On 30 June 2022, the Cyberspace Administration of China (the “CAC”) released the draft Provisions on Standard Contracts for Cross-border Transfers of Personal Information (the “Provision”) for public comment until 29 July 2022. The Provision contains an appendix with a sample template of standard contractual clauses (the “SCC”) for businesses to integrate into the commercial contracts they enter into with other data handlers.
Since the Provision is drafted in accordance with the Personal Information Protection Law (the “PIPL”), the definitions formulated by the PIPL carry over to the Provision and are used consistently with the PIPL.
As per Article 38 of the PIPL, there are four scenarios in which data exporters may legitimately transfer personal information outside of China, namely:
- (a) The relevant security assessment organised by the CAC has been passed in accordance with Article 40 of the PIPL;
- (b) The relevant certification of personal information protection issued by a professional institution according to the regulations of the CAC has been obtained;
- (c) The contract in compliance with the standard contract terms provided by the CAC has been signed with the overseas personal information recipient; or
- (d) Other conditions prescribed by the laws, regulations or the CAC.
The Provision addresses scenario (c) above and provides detailed guidance. According to Article 2 of the Provision, a data handler who intends to export personal information based on scenario (c) shall enter into the SCC to establish the rights and obligations of both the exporter of personal information in China (the “Exporter”) and the overseas recipient (the “Importer”).
Most Exporters will transfer personal information out of China by signing the SCC with Importers, instead of passing a security assessment or obtaining the certification. According to Article 4 of the Provision, a personal information handler (i.e. the Exporter in this case) shall meet all of the following conditions if it wants to export personal information to the Importer:
- It should not be a critical information infrastructure operator (the “CIIO”);
- It handles personal information of fewer than 1,000,000 data subjects;
- It has provided personal information of fewer than 100,000 data subjects in aggregate to the Importer since 1 January of the previous year; and
- It has provided sensitive personal information of fewer than 10,000 data subjects in aggregate to the Importer since 1 January of the previous year.
In other words, CIIOs and personal information handlers who exceed any of the above thresholds will not be able to legally transfer personal information out of China by signing the SCC. They would instead have to carry out a security assessment organised by the CAC, obtain a certification of personal information protection issued by a professional institution, or follow any other condition prescribed by laws and regulations in the future, as the case may be.
In addition to signing the SCC, the Provision requires Exporters to carry out a Personal Information Protection Impact Assessment (“Impact Assessment”) before transferring personal information out of China.
The Impact Assessment shall focus on i) the legal basis and necessity of transfer; ii) the scope and volume of data involved and the potential risks of such transfer; iii) Recipients’ warranties on safeguarding the personal information transferred; iv) the potential remedies available to data subjects for protecting their personal information; and v) the impact of personal information protection policies and regulations in the country or region where Importers are located and governed, on the enforcement of the SCC. In sum, this Impact Assessment is equivalent to the more commonly known TIA (Transfer Impact Assessment) under the General Data Protection Regulation (GDPR).
Once the SCC is signed and the Impact Assessment is completed, the Exporter shall, within 10 working days from the effective date of the SCC, file the SCC and the Impact Assessment report with the CAC at the provincial level where it is located (“Cross Border Filing”).
It is worth noting that the above filing is not a once-and-for-all process. Should there be any change of circumstances that may affect data subjects’ rights and interests in their personal information, Exporters shall amend and re-sign the SCC and redo the Cross Border Filing. The wording on the circumstances that trigger a new Cross Border Filing is rather ambiguous, i.e., the regulator may have considerable room to interpret, at its own discretion, what is deemed a change.
Failing to do, or redo, the Cross Border Filing with the CAC, or filing false materials, will result in administrative orders to rectify or to cease transfer, and/or other administrative punishments according to the PIPL. If the violation is sufficiently serious to constitute a crime, Exporters may bear criminal liability as well.
The Provision is still draft legislation, but once promulgated, it will definitely have an impact on companies with international data flows. We will follow this very closely and update our clients on the progress. We recommend that companies start reviewing their data flows now to stay ahead of the legislative process.