Contract comes into effect.
The Standard Contract is not the only contract subject to record filing. In the areas of patent and trademark licensing and construction projects, record filing is often an effective means of protecting the rights of both parties against third parties. However, the Standard Contract differs from such contracts because of the administrative nature of its record-filing requirement. Pursuant to the relevant provisions of the Measures and the Personal Information Protection Law, failure to comply with the record-filing obligation for the Standard Contract may result in penalties including, but not limited to, a warning, a fine, revocation of the business license, and recording of the violation in credit files; if the failure constitutes a crime, criminal liability shall be pursued in accordance with law.
In addition, it should be noted that the record-filing of a Standard Contract is not a one-off exercise. The personal information processor must re-file the Standard Contract when one or more of the following circumstances occur:
- The purpose, scope, category, sensitivity, method or storage location of the personal information transferred abroad, or the purpose or method of processing by the overseas recipient, has changed, or the retention period of the personal information held abroad is extended;
- Changes in the personal information protection policies or regulations of the country or region where the overseas recipient is located may affect personal information rights and interests;
- Other circumstances that may affect personal information rights and interests.
Considering that the above circumstances trigger another round of mandatory record filing, it is recommended that the contracting parties leave some room for flexibility in the implementation of the Standard Contract by anticipating changes that are likely to occur after the personal information has been transferred abroad. In addition, once the Standard Contract comes into force, companies should establish internal and external procedures to closely monitor the actual processing of the personal information and changes in the legal environment where the overseas recipient is located, so as to avoid the consequences of failing to re-file in a timely manner.
(3) Contract for the Third-party Beneficiary
The Standard Contract sets out rights and obligations involving three parties, namely: the obligations of the domestic personal information processor, the obligations of the overseas recipient, and the rights of and remedies available to the personal information subject. The domestic personal information processor and the overseas recipient enter into and perform the Standard Contract as the contracting parties, while the personal information subject, as a third-party beneficiary, is granted the corresponding rights through the agreement reached between the contracting parties.
In principle, under the doctrine of privity, contractual rights and obligations are negotiated between the contracting parties. A contracting party may only make a claim or file a lawsuit against the other party, and may not, at its discretion, claim against or create obligations for a third party that is not in privity with it. However, for the protection of the personal information subject, the Standard Contract directly incorporates the spirit of Article 522 of the Civil Code concerning third-party beneficiaries, granting the personal information subject the right to sue the personal information processor and the overseas recipient in his or her own capacity. In addition, the Standard Contract provides for joint and several liability, which expands the options available to the personal information subject when litigating against the personal information processor or the overseas recipient. It should be noted in particular that contractual rights and obligations are widely recognized across major jurisdictions. Therefore, in extraterritorial litigation, it is undoubtedly a better choice for the personal information subject to base claims on the Standard Contract, so that he or she can seek remedies directly against the overseas recipient.
2. SCENARIOS FOR THE APPLICATION OF THE STANDARD CONTRACT
When the Security Assessment Measures for Outbound Data Transfers were introduced in 2022, we published an interpretation article entitled "Planning before Moving, Gaining after Knowing When to Stop - How to Effectively Choose Data Cross-border Solutions for Enterprises under all Three Laws", which analyzed typical scenarios for the three paths of cross-border data transfer in order to help enterprises choose the appropriate path. Considering the provisions of the Measures, the Standard Contract is likely to be applicable in the following two scenarios:
(1) Cross-border transfer of personal information for small and medium-sized enterprises
According to the Measures, the application of the Standard Contract is premised on satisfying all four of the following conditions: (1) the personal information processor is not a critical information infrastructure operator; (2) the personal information processor processes the personal information of fewer than one million individuals in aggregate; (3) the personal information processor has cumulatively provided the personal information of fewer than 100,000 individuals abroad within two years; and (4) the personal information processor has cumulatively provided the sensitive personal information of fewer than 10,000 individuals abroad within two years. In other words, the scope of application of the Standard Contract is complementary to that of the Security Assessment Measures for Outbound Data Transfers, and enterprises may choose the Standard Contract for outbound data transfer only if they are not under a mandatory obligation to apply for a security assessment.
