Standard Contract for international personal data transfers finalised and comes into effect on 1 June 2023.
On 24 February 2023, the Cyberspace Administration of China (“CAC”) issued the Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Information (“Measures”). The Measures finalise the Standard Contract between the sender and the overseas recipient, one of the key components of cross-border personal data transfers, and further supplement the overarching law, the Personal Information Protection Law, which regulates personal data. The Measures serve as implementing provisions that strengthen the management and protection of cross-border data transfers.
The Measures also require the signed Standard Contract to be filed with the local provincial network information department within 10 working days of its effective date.
Therefore, before 1 June, international subsidiaries in China should be preparing to adjust their procedures with headquarters and relevant third parties to ensure that these legal obligations are met. As for the deadline, the Measures offer a six-month grace period from 1 June 2023 (the date they enter into force) for companies to rectify their activities and comply with the requirements of the Measures.
Below, we break down the Measures for companies to align with the forthcoming legal obligations.
Scope of Application
The Standard Contract applies to companies established in China that, as personal information processors, provide personal information to recipients outside the territory of the People’s Republic of China and that fulfil all of the following conditions (unless otherwise stipulated by other laws and regulations):
- not a critical information infrastructure operator (CIIO);
- handles the personal information of fewer than one million individuals;
- provides personal information of fewer than 100,000 individuals in the aggregate to overseas recipients since 1 January of the previous year; and
- provides sensitive personal information of fewer than 10,000 individuals in the aggregate to any overseas recipients since 1 January of the previous year.
CIIOs are identified by the relevant administrative and supervisory authorities (‘authorities’) on an industry-by-industry basis, and identified operators are notified by those authorities. Companies that have not received such a notification may therefore take the position that they have not been designated as a CIIO.
It is important to note that companies cannot bypass these obligations by:
- splitting the volume of personal data to be transferred overseas into smaller transfers; or
- using a Standard Contract as an alternative route for personal data transfers that are subject to a security assessment.
Standard Contract Form
The CAC released the Standard Contract Form (‘Form’) as an annex to the Measures. The content of the Form must be adhered to strictly. Companies that wish to add supplementary clauses may do so, provided those clauses do not conflict with the Form.
The clauses of the Form include:
- Obligations of the personal information processor;
- Obligations of the overseas receiver;
- Impact of local policies and regulations;
- Rights of the personal information subject;
- Details of the export, including the purpose and method of processing, the scale and type of outbound personal information, the type of sensitive personal information, any third-party recipients, the transmission method, storage period, storage location and so forth;
- Incident remedies;
- Contract termination;
- Breach of contract liabilities.
Obligations under other relevant contracts, laws and regulations must equally be observed.
The signed Standard Contract must be filed with the local authorities within 10 working days of its effective date, and companies must file a Personal Information Protection Impact Assessment report together with it.
The Measures also require the Standard Contract to be re-signed and re-filed if any of the following changes occur:
- adjustments to the content of the Standard Contract;
- changes in local policies and regulations; or
- other circumstances that may affect the rights and interests of personal information subjects.
Violations are subject to the penalties set out in the Personal Information Protection Law, which include administrative and civil liabilities; criminal liability may also be pursued where the conduct violates the criminal law, depending on the severity of the violation.
Administrative penalties may include warnings, rectification orders, fines, confiscation of illegal gains, suspension or revocation of relevant licenses or permits, and even administrative detention for the responsible personnel.
As for civil liability, the violator must compensate for the losses caused by its non-compliance and for harm to the personal information or the personal information subject.
In preparation for the effective date, companies, and international businesses in particular, should assess their cross-border personal data transfers and put the Standard Contract in place before the deadline.