By Connie Chen, Maarten Roos
The Measures on the Standard Contract for Outbound Transfer of Personal Information (the “Measures”) promulgated by the Cyberspace Administration of China (CAC) came into force on 1 June 2023. One day before, on 30 May 2023, the CAC issued the Filing Guidance for the Standard Contract for Personal Information Outbound Transfer (First Edition) (the “Filing Guidance”) with implementation guidance to the Measures.
This Q&A deals with some of the more common questions raised by small-scale data exporters based in China, including many foreign-invested companies in the B2B segment, on the steps that they need to take to remain compliant with PRC laws.
We will be using “outbound transfer” and “export”, as well as “data” and “information” interchangeably in the following.
[Q1] Is the filing of the Standard Contract mandatory, and what are the legal consequences for failing to do so?
[A1] Yes, the filing of a Standard Contract is mandatory under PRC laws. Article 7 of the Measures clearly stipulates that “the personal information handler shall, within 10 working days after the Standard Contract enters into effect, apply for filing with the local provincial cyberspace administration”.
Article 12 of the Measures stipulates that “any violation of the Measures shall be punished in accordance with the Personal Information Protection Law of the People’s Republic of China (PIPL), and other laws and regulations; where a crime is constituted, criminal responsibilities shall be investigated in accordance with the law”.
The legal consequences stipulated in the PIPL include ordering to make corrections, giving a warning, confiscating illegal gains, ordering the suspension or termination of applications that illegally handle personal information; and where the circumstances are serious, a fine up to five percent of the previous year’s turnover may be imposed on the company, and those directly in charge and other directly responsible persons may be fined up to one million Chinese Yuan (CNY 1 million, approx. USD 140,000). So, both the company and individuals could be subject to heavy penalties.
[Q2] Which personal information handlers are subject to filing of the Standard Contract for export of personal information?
Certain companies that export personal information overseas must complete a security assessment as per the Outbound Data Security Assessment Measures (Assessment Measures); and this must be filed with the CAC for approval. This applies when a data handler meets any of the following criteria:
- is a critical information infrastructure operator (CIIO);
- handles personal information of more than 1 million individuals;
- has exported personal information of more than 100,000 individuals, cumulatively since January 1 of the previous year; and
- has exported sensitive personal information of more than 10,000 individuals, cumulatively since January 1 of the previous year.
For all other exporters of personal information i.e., those companies that process and export personal information on a small-scale, they can either complete a heavy certification process with a CAC-appointed body, or they will be governed by the Measures. Most Chinese subsidiaries of international companies will undoubtedly opt to file the Standard Contract.
The contracting parties to the Standard Contract can only be a domestic personal information handler and a foreign recipient. Thus, a foreign entity that directly collects and processes personal information in Mainland China does not fall under the Measures. However, it may still fall under the Assessment Measures if it meets any of the above conditions.
[Q3] If a personal information handler entrusts a third party to process personal information, how to determine whether the Standard Contract shall be entered into and who are the contracting parties thereto?
[A3] The Standard Contract stipulates that the party to export personal information shall only be the personal information handler (i.e. data controller), that is, the organization or individual who independently decides the purpose and method of personal information processing and exports personal information. Below are some key scenario’s:
|1||Chinese company entrusts a Chinese third-party agent to process personal information and transfer abroad||The Chinese company is the data controller of personal information; the Chinese third party is only a supporting agent; therefore, the Chinese company should enter into the Standard Contract, while the details of the Chinese agent should be included in Appendix I.||The Chinese company and the foreign recipient||The Chinese subsidiary of a foreign company uses a third-party payroll agent in China, which report directly to the foreign company headquarters (the recipient) with monthly payroll details.|
|2||Chinese company entrusts a foreign third party to process personal information||Chinese company who acts as a data controller and exports personal information, shall enter into the Standard Contract with its entrusted foreign third party (data importer).||The Chinese company and the foreign third party||A Chinese company hires a Singapore consultancy company to provide coaching program for its employees in China.|
|3||A foreign entity entrusts a domestic entity to process personal information including export of personal information||Since the domestic entity is not a personal information handler, the Standard Contract is not applicable.||/||A foreign company uses cloud services provided by a Chinese company to manage their database. The Chinese company transfers the data (back) from its server to the foreign company|
[Q4] What filing feedback may the CAC give upon review?