Considering business realities and the wide variety of personal information processors: first, the number of users held by domestic internet enterprises or large and medium-sized consumer-facing (to-C) enterprises generally exceeds one million; second, enterprises that value intellectual property rights and have a high ratio of R&D investment often control important data (e.g. automobile data) or a large amount of sensitive personal information (e.g. facial recognition data), and are therefore highly likely to fall within the scope of the Security Assessment Measures for Outbound Data Transfers; third, large defense enterprises, telecommunications companies, financial institutions and medical institutions are more likely to constitute critical information infrastructure operators given the nature and status of their industries, and are therefore excluded from the scope of the Standard Contract.
Therefore, the majority of entities eligible for the Standard Contract will be small and medium-sized enterprises, and its application will be limited to the transfer of relatively small volumes of personal information or sensitive personal information.
(2) Cross-border Investment and M&A Transactions
In cross-border investment and M&A transactions where the target company is a foreign enterprise, the majority of the personal information flows inbound, from overseas into the Chinese Mainland. Only a limited amount of personal information therefore needs to be transferred abroad, and such transfers can often be completed as a one-off. In this scenario, we recommend that domestic enterprises choose the Standard Contract as the compliance path for the cross-border transfer of personal information.
Of course, in cross-border transactions involving the two-way transfer of personal information, the buyer and the seller must each follow the data privacy laws of the jurisdictions in which they are incorporated or operate. Since the negotiation and execution of a Standard Contract adds a further hurdle to the transaction itself, negotiating a contract that is both valid and acceptable to both sides will also be a key issue in the cross-border investment and M&A scenario.
(3) Inapplicable Scenarios
In particular, the Measures state that a personal information processor may not evade the mandatory security assessment and use the Standard Contract instead for outbound data transfer by means such as volume splitting. As such, it is safe to conclude that it is unlawful for a corporate group to reduce the amount of personal information to be transferred abroad by splitting a given volume of personal information among its subsidiaries in order to avoid the security assessment. Rather than gambling on not being penalized, enterprises should genuinely and strictly assess the amount of personal information to be transferred abroad.
3. COMPLIANCE ADVICE ON THE APPLICATION OF THE STANDARD CONTRACT
The Standard Contract is much more than an ordinary contract; it covers a wide range of subject matter. From the perspective of full performance of the contract, we believe the Standard Contract sets a very high bar of obligations for the contracting parties. From the perspective of a domestic personal information processor, we suggest that enterprises take three "early" steps in order to make timely and effective use of the Standard Contract for cross-border data transfer.
(1) Clarifying Data Assets and the Number of Personal Information Subjects as Early as Possible
The Measures will come into effect on June 1, 2023 (the "Implementation Date"). Enterprises that have already conducted cross-border personal information transfer activities before the Implementation Date but have not fulfilled the obligation of signing a Standard Contract should complete the rectification within six months from the Implementation Date. In other words, the grace period for rectification under the Standard Contract will last until December 1, 2023.
In our extensive experience with security assessments for cross-border data transfers, the supervisory authorities generally require eligible enterprises to complete rectification as early as possible, so that they can file and receive the acceptance notice before the deadline. Therefore, for the record-filing of the Standard Contract, it is reasonable to assume that enterprises should allow sufficient time to confirm the appropriate path and prepare the relevant materials. We strongly advise against submitting the filing on, or shortly before, December 1, 2023.
We recommend that enterprises conduct, as soon as possible, a clear and comprehensive review of their data assets and cross-border transfer scenarios, and then determine a compliance path for the cross-border transfer of personal information.
(2) Pushing the Negotiation and Execution of the Standard Contract Forward as Early as Possible
Implementing the Standard Contract is not straightforward.
First, overseas recipients are usually foreign organizations working in their own language. At present, the State has not issued an official English translation of the Standard Contract. Given the stringent restrictions the CAC imposes on the Standard Contract's standard terms, it may take some time for the contracting parties to clarify the contract's content term by term in order to reach a consensus.
Second, the compulsory nature of the Standard Contract may affect the enterprise's ongoing or planned commercial arrangements, and the contracting parties should negotiate with foreseeable changes to those arrangements in mind.
Third, in scenarios involving the two-way cross-border transfer of personal information, the domestic personal information processor may be asked to sign an "overseas" version of standard contractual clauses (SCCs) or to cooperate with the overseas recipient in fulfilling compliance obligations under foreign law. The domestic personal information processor should carefully assess whether other documents it signs, or compliance obligations it performs, may conflict with the mandatory requirements of PRC law, including the Measures.
