On February 22, 2023, the Cyberspace Administration of China (hereinafter referred to as the “CAC”) issued the Measures on Standard Contract for Outbound Transfer of Personal Information (hereinafter referred to as the “Measures”), which will take effect on June 1, 2023.
In China, the basic rules governing the outbound transfer of personal information are set forth in the Personal Information Protection Law (hereinafter referred to as the “PIPL”), which took effect in November 2021. According to the PIPL, depending on the circumstances, the outbound transfer of personal information for business purposes can be carried out through one of the following methods: (1) the outbound security assessment organized by the CAC; (2) the certification of personal information protection by a specialized agency; and (3) the conclusion of a standard contract (hereinafter referred to as the “Standard Contract”) established by the CAC. For the purpose of applying the latter method, the Measures provide the rules and the template of the Standard Contract.
1. Who can transfer personal information abroad using the Standard Contract?
A company (the personal information processor, i.e. the “controller” in GDPR terminology) that meets the following conditions may transfer personal information abroad using the Standard Contract: (a) it is not a critical information infrastructure operator (“CIIO”, in particular in the fields of public communication and information, energy, transport, water management, finance, public services, e-government, etc.); (b) it processes the personal information of fewer than 1 million individuals; (c) it has cumulatively transferred abroad the personal information of fewer than 100,000 individuals since January 1 of the previous year; and (d) it has cumulatively transferred abroad the sensitive personal information of fewer than 10,000 individuals since January 1 of the previous year.
For critical information and processing of personal information exceeding the above thresholds, the company should conduct an outbound security assessment instead of using the Standard Contract.
2. To what extent should the Standard Contract be applied? Can the parties modify the terms and conditions of the Standard Contract?
The parties should conclude the Standard Contract by using the template provided by the Measures (adjustable by CAC), but they may agree on other terms and conditions, provided that such terms and conditions do not conflict with the Standard Contract. Such specially agreed terms and conditions shall be attached as Annex 2 to the Standard Contract.
3. What is the governing law and jurisdiction of the Standard Contract? Can the parties submit disputes thereunder to a foreign court or arbitration?
The applicable law is Chinese law. The parties may not submit the dispute to a foreign court, but they may select a foreign arbitration institution for dispute resolution provided that it is from a contracting country of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards.
4. What if the personal information laws, regulations, and policies of the place where the foreign recipient is located prevent the foreign recipient from performing the Standard Contract?
In the first instance, the parties shall ensure that they have exercised reasonable care at the time of the conclusion of the Standard Contract and that they are not aware of any policies or regulations on the protection of personal information in the country or region of the overseas recipient that would affect the overseas recipient’s performance of its obligations under the Standard Contract.
In addition, if a change in such laws, regulations and policies results in the recipient’s inability to perform the Standard Contract, the recipient shall promptly notify the transferor and the transferor shall have the right to suspend the transfer and terminate the Standard Contract.
5. Are there any additional formalities/measures imposed on either party in relation to the Standard Contract?
The Standard Contract, together with the assessment report on the impact on the protection of personal information, should be filed with the relevant cyberspace authority within ten working days of its effective date. The assessment report should focus on the legality, legitimacy, and necessity of the purpose, scope, and method of personal information processing; the scale, scope, type, and sensitivity of outbound personal information; risks; impact of foreign legislation, etc.
Moreover, the foreign recipient is subject to supervision by the Chinese regulatory authority during an enforcement procedure related to supervising the implementation of the Standard Contract, such as responding to inquiries and inspections by the authority, complying with the measures taken or decisions made by the authority, etc.
Meanwhile, the foreign recipient should designate a contact person who is authorized to respond to and deal with inquiries or complaints concerning the processing of personal information. The contact person and contact information (office phone number or email address) should be specified in the Standard Contract.
6. Can an individual (personal information subject) directly make a request to the foreign recipient to access, copy, correct, supplement, or delete his/her personal information, or to explain the processing rules?
Yes. The foreign recipient should process the request(s) within a reasonable time. If the foreign recipient refuses to comply, it should provide the reason for the refusal and the means of redress.
7. Can an individual sue the foreign recipient for a violation of his/her personal information in a Chinese court?
Yes. The individual, as a third-party beneficiary under the Standard Contract, has the right to sue either party in a Chinese court in accordance with Chinese law, and this would not affect the individual’s right to seek remedies under other laws and regulations. This means that the individual may commence parallel litigation/arbitration.
Companies have 6 months from the effective date of the Measures to rectify the existing outbound transfer of personal information that does not comply with the Standard Contract Measures. In view of this, it is advised that companies that are used to transferring personal information abroad (such as employees’ information for human resource management, and clients’ information for business development and operation) carry out a preliminary assessment of the scale, nature, and scenarios of the personal information transferred abroad to see whether the transfer falls within the scope of the Measures. If personal information is to be transferred among multiple affiliates, the transfer path among the parties and the contracting parties should be carefully structured and streamlined.
Meanwhile, companies should proceed with the assessment of the impact of personal information protection according to the Measures and prepare the report to be submitted to the CAC. In particular, laws and regulations, administrative and judicial practices concerning personal information protection of the country where the foreign recipient is located should be studied, and the impact, risk and pre-arranged plan of their changes should also be further assessed. This assessment is also advised to be accompanied by a dynamic updating system to ensure its applicability.
Most importantly, in order to comprehensively reduce legal barriers and risks, depending on the situation, the terms and conditions otherwise agreed by the parties as Annex 2 of the Standard Contract should be elaborated and, if necessary, confirmed with the authorities, so as not to be considered as contradicting the Standard Contract by the authorities at a later stage.