China: Long-awaited standard contract released and filing requirement added for transfer of personal information out of China
On 24 February 2023, the Cyber Administration of China ("CAC") issued measures containing a standard contract template for transfers of personal information, detailed guidelines (including for a required impact assessment), and a filing requirement for transfers of personal information from China to other countries.
These measures come into effect on 1 June 2023 and are highly relevant for multinational companies with a presence in China.
Processing of personal information in China
China's data privacy law, the Personal Information Protection Law ("PIPL"), entered into force on 1 November 2021, and it also regulates cross-border transfers of personal information. On 30 June 2022, CAC issued a draft standard contract template soliciting public comments. Building on that, CAC issued the "Circular on the Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Information" ("Measures") on 24 February 2023.
Standard contract as legal basis for transfers
Pursuant to the Measures, not all personal information processors are allowed to use the standard contract template as the legal basis for transfers of personal information out of China. Only those personal information processors meeting all of the following four requirements may use the standard contract:
- The personal information processor is not a critical information infrastructure operator (often referred to as "CIIO");
- The personal information processor handles personal information of fewer than one million individuals;
- The personal information processor has transferred personal information of fewer than 100,000 individuals, in aggregate, to overseas recipients since 1 January of the previous calendar year; and
- The personal information processor processes sensitive personal information of fewer than 10,000 individuals, in aggregate, to overseas recipients since 1 January of the previous year.
Pursuant to the Measures, a standard contract must include basic information about the personal information processor and the overseas recipient, as well as the purpose, scope, type, sensitivity and quantity of personal information, method, retention period, storage location, and other aspects of the personal information to be transferred. Alongside the Measures, CAC also published a standard contract template. Except for minor adjustments, the finalized standard contract template is almost the same as the draft standard contract template issued in June 2022.
Requirement for personal information protection impact assessment
In addition to the standard contract, the personal information processor transferring personal information out of China must also conduct a "personal information protection impact assessment" ("PIPIA"), cf. the Measures, article 5. A PIPIA must contain the following:
- description of the legality, legitimacy, and necessity of the purpose, scope, and method for processing personal information by the personal information processor and the overseas recipient;
- listing of the quantity, scope, type, and sensitivity of the personal information to be transferred overseas, and the risk(s) that the cross-border transfer may pose;
- the obligations that the overseas recipient undertakes, and whether its management, technical measures and capabilities sufficiently fulfil such obligations ensuring safety of the personal information to be transferred;
- after transfer abroad, the risk of disclosure, destruction, or interference of the personal information, and whether there is a channel for individuals to protect their rights and interests in their personal information;
- the impact of personal information protection policies and regulations in the country or region of the overseas recipient on the performance stipulated in the standard contract; and
- other matters that may affect the security of the personal information to be transferred overseas.
Once a standard contract has been executed and the PIPIA has been completed, the personal information processor in China is required to file both of these documents with the local or higher-level CAC at the place where the personal information processor is located. Such filing must occur within 10 working days from the effective date of the standard contract.
It is worth noting that regardless of whether the personal information processor is a larger group of companies that share personal information with other group companies or whether the overseas recipient is an external third-party provider outside of China, the personal information processor in China needs to have a separate standard contract and conduct a separate impact assessment report for each overseas recipient.
With the announcement of the Measures and the standard contract template, all companies transferring personal information from China have a new set of detailed requirements they must adhere to from 1 June 2023. In particular, preparing to enter into the standard contracts and conducting PIPIAs in accordance with the Measures can be challenging. We therefore recommend that companies initiate these processes as soon as possible to avoid their cross-border transfers of personal information being in breach of PIPL. Non-compliance with PIPL may lead to fines of up to RMB 100,000 for persons in charge or directly liable for the violation and/or fines of up to RMB 50,000,000 or 5% of the previous year's turnover for the company, and even withdrawal of the right to conduct business in China.