On 30 May 2023, the Cyberspace Administration of China (“CAC”) released the guidelines (“Guidelines”) for filing the standard contract for personal information export (“SCCs”), two days before the regulation for filing the Chinese SCCs took effect on 1 June. In this article, we highlight the key requirements of the Guidelines together with our observations. If you would like a copy of the English translation of the Guidelines, please contact James Gong at james.gong@twobirds.com.
BACKGROUND
The Personal Information Protection Law (“PIPL”) (for our comments on the PIPL, please click here) provides three routes for personal information processors¹ to export personal information (“PI”), namely:
- passing a governmental security assessment (“Governmental Assessment”) that is required for critical information infrastructure (“CII”) operators as well as organisations that process personal information reaching one of the three threshold amounts (“Thresholds”) specified by the CAC (for our comments on the Governmental Assessment, please click here);
- attaining a PI protection certification (“Certification Regime”) by an institution accredited by the CAC (for our comments on the Certification Regime, please click here and here); or
- entering into the SCCs with the overseas PI importers.
Most PI Processors do not reach the Thresholds and therefore are not eligible to use the first route, the Governmental Assessment. The Certification Regime appears to be designed for intragroup PI transfer within large multinational companies or international organisations and the process is quite onerous. As a result, the SCC route is expected to be the most commonly used data export route for PI Processors.
The CAC released the regulation on filing the SCCs in February 2023 (for our comments on the regulation, please click here), which took effect on 1 June 2023 and gives the PI exporters in China six months to implement the regulation. In accordance with the regulation, the PI exporters must conduct a personal information protection impact assessment (“PIPIA”), sign the SCCs, and file the PIPIA report and a copy of the signed SCCs with the provincial CAC office within 10 business days of executing the SCCs.
The Guidelines are intended to provide PI exporters who elect to adopt the SCCs process for their PI export with more details on the filing process.
KEY PROVISIONS AND OBSERVATIONS
I. How to file?
PI exporters are required to make the filing by sending hard copies of the SCCs together with electronic copies of the filing materials to the CAC office of the province where the PI Processor is located. Contrary to expectation, the CAC has not provided an online application channel. It is not clear whether the CAC will accept applications by mail or require onsite submission only, which we expect will be determined by the individual provincial CAC office.
By the date of this article, the Beijing CAC has released its own guidance. Thereunder, PI exporters must send an electronic copy of the filing materials (in .pdf format) to the Beijing CAC by email first and then file a hard copy. The filing will be deemed successful on notification issued by the Beijing CAC within 10 business days of filing. Unsuccessful PI Processors will need to submit an electronic copy of supplemental or revised materials within 10 business days of the notification.
The Shanghai CAC takes a similar approach: PI exporters should submit the electronic copy by email first and the hard copy after the electronic copy has been reviewed and approved. However, it does not specify a timeline for review of the electronic copy.
There could be multiple supplemental applications, which will be arduous and time-consuming for applicants for the SCC if provincial CACs only accept hard copies. The guidance released by the Beijing CAC and Shanghai CAC will avoid these inconveniences of having to prepare hard copies for each submission, should the first submission be unsuccessful. It is not known whether other provincial CAC offices will follow suit.
II. Filing process, timeline and content
Filing process
The filing process will include the following three phases:
- Submission of filing materials by the PI exporters within 10 business days of signing the SCCs;
- Review of the materials and notification by the provincial CACs, who will notify the PI exporters of the result of the filing within 15 business days of submission; and
- Submission of supplemental materials by unsuccessful applicants within 10 business days of notification.
It appears that the initial review process will take 15 business days. However, PI exporters should consider the possibility that the submission may not be accepted on the first occasion and that there could be one or more subsequent submissions of supplemental materials. It may take another 15 business days for the provincial CACs to review supplemental materials and reach a decision. Therefore, the process may well take 40 business days or more.
The Beijing CAC reduced the time for first review of the materials from 15 business days to 10 business days, and it is possible that other provincial CACs may follow suit.