[A4] The filing results will be either Pass or Fail. Specifically, the relevant provincial cyberspace administration will issue a filing number to the personal information handler if the filing passes, or otherwise the personal information handler will receive a notice on unsuccessful filing and the reasons therefor. Where the personal information handler is required to supplement materials, it shall do so for re-submission within 10 working days.
[Q5] Is the filing of the Standard Contract subject to substantive review?
[A5] The relevant provincial cyberspace administration shall, within 15 working days upon receipt of the materials, complete examination of the materials and notify the personal information handler of the filing results. Although this procedure is a “filing”, which would normally be subject to formal review only, there are only two possible results (Pass and Fail), and so it is very likely that the cyberspace administration will conduct a substantive review of the submitted filing materials.
[Q6] Can any terms of the Standard Contract be modified?
[A6] In principle they cannot be modified. In February 2023, the CAC when responding to reporters in a press conference explained that the text of the Standard Contract cannot be modified. The contracting parties to the Standard Contract can agree to additional terms that do not conflict with the Standard Contract, which should be stipulated in Appendix II.
[Q7] How to understand the precedence of the Standard Contract, and whether the terms regarding processing of personal information previously agreed automatically become invalid?
[A7] The Standard Contract shall prevail over any other legal documents signed by the parties thereto. However, the signing of the Standard Contract does not necessarily lead to the automatic invalidation of contracts previously signed; that is, subject to the specific terms and contents, terms that were previously agreed and are not in conflict with the Standard Contract, shall remain valid. The Standard Contract shall prevail in case of conflict.
[Q8] What should be the contract term for the Standard Contract?
[A8] The Measures do not set requirements on the validity period of the Standard Contract; While the filing procedure is not a condition to its effectiveness, our current understanding is that the term of the Standard Contract may be agreed by the parties at their discretion. Our advice is to determine the contract term comprehensively with reference to the information type, the purpose of personal information export, and the situation of the foreign recipient (such as the level of security measures provided thereby).
[Q9] Under what circumstances shall the personal information handler and the foreign recipient re-conduct a personal information protection impact assessment (PIA), supplement or re-sign the Standard Contract, and conduct filing formalities?
[A9] Article 8 of the Measures establishes that under any of the following circumstances, the personal information handler shall re-conduct the personal information protection impact assessment (PIA), supplement or re-sign the Standard Contract, and re-perform relevant filing formalities:
- where the purpose, scope, type, sensitivity, method, storage location of personal information to be exported or the foreign recipient’s purpose and method to process the personal information have changed, or the retention period of personal information has been extended;
- where the rights and interests of personal information subjects may be affected by changes in the policies and regulations on personal information protection of the country or region where the foreign recipient is located;
- any other circumstances that may affect the rights and interests of personal information subjects.
[Q10] If a business has multiple branches or subsidiaries that are involved in personal information processing in Mainland China, how to determine which entity shall sign the Standard Contract and submit it for filing?
[A10] The Measures are not clear on this point. However, on 2 June 2023, Beijing CAC issued the “Relevant Instructions” for the Filing Guidelines of Beijing for the Standard Contract for Personal Information Outbound Transfer, specifically pointing out that the filing entity shall be a legal entity, which is consistent with the contracting party of the Standard Contract. If several independent legal enterprises belong to the same group company, then this group company can file on behalf of its subsidiaries and branches. We expect that other provinces/cities will follow the same practice as Beijing.
[Q11] What notification and informing obligations do the Standard Contract stipulate for the foreign recipient in case of further transfer of the personal information?
[A11] The notification and informing obligations of the personal information handler under the Standard Contract are consistent with the provisions of Articles 17, 31 and 39 of the PIPL. If the foreign recipient transfers personal information of individuals to third parties, then the Standard Contract requires the personal information handler to inform the individual of such other recipients, the storage period after export, the place of storage, and other information as agreed in Appendix I).