Finally, under the Measures, the personal information processor is required to submit a personal information protection impact assessment report when record-filing the Standard Contract. The domestic personal information processor should therefore address the impact assessment in parallel with promoting the signing of the Standard Contract.
To sum up, enterprises that choose to apply the "Standard Contract" path for cross-border data transfer should promote the negotiation and execution of the contract as soon as possible, reserving sufficient time to prepare for the execution of the Standard Contract.
(3) Deploying the Enterprises' Internal Control Measures Required for the Standard Contract as Soon as Possible
The Standard Contract is both a product of party autonomy and a requirement of regulatory compliance. Before signing a Standard Contract, enterprises should ensure that they can fulfill the obligations prescribed by the standard terms and can discharge the burden of proving that they have performed their contractual obligations. We have summarized six compliance measures that the domestic personal information processor should take:
a) fulfilling the obligation to inform
The domestic personal information processor must notify the personal information subject. Except where laws and administrative regulations provide that notification is not required, the domestic personal information processor shall inform the personal information subject of the following:
- The name of the overseas recipient, contact information, the purpose of processing personal information transferred abroad, the method of processing, the type of personal information, the retention period, and the method and procedure for exercising the rights of the personal information subject, and other matters;
- That the personal information subject is a third-party beneficiary of the Standard Contract and may exercise the rights of a third-party beneficiary pursuant to the Standard Contract;
- If the domestic personal information processor plans to provide sensitive personal information abroad, the necessity of doing so and the impact on the subject's rights and interests.
b) having a legal basis
Article 13 of the Personal Information Protection Law sets out seven legal bases for the processing of personal information. A domestic personal information processor may carry out processing activities, including cross-border transfers of personal information, only if it has a legal basis.
Where "consent" is the legal basis, the domestic personal information processor is required to obtain the separate consent of the personal information subject. "Separate consent" excludes blanket consent, general consent and one-click tick-box consent. Therefore, for processing activities subject to more stringent supervision, such as the cross-border transfer of personal information, we recommend that enterprises obtain separate consent from the personal information subject in writing and in a conspicuous format. Where the cross-border transfer involves the personal information of minors under the age of 14, the domestic personal information processor shall obtain separate consent from the minor's parents or other guardians.
Additionally, written consent shall be obtained where laws and administrative regulations so require. For example, the Administrative Regulations on the Credit Investigation Industry stipulate that credit institutions shall obtain written consent from individuals when collecting information concerning income, deposits, securities, commercial insurance, real estate and tax payment amounts; the Administrative Regulations on Human Genetic Resources of the People's Republic of China stipulate that written consent from the provider of human genetic resources shall be obtained when collecting human genetic resources within the PRC. In our understanding, the written consent of the personal information subject should likewise be obtained when personal information of the kinds mentioned above is transferred abroad.
c) prudently selecting the overseas recipient and making proper assessment records
According to the Standard Contract, the overseas recipient should have an adequate security management system, technical measures, and safeguarding capabilities, and must meet the personal information protection standards stipulated in relevant PRC laws and regulations. Therefore, the selection of a competent overseas recipient is crucial to the implementation of the Standard Contract.
In the scenario of a "passive" cross-border transfer of personal information arising from international third-party supply chains, the domestic personal information processor usually has more power in selecting a qualified hardware or software supplier, and we recommend that the processor assess in detail the relevant qualifications of the overseas recipient (the hardware or software supplier). In the scenario where the personal information processor "actively" transfers personal information abroad, the enterprise should negotiate properly with the overseas recipient, and guide and help the overseas recipient to establish a security management system and improve its technical security capabilities so as to meet the requirements of the Standard Contract.
