On February 24, 2023, the Cyberspace Administration of China (“CAC”) released its final version of the Standard Contract Measures for Exporting Personal Information (“Standard Contract Measures”), accompanied by a template contract outlining the standard contractual clauses (the “PIPL SCCs”). The Standard Contract Measures take effect June 1, 2023; however, organizations that were already transferring personal information outside of China prior to June 1, 2023 will have a six-month grace period to come into compliance with the Standard Contract Measures and to enter into the PIPL SCCs with the overseas recipient.
By way of background, Article 38 of China’s Personal Information Protection Law (“PIPL”) outlines three adequate cross-border transfer mechanisms for sending personal information of Chinese individuals outside of China: (1) passing a security assessment organized by the CAC, (2) obtaining a certificate from a CAC-recognized professional organization, or (3) entering into standard contractual clauses (the “PIPL SCCs”). The Standard Contract Measures and PIPL SCCs provide much-needed clarity for companies intending to rely on the PIPL SCCs for cross-border data transfers, and we highlight some of the key requirements of the Standard Contract Measures and contractual terms of the PIPL SCCs below.
Who can enter into the PIPL SCCs? Personal Information Processors (a term defined similarly to the “data controller” under the EU’s General Data Protection Regulation (“GDPR”)) that meet all of the following conditions:
- The data exporter is not a “Critical Information Infrastructure Operator,” a term broadly defined to cover businesses in the financial, energy, telecom, public utility, healthcare and transportation sectors, as well as other entities that are important to China’s national security and welfare;
- The data exporter processes personal information of less than one million data subjects;
- The data exporter has not transferred personal information of more than 100,000 data subjects (in the aggregate) since January 1st of the preceding year; and
- The data exporter has not transferred sensitive personal information (e.g., biometric information, religion, medical information, financial information) of more than 10,000 data subjects (in the aggregate) since January 1st of the preceding year.
Personal Information Processors that do not meet the above conditions must pass a security assessment by the CAC (the first approved transfer mechanism specified above) prior to transferring personal information outside of China. Article 4 of the Standard Contract Measures explicitly prohibits dividing the volume of personal information into smaller subsets to avoid the CAC’s security assessment.
Notably, unlike the GDPR standard contractual clauses (“GDPR SCCs”), which offer four different standard contract modules (controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller), the CAC has taken a “one-size-fits-all” approach, offering only one module. This may prove difficult, particularly for China-based Entrusted Parties (which are similar to “data processors” under the GDPR), which are explicitly not able to use the PIPL SCCs to transfer personal information overseas.
Key terms in PIPL SCCs. The PIPL SCCs are similar to the GDPR’s SCCs and outline certain requirements of both the Personal Information Processor and the overseas recipient.
- The Personal Information Processor’s obligations, outlined in Article 2 of the PIPL SCCs, include the following non-exhaustive requirements:
  - Notify data subjects of the details of the cross-border transfer (such as the purpose of the transfer, the retention period, and how data subjects may exercise certain rights);
  - Obtain a separate consent from the data subjects if the cross-border transfer relies on consent as the legal basis for processing;
  - Notify data subjects that they are third-party beneficiaries to the PIPL SCCs (a notable difference from the GDPR SCCs);
  - Use reasonable efforts to ensure the overseas recipient maintains technical security measures to protect the personal information;
  - Respond to inquiries from the CAC relating to the cross-border transfer; and
  - Conduct a personal information protection impact assessment (“PIPIA”), which must be retained for at least three years.
- The obligations for overseas recipients (which may be a Personal Information Processor or an Entrusted Party) are outlined in Article 3 of the PIPL SCCs, and include the following non-exhaustive requirements:
  - Personal information may only be processed for the purposes specified within the PIPL SCCs or pursuant to the consent obtained from the data subject;
  - Personal information must be deleted after the specified retention period expires (as noted in the relevant contract between the parties);
  - Implement and maintain technical security measures and access controls to protect personal information;
  - In the event of a data breach (as summarized in more detail in the Regulations on the Management of Online Data Security), notify the Personal Information Processor, data subjects (when required), and Chinese regulators;
  - Onward transfers of personal information are permitted only if certain conditions are met, including notifying the data subjects of the onward transfer; and
  - Accept supervision by the CAC, including cooperation with inquiries, inspections, and decisions. A noteworthy addition to the final version of the PIPL SCCs requires overseas recipients to immediately inform the Personal Information Processor/data exporter if they receive a request from local non-Chinese authorities to disclose the transferred personal information.
Lack of flexibility in PIPL SCCs. The Personal Information Processor and overseas recipient must enter into the PIPL SCCs as is; the PIPL SCCs cannot be revised or customized. The parties may enter into a separate related agreement, but its terms may not conflict with the PIPL SCCs. While there are clear disadvantages to being unable to adjust the contract terms in certain circumstances, the lack of flexibility may also present certain advantages, as companies will not need to expend significant time and resources negotiating the contract terms and creating one-off adjustments for specific contracts.
PIPIA. In addition to entering into the PIPL SCCs, Personal Information Processors must perform and document a PIPIA (similar to the GDPR’s data protection impact assessment requirement) prior to transferring personal information outside of China. The PIPIA must consider multiple factors, including:
- The legality, legitimacy, and necessity of the cross-border data transfer and the purpose, scope, and method of processing;
- The volume, scope, type, and sensitivity of the personal information being exported abroad, and the risks to the data subjects’ rights and interests;
- The technical measures implemented and maintained by the overseas recipient to protect the personal information;
- The risks that personal information may be compromised (destroyed, leaked, lost, etc.) and data subjects’ available remedies;
- The enforceability of the PIPL SCCs based on the data protection laws and policies of the foreign country where the recipient resides; and
- