On 22 February 2023, the Cyberspace Administration of China (“CAC”) released the long-awaited standard contract (“Standard Contract”) for personal information export and an accompanying regulation (“Regulation”), seven months after it published the first draft for consultation. The Regulation takes effect from 1 June and provides for a six-month rectification period.
In this article, we highlight the key provisions of the Standard Contract and the Regulation and set out our observations on the proposed measures. If you would like a copy of the English translation of the Standard Contract, please contact James Gong at [email protected].
Article 38 of the Personal Information Protection Law (“PIPL”) (for our comments on the PIPL, please click here) provides three routes for personal information processors (“PI Processors”) to export personal information (“PI”), namely:
- passing a governmental security assessment (“Governmental Assessment”) that is required for critical information infrastructure (“CII”) operators as well as organisations that process personal information reaching one of the three threshold amounts (“Thresholds”) specified by the CAC;
- attaining a PI protection certification (“Certification Regime”) by an institution accredited by the CAC; or
- entering into a Standard Contract with the overseas recipient.
The Governmental Assessment became the first route made available by the CAC, when it published the guidance for submission at the end of August 2022. Data Processors were given a six-month grace period to complete their submissions, which expired on 28 February 2023. (For our comments on the Governmental Assessment, please click here.)
In 2022, the National Information Security Standardization Technical Committee (“TC260”) also released and updated a guidance document for the Certification Regime (for our comments on the Certification Regime, please click here and here).
The CAC released the draft Standard Contract together with the draft Regulation in July 2022. Since then, there has been speculation as to when the CAC would put in place the last piece to complete the data export regulatory framework.
Looking at the three routes, most PI Processors do not reach the Thresholds and therefore are not eligible for the Governmental Assessment. The Certification Regime appears to be designed for intragroup PI transfer within large multinational companies or international organisations and has yet to open any channels for applications. As a result, the Standard Contract is expected to be the most used route for PI Processors.
Key Provisions and Observations
I. When to use the Standard Contract?
Under the PIPL, the PI Processor may consider using the Standard Contract as its route for exporting PI, only if the proposed export is not subject to the Governmental Assessment.
The Measures of Security Assessment for Data Export (“Security Assessment Measures”) identify the following circumstances in which the Governmental Assessment applies to data export:
- export of important data;
- export of personal information by CII operators;
- export of personal information by a data processor that processes personal information of 1,000,000 individuals or more;
- export by a data processor that from 1 January of last calendar year in aggregate exports (i) personal information of 100,000 individuals or more; or (ii) sensitive personal information of 10,000 individuals or more; and
- such other circumstances as specified by the CAC.
The Regulation confirms this position and further prohibits PI Processors from circumventing the requirements of the Governmental Assessment, for example by splitting the volume of data exported by one PI Processor amongst several PI Processors. The CAC fears that certain companies may try to avoid reaching the Thresholds by reducing the volume of personal information exported by a single entity. However, the Regulation does not specify how an intended circumvention is to be identified. Enforcement of this requirement may give rise to practical issues, for example whether a reasonable optimisation of the IT infrastructure within a group company constitutes an intended circumvention.
II. Who should sign the Standard Contract?
The Regulation refers to the exporter as the “PI Processor” in China, which is in line with the PIPL. Apparently, neither the PIPL nor the Regulation contemplates that exporters who are entrusted by the PI Processor with processing PI (“Entrusted Party”) will qualify as an exporter able to sign the Standard Contract. The Security Assessment Measures take a similar position that only a PI Processor is eligible to apply for the Governmental Assessment, although in practice the CAC in certain circumstances will allow an Entrusted Party to apply. It is not clear whether the CAC intends the Entrusted Parties to be exempted from the Regulation.
On the other hand, a data importer is defined as an organisation or individual located outside China, who receives PI from a PI processor. The Standard Contract seems to indicate that the data importer can be either a PI processor or an Entrusted Party.
In summary, the Standard Contract can be used by a PI Processor to export personal information to a data importer that is either a PI Processor or an Entrusted Party. In comparison, the standard contractual clauses (“SCCs”) under the GDPR provide for four modules to cater to the different roles of the exporters and importers as a controller or a processor in the data processing activities.
What is not clear is which party will be the appropriate signatory to the Standard Contract when more than two parties are involved in the data export activities. For instance, when a PI Processor exports personal information via an Entrusted Party in China, or when a PI Processor receives personal information via an Entrusted Party outside China, the parties may disagree as to who should sign the Standard Contract.
III. Personal Information Protection Impact Assessment (“PIPIA”) and Transfer Impact Assessment (“TIA”)
The PIPL requires a PI Processor to conduct a PIPIA for, amongst others, exporting PI and to keep a record of it. The Regulation further provides for key aspects that a PIPIA for data export must cover, including:
- the legality, legitimacy and necessity of the purpose, scope and means of the processing by the data exporters and the data importers;
- the scale, scope, types and sensitivity of the PI to be exported and the risks to the PI rights and interests of individuals;
- the obligations of the importers and whether their organisational and technical measures and capability can ensure security of the PI to be exported;
- the risks of the PI being altered without authorisation, destroyed, leaked, lost or illegally used, and the effectiveness of the channels for individuals to exercise their rights to PI;
- the impact of the PI protection policies, laws and regulations of the country or region where the data importers are located upon the performance of the Standard Contract; and
- other matters that may impact security of PI export.
So far, the authorities have not published any guidelines on how to conduct the PIPIA. The TC260 published recommended national standards on conducting a personal information security impact assessment in 2020, but with the PIPL coming into effect in 2021 these standards will need to be updated if they are to apply to the PIPIA.
The concept of a TIA originates from the European Court of Justice in its Schrems II decision, where a data exporter is required to, with the assistance of the importer, (i) verify whether the law of the third country of destination ensures adequate protection (under the EU law) for PI being transferred pursuant to the SCCs; and (ii) provide additional safeguards to those offered by the clauses if the protection is not adequate.
Under the Regulation, the PIPIA will also include an assessment of the impact of the PI protection policies, laws and regulations of the country or region where the data importer is located upon the performance of the Standard Contract.
Clause 4 of the Standard Contract requires the data exporters and importers to warrant that:
- they are not aware of any PI protection policies, laws or regulations of the country where the data importers are located which will prevent the data importers from performing the Standard Contract, including any requirement to provide PI to, or grant authorisation of access to PI to, the public authorities; and
- in giving the warranty in the preceding item, they have taken into account the following:
  - the details of the export and the track record of the importers in data export activities, such as whether the importers have received any requests from public authorities to provide PI and, if so, how the importers responded to the requests;
  - the key factors of the PI protection policies, laws and regulations of the country or region where the data importers are located, including:
    - the PI protection laws, regulations and applicable standards;
    - the regional or global PI protection organisations such country or region has joined and the undertakings it has given; and
    - the mechanism for implementing PI protection, e.g. whether there are PI protection supervisory authorities and relevant judicial bodies; and
  - the security management system and technical security capability of the data importers.
The data importers must represent that they have used their best efforts to provide the necessary information to the data exporters. Both the data exporters and importers must record the assessment process and results in writing, which gives rise to a formal contractual obligation to conduct a TIA.
The requirements for a TIA under the GDPR and the Regulation are similar, except that in China the TIA is part of the PIPIA for data export. The exporters are expected to file the signed Standard Contract and the PIPIA report with the provincial level CAC within ten business days of the Standard Contract taking effect.
IV. Third-party beneficiary
The Standard Contract requires data exporters to undertake to notify the individuals who have been made third-party beneficiaries; those individuals are entitled to the associated legal rights unless they expressly refuse within 30 days of being notified. The data exporters will now need to make sure that their privacy notice includes information on third-party beneficiaries and the contact details via which individuals can express their objection.
In addition, as third-party beneficiaries, individuals are given the right to enforce the obligations of the data exporters and importers under the Standard Contract. In particular:
- Individuals have rights under the PIPL and other relevant laws, such as the right to information, right to restrict or refuse processing, etc;
- Individuals may request the data exporters (with the assistance of the importers) or the data importers to take actions to respect the exercise of the rights referred to above;
- Data importers must respect and realise the rights exercised by the individuals within a reasonable time period and notify the individuals of the relevant information in a conspicuous and clear manner; and
- Individuals have the right to request either the exporters or the importers to perform any obligations relevant to their PI rights under the Standard Contract.
To enforce their rights in a dispute with the data exporters or the importers, individuals may elect to (i) file a complaint with the supervisory authority, or (ii) lodge a lawsuit against the parties to the Standard Contract in accordance with Chinese laws. Individuals can claim damages from the party that has infringed the rights of the individuals based on a breach of the Standard Contract.
Where the individuals choose to bring a lawsuit against the parties to the Standard Contract, the court of competent jurisdiction will be determined by Chinese civil procedure laws. Enforcement of a Chinese court judgement may be difficult outside China, and the exporters are jointly and severally liable for losses caused to the individuals by the data importers under the Standard Contract. As such, individuals may be more likely to bring civil actions against the data exporters.
V. Onward transfers by data importers
Data importers are not permitted to provide the PI to a third party located outside China unless the data importers have:
- genuine business needs;
- notified individuals of the details of the transfers and, where sensitive personal information is provided, necessity of the transfer and its impact on the rights and interests of individuals;
- obtained separate consent from the individuals or their guardians (in the case of a child), if the processing is based upon consent;
- entered into a written agreement with the third party to ensure that the protection level of the third party is no lower than that under Chinese laws and regulations and agreed to be liable for any harm to the individuals; and
- provided a copy of the written agreement to the individuals, which may be redacted to protect confidential information.
The PIPL uses the word “provide” to indicate sharing of PI by a PI Processor with another PI Processor. If “provide” has the same meaning in the Standard Contract, both the data importer and the third party receiving the PI in an onward transfer should be PI Processors.
The Standard Contract requires the data importer that is an Entrusted Party of the data exporter to obtain consent of the data exporter before sub-entrusting a third party for processing. It appears that the Standard Contract imposes different obligations on data importers who are separate PI Processors and those who are the Entrusted Parties of the data exporter.
VI. Other notable provisions
Reporting obligations of data importers
In the event of a data breach, data importers are obliged to not only notify the data exporters but also the supervisory authority of China in accordance with Chinese laws. Individuals must also be notified where required by applicable laws and regulations.
The Standard Contract has extended the reporting obligations under Chinese law to the data importers irrespective of whether the data importers are subject to any extraterritorial effect of the laws.
Arbitration as dispute resolution
The Standard Contract allows the parties to settle their disputes by arbitration, with the ability to agree on the arbitration institution and venue. The parties may choose an arbitration institution of a country that is a party to the Convention on the Recognition and Enforcement of Foreign Arbitral Awards, which opens the possibility of the dispute being heard by a foreign arbitration institution.
Data exporters’ right to information
Data importers are obliged under the Standard Contract to provide necessary information to the data exporters to prove the data importers’ compliance with the Standard Contract, including allowing the data exporters to access relevant documents or to audit the relevant data processing activities. In practice, the parties may wish to further define the scope of the data exporters’ right to information to avoid any potential dispute.
The Standard Contract requires both the exporters and the importers to obtain a separate consent only when the legal basis of the processing is consent. This new provision in the Standard Contract seems to support the view that a PI Processor should be exempted from the obligation to obtain separate consent if its processing is not based upon consent, which is good news for PI Processors. The Standard Contract itself lacks the legal authority of a regulation, but it still provides PI Processors with a stronger legal argument when they opt not to obtain a separate consent for processing that is based on legal grounds other than consent.
The Standard Contract and the Regulation complete the Chinese regulatory framework for PI export. Whilst the Standard Contract in China bears many similarities to the SCCs under the GDPR, the data importers and exporters are required to sign the Standard Contract in the form released by the CAC without any changes, and any additional terms must not contradict the Standard Contract.
PI Processors in China are recommended to take the following actions to ensure compliance with the Standard Contract and Regulation:
- Identify the PI export data flows and the importers;
- Amend existing cross-border data transfer documents to reflect the changes;
- Notify and discuss with the importers about signing the Standard Contract;
- Conduct the PIPIA in relation to the PI export and remediate any gaps and risks identified;
- Execute the Standard Contract; and
- File the PIPIA report and the signed Standard Contract with the CAC.