The CAC has not made it clear whether the PI exporter can continue to export PI if it has not completed the filing by the end of the grace period, i.e., 30 November 2023. It is advisable that PI exporters make the submission at least 40 business days before the end of the grace period to ensure compliance.
Updated and new filings
PI exporters may need to make an updated or a new filing after completing an initial filing of the SCCs, upon signing any updated or new SCCs in the following circumstances:
- changes to the purpose, scope, types, sensitivity, means or storage site of the exported PI or the purpose or means of the processing by the PI importers, or an extension of the retention period of the PI by the PI importers;
- changes to the PI protection policy, laws or regulations of the jurisdictions where the PI importers are located which may impact the rights or interests of individuals to the PI; or
- such other circumstances that may impact rights or interests of individuals to the PI.
The provincial CAC office has 15 business days to review the filing made in the above circumstances. Although the Guidelines do not specify the timeline within which a PI exporter should make such filing, we would recommend that the submission be made within 10 business days of signing.
In addition, the PI exporters will have an obligation to consistently monitor any changes in the data protection law, regulation and policy in the PI importer’s jurisdiction.
Filing materials
In addition to the PIPIA report and a photocopy of the signed SCCs, the PI exporters must also submit the following materials:
- (i) A photocopy of the unified social credit code certificate;
- (ii) A photocopy of the ID of the PI exporter’s legal representative;
- (iii) A photocopy of the ID of the person authorized to handle the filing by the PI exporter;
- (iv) A letter authorizing the person to handle the filing; and
- (v) A letter of undertaking issued by the PI exporter to warrant that it complies with the requirements for SCCs filing.
The Guidelines provide templates for items iv and v.
III. PIPIA Report
The Guidelines also provide for the structure and key points of the PIPIA report, which, as expected, are in essence the same as those of the self-assessment report for the Governmental Assessment.
Key sections include:
- An introduction of the assessment;
- Description of the PI export activities, covering
  a. Information of the PI exporters;
  b. Business and information systems relevant to the PI export activities;
  c. PI to be exported;
  d. PI protection capability of the PI exporters; and
  e. Information of the PI importers;
- Impact assessment of the proposed PI export; and
- Conclusion of the security assessment.
The level of detail required under the PIPIA will require the PI exporters to devote substantial time and resources to map out the PI export activities and implement any remediation measures. The PIPIA report will need to be completed no more than three months before submission of the filing materials.
IV. Review by CAC
The Guidelines do not specify the extent to which the CAC will review the filing materials. It appears that review by the provincial CAC offices may go beyond the formality of the materials, especially in relation to the PIPIA report. In that instance, PI exporters should be prepared for detailed feedback from the CAC, which may require submission of supplemental materials and draw out the filing process.
CONCLUSION AND RECOMMENDATIONS
The Guidelines provide for a filing process that is comparable with the Governmental Assessment, in particular the structure of the PIPIA report, which is the key filing document. The process may take over 40 business days, and PI exporters should not underestimate the time and effort required to complete the process and are advised to start preparing for the filing as soon as possible.
For those that are subject to the Governmental Assessment but have yet to make an application for export of personal information, entering into an SCC will not be an alternative, as the CAC will closely review the filing materials and will reject any filing for data export that meets the Thresholds. PI exporters should not take a wait-and-see approach, as we anticipate that enforcement actions will follow. The CAC has noticed that certain companies are reluctant to take action and has opened channels for reporting noncompliance.
PI exporters are recommended to take the following actions:
- Identify the PI export data flows and PI importers;
- Amend existing cross-border data transfer documents to reflect the changes;
- Notify and discuss with the PI importers entering into the SCCs before the transfer;
- Conduct the PIPIA in relation to the PI export and remediate any gaps and risks identified;
- Execute the SCCs; and
- Make the filing with the competent provincial CAC.
For more information please contact: James Gong or Ying Zhong.
1 A personal information processor is defined as an organisation or individual that independently determines the purposes and means of the processing, akin to the concept of data controller under the General Data Protection Regulation (“GDPR”) of the European Union.