On May 30, 2023, the Cyberspace Administration of China (“CAC”) issued the Guidelines to the Filing of Standard Contract for the Outbound Transfer of Personal Information (First Edition) (hereinafter referred to as the “Guidelines”), which provides the specific requirements for the method, process, and materials for the filing of standard contract (“Standard Contract”) as required in the Measures on the Standard Contract for Outbound Transfer of Personal Information (hereinafter referred to as the “Measures”) to be implemented on June 1, 2023.
We are currently providing the relevant services to a number of international clients by using the route of the Standard Contract pursuant to the Measures. The long-awaited Guidelines is absolutely a very timely tool. The purpose of this article is to share some key points of the Guidelines from a practical point of view. Our firm’s translated version of the Guidelines in English can be found at “Read More” at the end of this article for clients’ reference.
I. Which Entities May Use the Standard Contract for the Outbound Transfer of Personal Information
Unlike GDPR, there are only three routes or mechanisms for personal information cross-border transfer under PRC’s Personal Information Protection Law: (a) passing the mandatory security assessment organized by CAC; (b) obtaining a certification on personal information protection from a professional institution in accordance with the regulations of the CAC; (c) entering into Standard Contracts with overseas recipients. To use the Standard Contract route, Article 4 of the Measures provides the following applicable criteria:
1) not a critical information infrastructure operator;
2) handling personal information of fewer than one million individuals;
3) having provided personal information of fewer than 100,000 individuals in aggregate to overseas recipients since January 1 of the previous year; and
4) having provided sensitive personal information of fewer than 10,000 individuals in aggregate to any overseas recipients since January 1 of the previous year.
Personal information processors who meet the above conditions are allowed to transfer personal information to overseas recipients by using the Standard Contract mechanism.
In practice, most multinational companies with business entities in China are concerned about the issue of the cross-border transfer of personal information (e.g. the transfer of Chinese employees’ personal information to the headquarters outside China). Even in the situation where the scale of personal information to be transferred is quite small, such overseas recipients are still required to take one of the above three paths, most likely the Standard Contract route. Compared to the other two paths, the Standard Contract mechanism seems to be the most efficient one.
II. Practical Points and Tips from the Guidelines
The Guidelines provides certain specific guidance for multinational enterprises and other entities which urgently need to transfer personal information out of China by using the Standard Contract route, such as further clarification on what situations would be regarded as cross-border transfer of personal information, the filing methods and processes, and the filing material requirements. Most of all, the Guidelines also provides a template personal information protection impact assessment report (“PIA Report”) which is a mandatory and crucial report to be filed pursuant to the Measures.
The content of the Guidelines is relatively similar to the guidelines issued by the CAC for the applications under the Security Assessment of Outbound Data Transfers which came into effect on September 1, 2022 (hereinafter referred to as “Guidelines for Data Transfer”).
The following technical tips are summarized from our experience and shared for your attention:
Who Should Do the Filing
It is important to note that the entity to file the Standard Contract, the PIA Report and other supporting materials should be the personal information processors, i.e. the individuals or companies which provide personal information to overseas recipients. For multinational enterprises, it should be the domestic entities, not the overseas headquarters or companies, to do the filings.
The Result of the Filing
Unlike the Guidelines for Data Transfer, the Guidelines for personal information transfer specifies that the local provincial CAC will complete the examination within 15 working days after receiving the materials and notify the personal information processor of the filing result of PASS or FAIL. If FAIL, the personal information processor is required to submit additional materials within 10 working days.
Generally speaking, the local CAC’s review is a kind of prima facie review. Nevertheless, it does not exclude the possibility that the local CAC may conduct an extensive investigation and review of the substance of the materials. Given that the period for submitting supplementary materials is relatively short, the filing party is advised to be well prepared for the initial filing.
About the PIA Report
According to the template undertaking in Annex 3 of the Guidelines, the PIA Report should be completed within 3 months prior to the date of filing on the condition that no significant changes have occurred up to the date of filing.
The template PIA Report provided by CAC is basically the same as the template report provided in the Guidelines for Data Transfer, which seems to indicate that CAC does not lower the standard of the PIA simply because the entities are taking the easier mechanism, i.e. the Standard Contract route, for cross-border transfer. According to the CAC’s Q&As on the Guidelines for Data Transfer, such template reports should be strictly applied. Therefore, the filing party is recommended to fully sort out all the relevant information based on this template. If it is difficult to clarify certain issues (such as legality, legitimacy and necessity) or technical aspects of data security (such as technical capacity of personal information security, etc.), you may consult with lawyers or other data security professionals.
Template Standard Contract
Unlike the SCCs under GDPR, the template Standard Contract provided in the Measures does not allow any adjustment to the main body of the contract, and additional content that does not conflict with the main body can be provided as an appendix to the Standard Contract.
III. Grace Period
The Measures provides for a six-month grace period. That is, the personal information processors need to comply with the requirements of the Standard Contract path for the personal information cross-border transfer activities on or before November 30, 2023.
Therefore, it is suggested that clients sort out the data transfer related business situation or activities as early as possible and determine whether the Measures is applicable. For clients who are able to take the Standard Contract route, they are advised to prepare their own Standard Contracts and PIA reports in accordance with CAC’s newly released templates and file them with the local provincial CAC authorities within the grace period.
Thanks to our intern Ms Shuyu Wang for her contribution to the translation of the Guidelines.