On June 30, 2022, the Cyberspace Administration of China (the “CAC”) issued a draft Provision on the Standard Contract for Cross-border Transfer of Personal Information (“Draft Provisions”) and a draft of the Standard Contract for Cross-border Transfer of Personal Information (“Standard Contract”) for public comments. Per Article 38 of the Personal Information Protection Law (“PIPL”), if the data handler is not required to conduct a government security assessment, it may choose either to obtain certification from a qualified third-party institution or to execute the Standard Contract for cross-border transfer of personal information. Certification might be more commonly used for cross-border transfers within a corporate group, whereas the Standard Contract may be more popular in other cross-border transfer scenarios.
Scope of Application of Standard Contract
Data handlers must satisfy all of the following conditions to be eligible for execution of the Standard Contract for cross-border transfer:
- They are not considered critical information infrastructure (“CII”) operators;
- They process personal information of fewer than one million individuals;
- They cumulatively transferred personal information of less than 100,000 individuals from January 1 of the previous year; and
- They cumulatively transferred “sensitive” personal information of less than 10,000 individuals from January 1 of the previous year.
Even though the Standard Contract is only a draft, the above conditions or thresholds are highly unlikely to be changed substantially in the final version of the Standard Contract. Such conditions or thresholds echo the Measures on Security Assessment on Cross-border Transfer (the “Measures”), which regulate mandatory government assessment for cross-border transfers.
Personal information protection impact assessments (“PIPIA”) are required before cross-border transfers. This is consistent with relevant requirements under PIPL. Specifically, the Draft Provisions provide more detailed requirements of the PIPIA for cross-border transfers of personal information, including:
- legality, legitimacy and necessity of purpose, scope and method of processing personal information by the data handler and the data recipient;
- quantity, scope, type and sensitivity of personal information to be transferred outside of China, and potential risks to rights and interests in personal information caused by the cross-border transfer;
- responsibilities and obligations that the data recipient assumes, and whether its management, technical measures and capabilities to fulfill such responsibilities and obligations are sufficient to ensure the security of the transferred personal information;
- risks of disclosing, destroying, tampering with or misusing personal information, and whether there is a convenient channel for individuals to assert their rights and interests in the personal information;
- impact of personal information protection policies and regulations in the country or region of the data recipient on fulfillment of the Standard Contract; and
- other matters that may affect the security of personal information to be transferred outside of China.
Supervision by the CAC
Within 10 business days of the effective date of the Standard Contract, data handlers are required to conduct filing for cross-border transfer with the cyberspace authority at the provincial level (“Competent Authority”). Data handlers must submit both the Standard Contract and the PIPIA report to the Competent Authority. The CAC will eventually open an online platform for submission of filing materials, but it is not available yet.
The data handler is obligated to respond to inquiries by the Competent Authority regarding the processing activities of the data recipient unless it is agreed that the data recipient shall respond to such inquiries. Even where such an agreement is in place, the data handler remains liable to respond to inquiries from the Competent Authority if the data recipient fails to do so. The data handler also bears the burden of proof.
The data recipient is also subject to supervision by the Competent Authority. This obligation includes but is not limited to responding to the inquiries of the Competent Authority, cooperating in examination by the Competent Authority, obeying the order or decision made by the Competent Authority and providing written evidence of compliance to the Competent Authority.
The data handler’s contractual obligations include the following: (1) processing lawfully in compliance with PIPL; (2) informing data subjects that they are third-party beneficiaries under the Standard Contract; (3) providing the relevant laws and technical standards to the data recipient upon request; (4) responding to the relevant inquiries of the Competent Authority regarding the processing activities of the data recipient; (5) conducting relevant PIPIAs; (6) providing a copy/summary of the Standard Contract to the data subjects; (7) bearing the burden of proof; and (8) providing the relevant documents, including audit reports, as proof of compliance by the data recipient.
The data recipient’s obligations include: (1) processing personal information in compliance with the Standard Contract; (2) providing a copy/summary of the Standard Contract to data subjects; (3) minimizing the scope of transfer of personal information outside of China; (4) retaining personal information only for the minimum necessary period; (5) providing audit reports to the data handler after deletion or anonymization of personal information in cases of sub-processing by an entrusted third party; (6) implementing relevant technical and management measures and access controls to safeguard the security of processing; (7) obligations related to data breaches; (8) restrictions on onward transfer; (9) restrictions on sub-processing by an entrusted third party; (10) restrictions on automated decision making; (11) providing relevant documents to the data handler as evidence of compliance with the Standard Contract; (12) a three-year retention period requirement and provision of relevant documents to the data handler or the Competent Authority; and (13) acceptance of supervision by the Competent Authority.
The Standard Contract restricts the data recipient from providing personal information under the Standard Contract to any third party outside of China (“Onward Transfer”). An Onward Transfer is only allowed when all of the following conditions are met:
- the Onward Transfer is necessary for business;
- the data recipient has informed the data subjects of the relevant information and obtained separate consent unless relevant laws do not require separate consent;
- there is a written agreement between the data recipient and such third-party recipient to ensure the protection level is not lower than provided for under the PIPL, and the data recipient is jointly liable for any damage caused by the Onward Transfer; and
- the data recipient is obligated to provide the onward transfer agreement to the data handler.
Evaluation of Local Laws
The purpose of evaluating the local laws of the data recipient’s country or region is to achieve protection equivalent to that under PIPL. Such an evaluation would focus on the following issues:
- Whether the personal information protection laws of the country or region of the data recipient would prevent the data recipient from fulfilling its obligations under the Standard Contract.
- The impact of the local laws of the data recipient’s country or region on the cross-border transfer must be analyzed, taking into account the following matters:
  - the specific circumstances of the cross-border transfer, including the type, volume, scope and sensitivity of the personal information to be transferred; the scale and frequency of transfer; the transfer period and the retention period by the data recipient; the processing purpose; the data recipient’s relevant experience of cross-border transfer and processing under similar scenarios; whether the data recipient has had any data incidents in the past and, if so, whether it disposed of such incidents appropriately; and whether the data recipient has received any request for the provision of personal information from public authorities of its country/region and how it responded;
  - the status of the existing laws and regulations and generally applicable standards for the protection of personal information in such country or region;
  - the regional or global organizations in the field of personal information protection that the country or region has joined, and the binding international commitments it has entered into; and
  - the mechanism for implementation of personal information protection in such country or region, such as whether there is any personal information protection supervision and enforcement body and a relevant judicial body.
Data Subject’s Rights
In addition to their rights under PIPL, data subjects may also make relevant requests to the data recipient directly. As third-party beneficiaries of the Standard Contract, data subjects may request a copy of the Standard Contract.
If data subjects make excessive or unreasonable requests, particularly those of a repetitive nature, the data recipient may charge a reasonable fee or refuse to act as requested, taking into account the implementation and operation costs of such requests.
The Standard Contract shall be governed by Chinese law, and the parties may choose either litigation in court or arbitration as the means of dispute resolution. The arbitral institution must be a member of the New York Convention.
The parties may have additional agreements in Annex II, but they cannot prejudice or conflict with the Standard Contract. In the event of any conflict between the Standard Contract and any other existing agreement by and between the data handler and the data recipient, the terms of the Standard Contract shall prevail.