On May 30, 2023, the Cyberspace Administration of China (“CAC”) released the Guidelines for the Filing of Standard Contract for Outbound Transfer of Personal Information (First Edition) (“Filing Guidelines”), immediately before the Measures for Standard Contract for Outbound Transfer of Personal Information (“Standard Contract Measures”) took effect on June 1, 2023. The Filing Guidelines provides a detailed explanation on the scope, filing methods and filing procedures for the Standard Contract for the Outbound Transfer of Personal Information (“Standard Contract”) and also provides contact information for consultation, as well as the templates for relevant filing documents.
This alert will discuss the key documents required and issues involved in the filing of the Standard Contract in conjunction with the Standard Contract Measures and the Personal Information Protection Law.
1. Personal Information Protection Impact Assessment Report
The most important document required for filing, in addition to the Standard Contract, is the Personal Information Protection Impact Assessment Report (“Assessment Report”). Personal information processors need to prepare the Assessment Report based on the document templates and the actual situation of their companies.
The Assessment Report shall consist of the following four parts:
(1) Brief introduction of the assessment work. The companies needs to provide a basic overview of the assessment work, including the start and end time, organization of the assessment work, implementation process, methods used and the involvement of the third-party, etc.
(2) Overview of the outbound transfer activities. In this section, the companies are required to provide detailed information on the personal information processors, the business and information systems involved in the outbound transfer of personal information, the personal information intended for outbound transfer, the personal information protection capabilities of the processors, the situations of the overseas recipients, whether the personal information is provided to any third parties and how to ensure the implementation of the Standard Contract terms, etc.
(3) Assessment of the impact of the proposed outbound transfer activities. In this section, companies are required to provide item-by-item explanations on the various matters listed in the template of Assessment Report to evaluate the legality, legitimacy and necessity of outbound transfer of personal information, as well as the associated security risks.
(4) At the end of the Assessment Report, companies are required to provide an objective impact assessment conclusion on the outbound transfer activities based on the comprehensive assessment and corresponding rectification measures, and fully explain the reasons and evidence behind the assessment conclusion.
In addition, according to the Commitment Letter template attached to the Filing Guidelines, the personal information protection impact assessment should be completed within three months prior to the filing, and there should be no significant changes until the filing date.
Given that the Assessment Report involves some content related to cyber security technology, it is recommended to consult with legal experts as well as network data security professionals during the drafting process.
2. Supplementation or Re-filing
After the completion of filing of the Standard Contract, the companies should conduct another personal information protection impact assessment, supplement or enter into a new Standard Contract and perform relevant filing formalities under any of the following circumstances:
(1) where the purpose, scope, category, sensitivity, method and storage location of provision of personal information overseas or the overseas recipient’s purpose or method to process personal information has changed, or the overseas storage period of personal information is to be extended;
(2) where the rights and interests of personal information may be affected by changes in the policies and regulations on personal information protection of the country or region where the overseas recipient is located; or
(3) any other circumstance that may affect the rights and interests of personal information.
Except for the above, if the companies enter into a supplemental agreement within the term of the Standard Contract or enter into a new Standard Contract, a supplementary filing or re-filing should be conducted.
3. Grace Period
For companies that are required to file the Standard Contract, the Standard Contract Measures provides a grace period of six months, during which the companies that have already started the outbound transfer of personal information may continue to the transfer. After the grace period expires, i.e. after December 1, 2023, companies that have not completed the filing of Standard Contract or whose filing has not been approved should no longer continue to transfer the personal information outbound.
4. Legal Liabilities
The Standard Contract Measures do not directly specify the legal liabilities for failure to file, but stipulate that penalties may be imposed in accordance with the Personal Information Protection Law and other relevant laws and regulations. Penalties may include orders to make corrections, warnings, confiscation of illegal gains, orders to suspend or terminate provision of relevant services, suspension of business for rectification, revocation of relevant business permits or business licenses, fines of up to RMB 50 million or 5% of the personal information processor’s annual turnover from the previous year, etc. If the personal information processor’s behaviour constitutes a crime, they shall also bear corresponding criminal liabilities.
For more details about the Standard Contract Measures, please refer to our previous alert Standard Contract for Outbound Transfer of Personal Information from China.
Despite the six-month grace period provided by the Standard Contract Measures, there a significant amount of preparation work required for filing. We strongly recommend that companies that are required to file the Standard Contract should initiate the filing process as soon as possible to avoid any disruption to their normal business operations. If you have any further questions regarding the filing of the Standard Contract or require our assistance with the filing process, please do not hesitate to contact us.