The Cyberspace Administration of China (CAC) published new Guidelines for the filing of Standard Contracts for Exporting Personal Information (Guidelines) on 30 May 2023 – just two days before the Chinese Standard Contract for the Export of Personal Information (SC) was set to become effective on 1 June 2023.
In essence, the Guidelines echo the filing requirements set out in the Measures on Standard Contracts for the Export of Personal Information (SC Measures). They also provide an outline of the filing process that personal information processors (Data Controllers) are required to undertake under the SC Measures.
The SC Measures, which were first released by the CAC on 24 February 2023, define the scope of application of the SC and prohibit data controllers from dividing data exports into separate batches to circumvent the Security Assessment data export mechanism (for more detail, please see our previous Legal Update on China: The "Gold" Standard – Long-Anticipated Standard Contract under Personal Information Protection Law Finalised).
Under the SC Measures, data controllers are required to file the executed SC and a Personal Information Protection Impact Assessment (PIPIA) with the local CAC office within ten working days from the effective date of the executed SC.1 However, beyond those high-level requirements, the SC Measures lacked further detail as to the process and other documentary requirements. These gaps were addressed in some measure by the Guidelines, though some uncertainties still remain.
In this Legal Update, we look at some of the areas where the Guidelines have been instructive on the SC filing process.
Where to File/How to File
The Guidelines provide that the SC and other required documents are to be submitted to the local CAC office in the province where the data controllers are located by delivering the documents in written form together with an electronic version.2
The Guidelines clarify that data controllers should submit an “original” SC.3 This suggests that copies (or even electronically executed versions) of the SC may not be accepted, though the Guidelines do not provide formatting requirements regarding the execution of the SC and do not expressly address whether the use of electronic signatures will suffice.
Additional Documents to Be Filed
Notably, in addition to the executed SC and the completed PIPIA, the Guidelines further require data controllers to submit the following documents:4
- A photocopy of the Certificate with the Unified Social Credit Code (stamped with the company’s official seal);
- A photocopy of the legal representative's identification (ID) card (stamped with the company’s official seal);
- A photocopy of the ID card of the person in charge of the filing process (stamped with the company’s official seal);
- The signed power of attorney (the template is attached to the Guidelines as Annex 2);
- The signed letter of commitment (the template is attached to the Guidelines as Annex 3).
Note: This is the first time the aforementioned documents have been mentioned in an official document.
While the Guidelines shed more light on the additional documents data exporters need to submit, practical issues remain outstanding. For example, what certification documents should foreign companies with operations in China provide? Are there any other formality requirements for the required documents?
The Guidelines also provide a long-anticipated PIPIA template. The requirements under the template are substantially similar to the Privacy Impact Assessment requirements under the Security Assessment and the Certification data export mechanisms (see our previous Legal Update on the Security Assessment and Revised Certification Specification). However, we note the newly available PIPIA template also includes additional assessment matters, with a focus on personal information rather than national security, such as the collection and use of personal information in the business involved in the data exports, processing of sensitive personal information, and use of personal information for automated data processing.5
In practice, some companies have adopted a proactive strategy by leveraging and adapting existing resources such as Data Protection Impact Assessments or Transfer Impact Assessments conducted pursuant to the GDPR to fulfil the PIPIA requirements.
However, these documents would likely need to be fine-tuned and further adjusted in light of the template provided by the Guidelines.
Timeline and Results Feedback
The SC filing process will supposedly take up to 15 working days from submission, provided there are no deficiencies in the materials submitted, or no requirement for the data controller to supplement such materials.6
If the SC filing is accepted, the successful data controller applicant will receive a filing number, while an unsuccessful applicant will be required to address the deficiencies and resubmit the relevant documents within 10 working days upon receipt of the CAC’s notification.7
In terms of the re-filing requirement, the Guidelines remain entirely consistent with the SC Measures. Data controllers are required to re-execute the SC and file anew in the event of changes in certain circumstances8 (see our previous Legal Update on China: The "Gold" Standard – Long-Anticipated Standard Contract under Personal Information Protection Law Finalised).
The Guidelines bring a greater degree of clarity to the SC filing process, though there are still outstanding questions, such as whether electronic signatures will be accepted, or how the CAC – which has been ostensibly overwhelmed by the security assessments – will be able to meet its self-imposed 15 working day timeline.
Furthermore, little is known on the exact level of detail required by the CAC vis-à-vis the PIPIA for the SC, which on the surface appears to mirror most of the requirements of the privacy impact assessment for the stricter security assessment.
Given that failure to comply with the filing requirements will expose data controllers to potential legal liability and penalties under the Personal Information Protection Law – with financial penalties of up to RMB 50 million or 5% of the data controller’s annual revenue – companies that engage in data exports should start preparing the PIPIA and the other required documents, and update and finalise the SC as soon as possible to ensure compliance with the SC Measures and the Guidelines.
We expect the local CAC offices from the various provinces to provide more details on the SC in the coming months, so businesses with a presence in China should keep an eye out for developments.
The local Beijing CAC office (not to be confused with the central CAC that sits in Beijing) has since released guidance on 2 June 2023 in relation to SC filings (Beijing Guidance). The Beijing Guidance echoes many of the same points set out in the SC Measures and Guidelines, with the addition of the following points:
- Only data controllers with a separate legal personality may file an SC with the Beijing CAC, i.e. branch offices without separate legal personalities cannot file SCs with the Beijing CAC;
- The SC filing entity should be the same entity as the data exporting data controller, save for where a parent company may make the SC filing on behalf of its subsidiaries;
- The SC and relevant documents should be submitted electronically in PDF to [email protected] first – the hard copies of the filing documents should only be submitted to the Beijing CAC after the electronic submission has been examined and approved;
- The Beijing CAC will review the electronic submissions within ten working days, after which data controllers that have passed the examination will be required to send in the hard copy materials to the Beijing CAC, following which they will receive a filing number.
Based on the Beijing Guidance, it appears that the examination of the filing documents will take place after the electronic submission of the documents, and that the filing of the paper documents is merely a procedural formality.
Interestingly, the Beijing Guidance provides for an even shorter examination timeline than the Guidelines (10 working days in the Beijing Guidance versus 15 days in the Guidelines), though it is unclear why the Beijing Guidance has diverged from the Guidelines, and whether the other local CAC offices will follow suit.