In addition, due to the adoption of the “third-party beneficiary” mechanism (explained further in A12), the personal information handler is also required to inform the personal information subject that he/she is a third-party beneficiary under the Standard Contract (e.g. as part of a consent form).
[Q12] Is the personal information subject a party to the Standard Contract, and how to understand the concept of “third-party beneficiary”?
[A12] The concept of “third-party beneficiary” draws on the content the EU Standard Contractual Clauses for the Transfer of Personal Data to Third Countries, which endows the personal information subject corresponding rights under the Standard Contract. As a third-party beneficiary, the personal information subject is entitled to claim its personal information rights against one or both of the personal information handler and the foreign recipient.
[Q13] What rights does the personal information subject have?
[A13] The third-party beneficiary is entitled to the right to know and to make decisions on the processing of his/her personal information, the right to restrict or refuse processing of this personal information by others, the right to consult or copy this personal information, and the right to request the personal information handler to correct, supplement or delete the personal information or to explain the processing rules for this personal information. In addition, the third-party beneficiary is entitled to directly claim or demand performance of obligations in relation to personal information rights under the Standard Contract against one or both the personal information handler and the foreign recipient. In the event that the personal information handler or the foreign recipient fails to fulfill its contractual obligations, the third-party beneficiary may bring a lawsuit to a competent court in China in accordance with the Standard Contract and hold the above-mentioned parties liable for breach of contract.
[Q14] What contractual obligations does the personal information handler have under the Standard Contract?
[A14] The personal information handler shall perform the following obligations:
- Follow the principles of minimum and necessity when carrying out export of personal information;
- Fully fulfill the obligation of notification;
- Obtain separate consent from personal information subject with respect to the personal information to be exported; consent of the minor’s parents or any other guardians; and written consent;
- Upon request by the personal information subject, provide the subject a copy of the Standard Contract;
- Reasonably supervise the compliance of the foreign recipient;
- Provide the foreign recipient with copies of China’s laws and regulations and technical standards;
- Cooperate with the regulatory authority, accept inquiries and provide necessary information and audit results for fulfilling the Standard Contract;
- Carry out the personal information protection impact assessment (PIA) and keep this report on file;
- Assume a burden of proof for the compliant performance of obligations under the Standard Contract.
[Q15] What are the foreign recipient’s contractual obligations under the Standard Contract?
[A15] The foreign recipient shall fulfill the following obligations:
- Follow the principle of minimum and necessity;
- Process the personal information strictly within the agreed scope;
- In principle, not transfer the personal information to other foreign third parties unless the conditions elaborated in Q18 are satisfied;
- Take technical and managerial measures to ensure the security of personal information;
- Ensure that the relevant personnel perform their confidentiality obligations;
- Establish access control permissions of minimum authorization;
- Follow the principle of the shortest storage period;
- Fulfill the obligation to cooperate with the personal information handler;
- Establish an emergency response mechanism for security incidents;
- Upon request of the personal information subject, provide such subject a copy of the Standard Contract;
- Keep records of personal information processing activities;
- Agree to accept the supervision and management of the regulatory authority;
- Use automated decision-making under the condition of meeting the requirements thereof;
- Inform the personal information handler of the impact of its national laws and regulations and law enforcement activities on the performance of contractual obligations and the rights of the personal information subject in a timely manner.
[Q16] How do the personal information handler and the foreign recipient assume their liabilities to the personal information subject?
[A16] The personal information handler and the foreign recipient shall be jointly and severally liable to the personal information subject for any material or non-material damage caused thereto due to the breach of the Standard Contract. This means that foreign recipients of personal information from China have an interest to make sure that the Chinese personal information handler has obtained proper consent.
[Q17] What shall be assessed in the personal information protection impact assessment (PIA) referred to in the Standard Contract?
[A17] As part of the filing, every company must prepare a personal information protection impact assessment (PIA). In accordance with the Filing Guidance, this should include:
- Basic information about personal information to be exported: the type, quantity and sensitivity of personal information, the purpose and method of processing, the processing scope of the foreign recipient, etc.
- The legality, legitimacy and necessity of export of personal information;
- Risks of export: including to personal information rights and interests under normal circumstances, data security accidents, impact on personal rights and interests and the channels for safeguarding rights;
- Information of the foreign recipient: including managerial measures, technical measures and protection level of personal information taken by the foreign recipient and data security, protection obligations undertaken by the foreign recipient through the Standard Contract and other legal documents;
- Whether the legislation and regulation regarding personal information protection of the place where the foreign recipient is located will affect the foreign recipient’s performance of the Standard Contract.
The specific implementation framework of personal information protection impact assessment (PIA) shall be based on Annex V Personal Information Protection Impact Assessment Report (Template) of the Filing Guidance. We expect that this template is an important basis for determining whether an enterprise will be able to pass the filing examination of the Standard Contract.
[Q18] Under what conditions can the foreign recipient transfer personal information to any other foreign third party?
[A18] Upon satisfaction all the following conditions, the foreign recipient is permitted to transfer the personal information on to other foreign third parties:
- The transfer is necessary for business;
- Informed the personal information subject of the identity and contact information of the third party, the purpose and method of processing, the type of personal information, and the method and procedures for the personal information subject to exercise its rights, and the separate consent has been obtained (except as otherwise provided by laws and regulations);
- If any sensitive personal information is involved, has informed the personal information subject of the necessity of such transmission and its impact on the personal information subject. If it is difficult to inform the personal information subject or to obtain the separate consent, the foreign recipient shall inform the personal information handler in a timely manner and ask for its help to inform the personal information subject or to obtain the separate consent;
- A written agreement has been entered into by the foreign entity and the third party, so as to ensure that the protection level of personal information adopted by the third party is not lower than the protection standard stipulated by relevant laws and regulations in China;
- The foreign recipient will be jointly and severally liable for the damage that may be caused to the personal information subject due to such transfer; and
- Provide the personal information handler with a copy of the agreement entered into by the foreign recipient and the third party.
[Q19] What are the conditions and legal consequences of a Standard Contract’s termination?
[A19] Article 7 summarized the conditions for and legal consequences to termination of the Standard Contract:
- if the foreign recipient breaches its obligations thereunder, the personal information handler may suspend the transmission of personal information to the foreign recipient. If the suspension time exceeds 1 month, either party to the Standard Contract may terminate the Contract;
- If the foreign recipient’s compliance with the Standard Contract will violate the laws of the country or region where it is located, either party thereto may terminate the Contract;
- If the foreign recipient seriously or continuously breaches its obligations under the Standard Contract, the personal information handler may terminate the Contract;
- If, in accordance with the final decision made by the competent court or regulatory authority of the foreign recipient, the foreign recipient or personal information handler has breached its obligations under the Standard Contract, either party may terminate the Contract.
Upon termination, the foreign recipient shall return or delete the personal information it received under the Standard Contract, and shall provide a written statement to personal information handler.
[Q20] What methods of dispute resolution are stipulated in the Standard Contract?
[A20] The Standard Contract allows the parties to agree on either litigation or arbitration. Litigation shall be before the competent court in China: the personal information handler may only bring a lawsuit to the people’s court of the place where the Contract is performed, and the foreign recipient may bring a lawsuit to competent court of the place where the personal information handler is located or where the Contract is performed. Regarding arbitration, the Standard Contract allows the parties to submit their disputes to China International Economic and Trade Arbitration Commission, China Maritime Arbitration Commission, Beijing Arbitration Commission (Beijing International Arbitration Center) or any other arbitration institutions located in jurisdictions that are members of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards. This to ensure that that arbitral awards can be enforced in China.
R&P’s data privacy team advises companies on how to remain compliant with China’s data privacy laws and supports our clients with assessments and CAC filings. For more information on how we can support your business to be compliant, please reach out to [email protected] or [email protected], or to your usual contact at R&P.