In February 2023, the Cyberspace Administration of China (CAC) officially released its long-awaited, final version of the Standard Contract for the outbound cross-border transfer of personal data. This is one of three permitted mechanisms for transferring personal data outside of China and is expected to be the most frequently used. The Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Data (Measures) and the final version of the Standard Contract (Standard Contract) will come into force on 1 June 2023. Their contents remain largely consistent with the June 2022 consultation drafts, but with some important variations.
When can the Standard Contract be used?
A data controller can adopt the Standard Contract for the cross-border transfer of personal data if the following criteria are met:
(i) it is not a critical information infrastructure operator;
(ii) it processes the personal data of less than one million individuals;
(iii) since 1 January of the previous year, personal data of less than 100,000 individuals in aggregate has been provided to overseas recipients; and
(iv) since January 1 of the previous year, sensitive personal data of less than 10,000 individuals in aggregate has been provided to overseas recipients.
These criteria complement CAC's mandatory security assessment regime (as regulated by the CAC security assessment measures; please see New guidance on the CAC security assessment for cross-border data transfer), which applies to the cross-border transfer of personal data exceeding these limits [1].
Interestingly, the Measures suggest that only data transferors which are data controllers can adopt the Standard Contract for the cross-border transfer of personal data. Further clarification is still needed as to whether a data processor acting as a data transferor will also be able to rely on the Standard Contract route.
Another notable feature of the Measures is that the adoption of the Standard Contract must be (i) accompanied by a personal data protection impact assessment (DPIA), and that (ii) the Standard Contract and DPIA report must be filed with CAC within 10 working days upon execution of the Standard Contract.
Compared to the consultation draft, the Measures contain an additional provision which restricts a data controller from dividing personal data into smaller quantities or adopting other means to enable the data controller to meet the criteria for the Standard Contract route. This shows the authority's intention to block any attempts to circumvent the CAC mandatory security assessment regime.
DPIA considerations
The Personal Information Protection Law (PIPL) requires data controllers to conduct a DPIA before transferring personal data outside of China. The Measures supplement the law by setting out the details that need to be considered in a DPIA [2] under the Standard Contract route.
Filing with CAC within 10 business days
Within 10 working days from its effective date, a copy of the signed Standard Contract, together with the DPIA report, must be filed with the local CAC in the place where the data controller is located. However, the filing is not a pre-condition to the Standard Contract becoming effective, and personal data can be transferred outside of China upon the Standard Contract taking effect according to its terms.
Circumstances requiring a supplement or new contract
The data controller is required to conduct a new DPIA and supplement its existing Standard Contract or execute a new one, as well as re-comply with the record filing obligations with CAC, if any of the following circumstances occurs:
(i) there is any change in the purpose, scope, type, sensitivity, quantity, means, retention period or storage location of the personal data transferred overseas, or any change in the purpose and means of the personal data processing of the overseas recipient, or an extension of the overseas retention period of the personal data;
(ii) there is any change in personal data protection policies and regulations in the country or region where the overseas recipient is located, which may affect personal data rights and interests; or
(iii) other circumstances that may affect personal data rights and interests.
Compared to the consultation draft, the Measures clarify that a new DPIA will be required in the above circumstances.
Adopting the Standard Contract
The Measures provide that the Standard Contract shall strictly follow the form of the template Standard Contract. A data controller is able to agree additional clauses with an overseas recipient provided that the new clauses do not contradict the Standard Contract template.
It will be interesting to see how, in practice, the Standard Contract interacts and integrates with existing commercial agreements between data controllers and overseas recipients. The Standard Contract essentially extends the jurisdiction of the PIPL to overseas recipients through contract. However, the overseas recipients will be subject to the laws of their home jurisdictions (including but not limited to data protection laws), and there may be conflicts between those laws and the PIPL. We expect that this will result in a lot of back-and-forth communication between the parties before a Standard Contract can be signed.
Grace period under the Measures
Cross-border transfer activities which do not comply with the Measures when they come into effect will have a grace period of 6 months to bring such activities into compliance.
Any non-compliant cross-border transfer of personal data in place before 1 June 2023 will be required to ensure compliance with the Measures by 30 November 2023. Any new arrangements set up after 1 June 2023 will be required to comply with the Measures before the transfer, or comply with one of the other mechanisms (ie certification or CAC security assessment).
However, it should be noted that the cross-border transfer of personal data is not necessarily a one-off activity and can be a continuous process. It is not clear whether any arrangement for the continuous transfer of personal data commenced before, but continuing after, 1 June 2023 will be able to benefit from the grace period.
Our observations
Given that the Standard Contract route is the least complicated mechanism with the lowest cost of compliance compared to the other mechanisms (ie undertaking a security assessment or obtaining certification), it is expected to be the most commonly adopted mechanism for cross-border transfer of personal data from China. However, there are still a number of areas that require clarification.
Further clarification is needed as to whether a cross-border transfer of personal data between a domestic data processor and an overseas data controller or data processor can rely on the Standard Contract route.
Another area of uncertainty is the extent to which commercially sensitive information (or even trade secrets) included in the Standard Contract or a DPIA report can be withheld from the record filing with the local CAC. According to the template Standard Contract, confidential information can be withheld or redacted when providing a copy of the Standard Contract to the relevant data subjects. However, the Measures do not specify whether such information can be withheld or redacted from the copies to be filed with the authorities. The Measures provide that staff of the competent authorities have a confidentiality obligation in relation to confidential information obtained during the performance of their duties, which seems to suggest that there may not be any ground to withhold confidential information from the authorities for the purpose of record filing.
[1] For an outbound data transfer by a data controller that falls under any of the following circumstances, the data controller is required to apply to CAC for a mandatory security assessment:
1. outbound transfer of important data;
2. outbound transfer of personal data by a critical information infrastructure operator or a data controller who has processed the personal data of more than 1,000,000 people;
3. outbound transfer of personal data by a data controller who has made outbound transfers of the personal data of 100,000 people cumulatively or the sensitive personal data of 10,000 people cumulatively since 1 January of the previous year; or
4. other circumstances where an application for the security assessment of an outbound data transfer is required as prescribed by CAC.
[2] The DPIA must focus on the following matters:
1. the legality, legitimacy, and necessity of the purpose, scope, and means of the personal data processing by the data controller and the overseas recipient;
2. the quantity, scope, type, and sensitivity of personal data to be transferred overseas, and the risk that the outbound cross-border transfer may pose to personal data rights and interests;
3. the responsibilities and obligations that the overseas recipient undertakes to assume, and whether the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations are sufficient to ensure the security of personal data to be transferred;
4. the risk of the personal data being tampered with, sabotaged, disclosed, lost, or misused after it is transferred overseas, and whether there is a smooth channel for individuals to protect their personal data rights and interests;
5. the impact of personal data protection policies and regulations in the country or region where the overseas recipient is located on the performance of the standard contract; and
6. other matters that may affect the security of personal data to be transferred overseas.
For further information, please contact:
Nanda Lau, Herbert Smith Freehills
nanda.lau@hsf.com