Written by Mr. Charles Feng, IP Expert and collaborator of the China IP SME Helpdesk
On 24 February 2023, the Cyberspace Administration of China ("CAC") published the Measures for the Standard Contract for Outbound Transfer of Personal Information (hereinafter referred to as the "Measures") and its annex, the Standard Contract for Outbound Transfer of Personal Information (hereinafter referred to as the "Standard Contract"), which will be implemented from June 1, 2023. The Measures were issued after the issuance of the Security Assessment Measures for Outbound Data Transfers in September 2022. Together with security assessment and personal information protection certification, the Measures will be one of the three major approaches for the outbound transfer of personal information ("PI").
In comparison with the two other routes, namely security assessment and security certification, the Standard Contract route for outbound transfer of personal information costs less and is easier to operate, making it the most cost-effective approach for enterprises that need to conduct cross-border personal information transfers but not in the large amount as required by CAC, namely . In conjunction with the newly promulgated Measures and the Standard Contract, there are the following key points that enterprises need to focus on in their compliance work for cross-border personal information transfer.
I. Specialty of the Standard Contract
1. Contract of Strict Format
In comparison to previous drafts of Measures and Standard Contract for public comments, the official version of the Standard Contract further restricted the autonomy of will. The domestic personal information processor and the overseas recipient must sign and perform in strict accordance with the terms provided by the CAC. In addition, only CAC is authorized to amend and modify the Standard Contract. The Standard Contract of the Measures is complete and specific, covering various aspects including basic information, obligations of personal information processors and overseas recipients, rights and obligations of subjects of personal information, the relationship between laws and regulations of the receiving place and the performance of the Standard Contract, remedies and liability for breach of contract. In addition, the Measures clearly stipulate that enterprises must not make additional agreements or any other forms of documents that are in conflict with the terms of the Standard Contract that has been established.
2. Recordation of the Standard Contract
According to the Measures, personal information processors are required to file a recordal of the Standard Contract with the provincial-level cyberspace administration where they are located, within 10 working days from the effective date of the Standard Contract. In comparison to the Security Assessment, the Standard Contract route allows more preparation time and involves simpler administrative procedures. For enterprises that meet the conditions for applying the Standard Contract, this path will be substantially more convenient and flexible.
3. Protection of Rights of the Owner of Personal Information
The Standard Contract embodies the rights and obligations of three parties, namely, the domestic personal information processor, the overseas recipient and the owner of personal information. The establishment and implementation of the Standard Contract between the domestic personal information processor and the overseas recipient as the contracting parties will have a direct impact on the rights of the owner of personal information. The Standard Contract names the owner of personal information as a beneficiary, authorizes the owner of personal information to sue the personal information processor and the overseas recipient directly, and facilitates litigation and remedies for the owner of personal information through joint and several liability clauses if infringement occurs.
II. Application for the Transfer via Standard Contract Route
According to Article 4 of the Measures, any personal information processor transferring personal information overseas by entering into the Standard Contract shall meet all of the following conditions:
- It is not a critical information infrastructure operator;
- It processes the personal information of less than 1 million individuals;
- It has cumulatively transferred abroad the personal information of less than 100,000 individuals since January 1 of the previous year; and
- It has cumulatively transferred abroad the sensitive personal information of less than 10,000 individuals since January 1 of the previous year.
In comparison to the approach of the Security Assessment Measures for Outbound Data Transfers, CAC has clearly delineated the application of the two mechanisms in terms of the specific identity of the data processor and the level of personal information processed. This gives enterprises a clear reference for determining which path applies to them, based on their own identity and the specific circumstances of their cross-border data transfer, and makes the choice of path easier.
In general, we note that the Standard Contract may apply to small-scale personal information processors and to personal information processors that are not operators of critical information facilities, which have a much larger impact on the public interest. Personal information processors that fall within the scope of application of the Security Assessment Measures for Outbound Data Transfers should submit the security assessment application to the cyberspace administration in accordance with the law, and are not allowed to take the Standard Contract approach by splitting the information and transferring it in multiple batches.
The Measures will apply to the transfer of personal information of employees between the headquarters and branches of multinational companies inside and outside China, as well as to transfers via third-party Chinese service providers.
