By Maarten Roos & Connie Chen
On 24 February 2023, the Cyberspace Administration of China (CAC) issued the Measures for Standard Contracts for Outbound Personal Information (Measures) and the Standard Contractual Clauses (SCC), which will take effect on 1 June 2023 to guide implementation of Article 38 of China’s Personal Information Protection Law (PIPL) focusing on cross-border transfers of personal data.
Application of the Measures and SCC
China’s PIPL establishes that companies that export personal information overseas and meet certain criteria or thresholds, must first complete a security assessment as per the Data Outbound Security Assessment Measures (Assessment Measures); and this must be filed with the CAC for approval. This applies when any of the following criteria are met:
- critical data infrastructure operator (CIIO);
- personal data processing of more than 1 million individuals;
- transfer of personal data of more than 100,000 individuals, cumulatively since January 1 of the previous year; and
- transfer of sensitive personal data of more than 10,000 individuals, cumulatively since January 1 of the previous year.
For all other exporters of personal information, i.e., those companies that process and export personal information on a small-scale, can either complete a heavy certification process with a CAC-appointed body, or they will be governed by the Measures. Most subsidiaries of international companies are expected to fall into the latter category.
Record Filing of the Executed SCC + PIA
The Measures clarify several concepts under the PIPL, and detail obligations on both the personal data exporter and the overseas recipient. From a procedural point of view however, the key obligations under the Measures are three-fold:
- Data processors will need to sign contracts with the overseas recipient of the personal information, based on the SCC template;
- Data processors must complete a personal information protection impact self-assessment (PIA) and issue a detailed report in China;
- The signed SCC and PIA should be submitted to the local office of the CAC for record filing, within 10 working days from the effective date of the SCC.
For processors that are engaging in personal data export but have not filed with the local CAC, the Measures establish a six-month grace period. So, filings for existing exporters must be completed by 30 November 2023.
PIA (Self-Assessment Requirements)
The Measures include specific details of what the PIA should cover, which exemplify the priorities of China’s data privacy rules:
- the legality, legitimacy and necessity of the purpose, scope and methods of processing by the processor and overseas recipient;
- the quantity, scope, type and sensitivity of the personal data to be transferred to the overseas recipient, and the associated risk of such transfer;
- the ability of the overseas recipient to take security measures to fulfill data protection obligations under the PIPL;
- the risk of any information breaches, destruction, falsification, misuse after transfer, as well as the available remedial measures for individuals; and
- the impact of local policies and regulations on the protection of personal data in the overseas jurisdictions.
Conclusions & Next steps
The adoption and implementation of the Measures is one further step in the establishment of a comprehensive legal regime in China for the protection of personal information, this time focusing on the export of such information by small-scale data exporters that do not meet the heavy criteria that trigger the need for a security assessment and CAC filing.
The key takeaway is that it is now clear what steps these companies need to take to remain compliant: sign SCC’s with overseas recipients (incl. HQ’s of multinationals), complete a self-assessment, and file both the SCC’s and self-assessment with the CAC.
R&P’s data privacy team advises companies on how to remain compliant with China’s data privacy laws, and supports our clients with assessments and CAC filings. For more information on how we can support your business to be compliant, please reach out to [email protected] or [email protected], or to your usual contact at R&P.