Specifically, the domestic personal information processor can assess the overseas recipient from the following aspects:
- Whether technical measures such as encryption, anonymization and de-identification are adopted;
- Whether mechanisms are in place for regular checks to ensure the security of the personal information transferred abroad;
- Whether a confidentiality obligation is imposed, in any form, on the personnel of the overseas recipient who are authorized to process personal information;
- Whether access rights are granted on a least-privilege basis;
- Whether the overseas recipient has relevant prior experience in the cross-border transfer and processing of personal information;
- Whether there have been personal information security incidents and whether they were handled promptly and effectively;
- Whether the overseas recipient has received requests for personal information from public authorities in the country or region where it is located, and how it has responded to such requests.
d) assessing the impact of the legal environment of the country/region where the overseas recipient is located on the performance of the contract
Assessing the legal environment of the country or region where the overseas recipient is located is an integral requirement of the Standard Contract, reflected in the following provisions:
- The personal information processor has the right to terminate the contract immediately if the overseas recipient's compliance with the Standard Contract would violate the laws and regulations of the country or region where it is located;
- The personal information processor has the right to suspend the cross-border transfer until the breach is rectified or the Standard Contract is terminated, if a change in the legal environment where the overseas recipient is located makes it impossible for the recipient to perform the contract.
Therefore, a comprehensive and proactive assessment of the legal environment where the overseas recipient is located prior to the signing of the Standard Contract is essential for the full and continuous performance of the Standard Contract. The domestic personal information processor should consider the following elements in the assessment:
- The laws, regulations and generally applicable standards on personal information protection currently in force in the country or region where the overseas recipient is located, including any requirements to provide personal information to, or rules authorizing access to personal information by, public authorities;
- The regional or global organizations concerned with personal information protection of which the overseas recipient's country or region is a member, and the binding international commitments it has made;
- The mechanisms for promoting personal information protection in the country or region where the overseas recipient is located, such as the existence of supervisory and enforcement bodies and relevant judicial bodies.
In addition to the above three elements, we recommend that the domestic personal information processor also refer to prior cases or enforcement records to determine whether there is a significant likelihood that an overseas judicial or regulatory body would treat a contract governed by Chinese law as invalid.
e) establishing a mechanism for the personal information subject to exercise his or her rights
Prior to signing the Standard Contract, the domestic personal information processor should establish effective mechanisms for the personal information subject to enforce his or her rights. This specifically includes the following aspects:
- Ensuring the personal information subject's rights to be informed, to make decisions, to restrict or refuse the processing of his or her personal information by others, and to access, copy, correct, supplement and delete his or her personal information;
- Explaining to the personal information subject the rules under which both contracting parties process personal information;
- Establishing effective communication channels with the overseas recipient regarding the exercise of the personal information subject's rights. When the personal information subject exercises his or her rights directly against the overseas recipient, or when the domestic personal information processor is unable to comply with the subject's request on its own, the processor can notify the overseas recipient and request its assistance.
f) completing the impact assessment on personal information protection
According to the provisions of the Measures, the record-filing materials of a Standard Contract include the assessment report on the impacts on personal information protection, and the personal information processor is responsible for the authenticity of the filed materials.
Summarizing the key requirements of the Measures on the personal information protection impact assessment, it is not difficult to see that they are similar in nature to the obligations imposed on the parties by the Standard Contract. Therefore, the process by which the domestic personal information processor negotiates and promotes the signing of the contract and deploys internal compliance controls is, in essence, the process of conducting the personal information protection impact assessment for its cross-border processing activities.
To provide a true, complete and accurate impact assessment report in time, enterprises whose business involves the cross-border transfer of personal information should promptly conduct due diligence and compliance analysis of the entire cross-border processing flow and complete the relevant rectification work.
With the promulgation of the Provisions on the Procedures for Administrative Law Enforcement by the Cyberspace Administration Authority of Various Levels and other regulations, 2023 has become the "first year of law enforcement". The administrative enforcement procedures under which the CAC acts as the principal enforcement body will be implemented, and the CAC will strengthen administrative enforcement against unlawful data activities. In the official versions of the Measures and the Standard Contract, the penalties for non-compliance were amended by replacing the "prohibition of cross-border activities" in the draft for public comments with "regulatory interview or rectification". Nevertheless, we believe that this amendment was made only to comply with the legislative rules of the Administrative Penalty Law, and is not a "mitigation" of the consequences of the relevant violations.
The official promulgation of the Measures and the Standard Contract means that no pieces are missing from the regulatory framework governing cross-border transfers of personal information. Enterprises with different cross-border volumes should follow the applicable compliance path to fulfill their declaration or record-filing obligations. Enterprises with cross-border data transfer needs or scenarios should not leave an "Achilles' heel" in their data compliance through failure or delay in rectification.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.