Protection of personal information, and specifically the transfer of personal information out of China, is one of the hottest issues in the field of data law. It is relevant to almost all foreign companies conducting business in China, as it may be inevitable that personal information collected by Chinese subsidiaries has to be passed to the foreign headquarters.
Following the implementation of the Personal Information Protection Law (“PIPL”) in 2021, which outlines the framework of requirements for outbound transfer of personal information from China, the Cyberspace Administration of China (“CAC”) has finally published the Measures for the Standard Contract for the Outbound Transfer of Personal Information (the “Measures”) along with the finalized version of the Standard Contract for the Outbound Transfer of Personal Information (the “Standard Contract”), which will take effect from June 2023.
In particular, the Standard Contract, which sets out the standard contractual clauses to be entered into between the data processor transferring personal information out of China and the overseas recipient receiving such personal information outside China, sheds light on the specific obligations of the parties. In this article, we will go through the must-know compliance requirements for outbound data transfer under the existing legal framework.
The Requirements on Outbound Transfer of Personal Information
Among the other more general requirements under the PIPL, it is specifically set out in Article 38 of the PIPL that at least one of the following conditions shall be met before personal information may be transferred out from China:-
1. To pass the security assessment organized by the CAC;
2. To obtain the personal information protection certification from a specialized institution approved by the CAC;
3. To enter into the Standard Contract with the overseas recipient; or
4. To meet other conditions provided in laws or administrative regulations or by the CAC.
It is further specified under Article 4 of the Measures for the Security Assessment of Outbound Data Transfer, which came into effect in September 2022, that the security assessment organized by the CAC (under No. 1 above) must be conducted in the following circumstances:-
(a) The data processor transfers important data out of China;
(b) The data processor which transfers personal information out of China is an operator of critical information infrastructure or has processed the personal information of over 1 million individuals;
(c) The data processor has transferred out of China the personal information of over 100,000 individuals or the sensitive personal information of over 10,000 individuals, cumulatively since January 1 of the previous year; and/or
(d) As required by the CAC.
However, how one may pass the security assessment organized by the CAC remains uncertain, and the implementation details for obtaining the personal information protection certification (under No. 2 above) are yet to be published. As such, unless the above circumstance(s) for security assessment is/are triggered, the Standard Contract (under No. 3) is generally considered the most practical way to fulfil the requirements on outbound transfer under Article 38 of the PIPL.
Main terms of the Standard Contract
It is expressly specified in the Measures that the Standard Contract shall be adopted in its entirety and without deviation. For example, by entering into the Standard Contract, the data processor and the overseas recipient agree to submit to supervision of their data processing activities by the relevant authorities in China. Further, the data subject, as a third-party beneficiary under the Standard Contract, may enforce his/her rights under the Standard Contract against the data processor and/or the overseas recipient by litigation in China.
On the other hand, the obligations of the data processor under the Standard Contract are generally in line with the requirements under the PIPL, and the same include:-
1. To inform the data subject of the name and contact of the overseas recipient, the processing purpose(s), processing method, type(s) of personal information to be transferred, retention period, and the method and procedures for the data subject to exercise his/her rights, etc.;
2. To obtain separate consent from the data subject for the outbound transfer; and
3. To conduct a personal information protection impact assessment to assess the impact of the intended transferring of the personal information to the overseas recipient, and to retain the assessment report for at least 3 years.
Further, it should be noted that even where the main data processing activities are outsourced to the overseas recipient, the data processor transferring such personal information abroad remains responsible for supervising the activities of the overseas recipient. It is further stipulated under the Standard Contract that the data processor undertakes:-
1. To use reasonable endeavours to ensure that the overseas recipient fulfils its obligations under the Standard Contract by adopting appropriate technical and management measures (e.g. encryption, anonymization, de-identification of the personal information, and access control to the personal information, etc.);
2. To respond to inquiries from the regulatory authorities regarding the personal information processing activities of the overseas recipient; and
3. To bear the burden of proof to prove that the obligations under the Standard Contract have been performed.
As for the overseas recipient, with the extra-territorial effect of the PIPL, the requirements on a data processor under the PIPL apply to it, and it is expressly obliged under the Standard Contract, among others:-
1. To obtain separate consent from the data subject if the agreed scope of the purpose(s) of processing, the manner of processing and the type(s) of personal information to be processed are to be exceeded, or if the personal information is to be further transferred to a third party;
2. To ensure safe processing of personal information by adopting appropriate technical and management measures, conducting regular checks, and restricting access to the personal information, etc.;
3. To take immediate remedial actions, notify the data processor and report to the regulatory authorities in China in case of tampering, destruction, leakage, loss, illegal use of, or unauthorized provision of or access to the personal information processed;
4. To keep records of the personal information processing activities and retain the records for at least 3 years; and
5. To promptly return or delete the personal information it has received from the data processor upon termination of the Standard Contract.
The Timeframe
The Measures and the Standard Contract will become effective on 1st June 2023, and after such effective date, in applicable cases as discussed above, the Standard Contract must be entered into between the data processor and the overseas recipient before any personal information is transferred out from China.
It is to be further stressed that, in addition to the adoption of the Standard Contract (which was previously considered to be a private agreement between the data processor in China and the data recipient overseas), the Measures specifically require that the data processor collecting data in China and transferring the same out of China shall make a recordation with the CAC within 10 working days from the effective date of the Standard Contract. Not only should the Standard Contract be recorded, the data processor shall also conduct the personal information protection impact assessment (the “PIPIA”), and the corresponding report shall be recorded together with the Standard Contract. Therefore, besides ensuring the adoption and execution of the finalized version of the Standard Contract with the overseas recipients, data processors shall also ensure that their PIPIA reports are ready to be submitted for recordation purposes by the requisite deadline.
On the other hand, a six-month grace period (i.e. until 1st December 2023) is provided for transfers that commenced before 1st June 2023, within which existing practices are to be rectified for compliance with the Measures and adoption of the Standard Contract. Data processors who wish to rely on the Standard Contract shall therefore immediately review their data transfer activities and the agreements entered into with overseas recipients, and bring the same into compliance within the grace period.
It is expected that further rules and guidelines on the implementation of the PIPL and related regulations, including the details for the recordation with the CAC will be published. We will closely monitor the same and keep you posted on any further developments.