Cross-border transfer of personal information (hereinafter referred to as "PI"¹ and the cross-border transfer of PI as "PI export") is a daily occurrence and business necessity for many companies operating in China, especially for multinational companies and domestic companies using ERP software provided by foreign operators with servers located abroad. With the continuous release of rules supporting the Personal Information Protection Law ("PIPL") on restrictions on PI export in China, PI export compliance is attracting increasing attention.

This series consists of four articles. The first article will introduce the development and framework of China's restrictions on PI export, and the next three articles will respectively introduce the three PI export mechanisms provided by the PIPL in detail, namely the compulsory notification mechanism (Security Assessment) and two self-management mechanisms (Standard Contract & Certification).

This is the third of the four articles and will review the PI export mechanism of Standard Contract under the Chinese PIPL from the perspective of local practitioners.

As introduced before, Standard Contract and Certification are options for companies in China to export PI only if the mandatory Security Assessment is not triggered. Unlike Security Assessment, these two self-management mechanisms have been established but have not been widely implemented in practice.

Among the three mechanisms, Standard Contract is the most welcome and widely adopted approach among companies in China. Eight months after the issue of the draft version, the CAC officially released the final version of the Measures for Standard Contract of Cross-border Transfer of Personal Information (《个人信息出境标准合同办法》 in Chinese, "SCC Measures") and the Standard Contract for Cross-border Transfer of Personal Information ("SCC") on February 24, 2023.

  1. How does the Chinese SCC differ from the EU SCC?

Major differences between the Chinese SCC and the EU SCC include:

  • Form: The Chinese SCC is a complete contract where PI handlers are only allowed to add clauses in the appendixes, while the EU SCC are clauses that can be freely included in the wider contract. The similarity is that neither China nor the EU allows adding clauses that conflict with the SCC.
  • Limitation on data volume: The Chinese SCC is not applicable to many MNCs since it is applicable only when all of the following conditions are met:
    1. the PI handler is NOT a CIIO;
    2. the PI handler has processed PI of LESS THAN 1 million individuals;
    3. the PI handler has NOT provided abroad PI of MORE THAN 100,000 individuals accumulatively since January 1st of last year; and
    4. the PI handler has NOT provided abroad sensitive PI of MORE THAN 10,000 individuals accumulatively since January 1st of last year.

The SCC Measures particularly emphasized that a PI handler shall not resort to quantity slicing or other means to provide overseas, by entering into a Chinese SCC, PI that is legally required to pass Security Assessment.

  • Limitation on contracting parties: The PIPL merely imposes restrictions on PI handlers' PI export, excluding PI processors' PI export. Correspondingly, the Chinese SCC has not specified the rules for the transfer from PI processors to overseas PI handlers/processors.
  • Filing requirement: The Chinese SCC must be filed for the record with the local CA at the provincial level, and the PIPIA report is required as an essential component of the filing materials.

  2. What is the relationship between the Chinese SCC and the binding legal documents required in Security Assessment or Certification?

For PI export, the Chinese SCC may be deemed as the binding legal documents as required in Security Assessment and Certification, although other documents such as internal management documents circulated in the group company may also be identified as such binding legal documents.

  3. What should be contained in the Chinese SCC?

In general, the Chinese SCC has nine articles covering five aspects: (1) the relevant definition and basic elements of the contract; (2) contractual obligations of the PI handler and the overseas recipient; (3) the impact of the PI protection policies and regulations of the country or region where the overseas recipient is located on the performance of the contract; (4) the rights and related remedies of the PI subject; and (5) the termination of the contract, liability for breach of contract, dispute resolution and other matters.

Meanwhile, two appendices are provided. One is for the basic information of the transfer of PI, such as the purpose, method of processing, the categories of PI to be exported, location of storage and retention period, etc., and the other is for other terms agreed upon by both parties. Notably, the terms of the Chinese SCC cannot be changed, and other terms that the PI handler may agree with the overseas recipient shall not conflict with the terms of the Chinese SCC either.

Unlike the EU SCCs, which have four types based on the roles of data provider and recipient, the Chinese SCC adopts a one-stop structure. This does not mean that the Chinese SCC ignores the issue altogether, since in the specific terms, the obligations of the "entrusted party" (which means data processor under the GDPR) are mentioned separately. For example, the consent of the PI handler shall be obtained when the entrusted party re-entrusts a third party (i.e. sub-processor) to process PI; and the obligations of reporting (to the authority) and notification (to PI subjects) shall be borne by the PI handler, rather than the entrusted party, when security incidents like a data breach occur.

Compared with the draft version, the final version adds an obligation of the overseas recipient, that is, the overseas recipient shall immediately notify the PI handler if it receives a request from a government department or judicial institution of the country or region where it is located regarding the provision of PI under the Chinese SCC.

  4. Shall the Chinese SCC be filed with the authority for records?

As prescribed in the SCC Measures, the PI handler shall, within 10 working days after the effective date of the Chinese SCC, file the SCC and the PIPIA report with the local provincial-level CA.

  5. When shall the Chinese SCC be re-signed?

The SCC Measures specifies in Article 8 that, if any of the following circumstances occurs during the validity period of the contract, a new PIPIA shall be conducted, and the Chinese SCC shall be re-concluded and filed with the authority:

  • changes in the purpose, scope, type, sensitivity, manner, and place of storage of PI provided abroad or in the use or manner of processing PI by the overseas recipient, or extension of the storage period of PI abroad;
  • changes in the policies and regulations on the protection of PI in the country or region where the overseas recipient is located, etc. that may affect the PI related rights and interests; or
  • any other circumstances that may affect the PI related rights and interests.

  6. What are the legal consequences for violations?

Pursuant to the SCC Measures, any violation of the SCC Measures shall be dealt with in accordance with the PIPL and other relevant laws and regulations; and if a crime is constituted, criminal liability shall be pursued accordingly.

Meanwhile, as a new provision in the final version, it is provided that if a CA at or above the provincial level finds that there is a greater risk in the PI export activities, or that a PI security incident has occurred, it may conduct an interview with the PI handler in accordance with the law. The PI handler shall then make rectifications.

Footnotes

1 Under the PIPL, PI is defined as any kind of information, electronically or otherwise recorded, related to an identified or identifiable natural person within the PRC, excluding anonymized information that cannot be used to identify a specific natural person and is not reversible after anonymization.
