On 30 May 2023, the Cyberspace Administration of China (CAC) issued the first edition of guidance on filing for the standard contract for outbound cross-border transfer of personal information (Standard Contract). On 1 June 2023, the Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Information (Measures) will come into force, introducing the Standard Contract as one of the permitted mechanisms for transferring personal information outside of China (please refer to our previous bulletin China officially releases standard contract for cross-border transfer of personal data for details of the Standard Contact mechanism). The Measures require the Standard Contract to be filed with the CAC and the new guidance facilitates the implementation of these filing requirements.
The key points to note in the guidance include the following:
- The personal information processor (being the organisation or individual that independently decides the purpose and means of the personal information processing activities and transfers the personal information outside the territory of China) is required to file the executed Standard Contract within 10 business days of the effective date of the Standard Contract.
- The filing should be made with the provincial CAC in the place where the personal information processor is located by delivering the required written documents together with electronic copies. The required documents include an authorisation letter which gives the necessary authorisations to the person handling the filing. This suggests that the filing needs to be made in person.
- The following documents must be submitted along with the Standard Contract (original):
- Unified credit code certificate (photocopy);
- ID of legal representative (photocopy);
- ID of authorised person handling the filing (photocopy);
- Authorisation letter authorising the person handling the filing (original);
- Undertaking letter (original); and
- Personal information protection impact assessment (DPIA) report (original).
Template forms of the authorisation letter, undertaking letter and DPIA report are included in the guidance.
- The local CAC has 15 business days to review the filing and notify the personal information processor whether it has passed. If supplemental documents are required, the personal information processor is required to submit these within 10 business days. The guidance does not set out any details as to the extent of the local CAC’s examination and whether this will be to check the formalities only or a more substantive review. In addition, it is not clear whether a personal information processor can make a re-filing in respect of the same cross-border transfer scenario where it has not passed the initial filing, or whether it would be required to terminate the Standard Contract and cease the cross-border transfer of personal information. According to the Measures, the filing is not a pre-condition to the Standard Contract becoming effective and so personal information can be transferred outside of China upon the Standard Contract taking effect according to its terms.
- In certain circumstances, the personal information processor is required to conduct a new DPIA, supplement its existing Standard Contract (or execute a new one), and re-comply with the filing obligations with the CAC. The guidance reemphasises these requirements but does not set out the timeframe for making the re-filing. We assume that this would follow the same timeframe as the initial filing, namely within 10 business days of the re-filing obligation arising.
- The template authorisation letter specifies that authority is given to a person from the personal information processor which suggests that only employees of the personal information processor can be authorised to handle the filing on behalf of the personal information processor.
- The undertaking letter requires that the DPIA is completed no earlier than three months prior to the date of filing. This goes beyond the existing requirements in both the template Standard Contract and the Measures. It is also not clear whether the 3-month period relates to the date of submitting the filing or the date of the local CAC’s decision.
- The main content of the template DPIA report set out in the guidance is similar to that in the template for the self-assessment report on the risk of outbound data transfer required for the CAC’s mandatory security assessment mechanism. However, the DPIA report template omits the section on the assessment of the legal document executed given the Standard Contract will be signed between the personal information processor and the relevant overseas recipient.
As discussed above, there are a number of practical issues that still need to be clarified. It is expected that the provincial CACs will issue their own respective guidance to facilitate the filing process, as was the case with the mandatory security assessment mechanism. However, the guidance issued by the provincial CACs may not provide substantial additional information. Personal information processors may, eventually, need to consult the local CAC on a case-by-case basis, as is done for the mandatory security assessment.