III. Process of Establishment of Standard Contract
If an enterprise's cross-border personal information transfer falls within the scope of the Standard Contract under the Measures, the general process for the personal information processor to enter into a Standard Contract is as follows:
- Conduct a personal information protection impact assessment;
- Conclude the contract in accordance with the Standard Contract;
- File a recordal to the provincial cyberspace administration;
- Submit materials including the Standard Contract and the result of the personal information protection impact assessment;
- Receive feedback from the cyberspace administration on possible supplementation, re-establishment of the Standard Contract or completion of the recordal.
IV. Assessment of Impact for Personal Information Protection
The Measures require that the operator conduct an Assessment of Impact against Personal Information Protection ("AIPIP") before conducting the cross-border transfer. The factors that shall be evaluated include the following:
(1) Legality and necessity of the purpose, scope and method of the personal information processing by the personal information processor and the overseas recipient;
(2) Volume, scope, category, and sensitivity of personal information to be transferred abroad, and the risks to the personal information rights and interests that may be caused by the cross-border personal information transfer;
(3) Obligations that the overseas recipient promises to undertake, and whether the management, technical measures and capabilities of the overseas recipient to perform the obligations can ensure the security of the personal information to be transferred;
(4) Risk of tampering, damage, leakage, loss and abuse of personal information after its transfer, and whether the channels for individuals to exercise their personal information rights and interests are accessible and smooth;
(5) Impact of policies and regulations for the protection of personal information and performance of the Standard Contract in the jurisdiction where the overseas recipient is located; and
(6) Other factors that may affect the security of cross-border personal information transfer.
V. Application of the Standard Contract
Enterprises shall enter into contracts for cross-border personal information transfer strictly in accordance with the Standard Contract provided in the Annex to the Measures, which stipulates that the personal information processor may agree on other terms with the overseas recipient, provided that they do not conflict with the Standard Contract.
In addition, if the Standard Contract conflicts with other legal documents entered into by the parties, the terms of the Standard Contract shall prevail. Data processors therefore need to check the relevant overseas legislation and regulations, as well as the contracts previously entered into with overseas recipients, for any conflicts, and make amendments accordingly.
If the circumstances specified in Article 8 of the Measures change during the performance of the Standard Contract, the processor is required to re-conduct the personal information protection impact assessment, supplement or re-conclude the Standard Contract and re-file the recordal with the cyberspace administration.
VI. Important time points
Within 10 working days from the effective date of the Standard Contract, processors shall file a recordal with the provincial cyberspace administration where they are located.
The Measures are widely regarded as an important regulation for cross-border personal information transfer, which significantly strengthens the protection of personal information. The Standard Contract system will also help to unify the application of national standards across different administrative organs.
During the preparatory period from now on, processors engaged in cross-border personal information transfer may want to develop corresponding compliance systems in a timely manner, complete the assessment and rectification, and complete the recordation, in order to ensure that their relevant business continues to run smoothly, prevent risks and avoid information security incidents.
Intro of Author
Mr. Feng is an Expert of the EU SME Helpdesk in China, and Director of the International Business Department and a Senior Partner of Tahota (Beijing) Law Firm. Mr. Feng is a reputable IP and cyber law expert with substantial experience in intellectual property law, data protection law and anti-trust law with a reputable international law firm and Chinese law firms, focusing on IP litigation, enforcement, trademark and patent portfolio management, as well as cyber law related legal matters. Mr. Feng has represented numerous foreign clients from the US, EU and Japan at various levels of courts as well as administrative organs in China. Mr. Feng is particularly experienced in addressing clients' commercial needs in the areas of IP litigation, arbitration and prosecution, including patent, copyright, trademark, domain names, unfair competition and trade secrets. In addition to his work in the courtrooms, he has been involved in IP transactional work, including the drafting, negotiation and enforcement of IP assignment or licensing agreements. Mr. Feng and his team have also represented a number of multinationals in dealing with their legal matters in relation to cyber security, privacy and data protection.
E: Charlesfeng[at]tahota[dot]com
- Publication date: 24 April 2023 (Last updated on: 24 April 2023)
- European Innovation Council and SMEs Executive Agency
- Executive Agency for Small and Medium-sized Enterprises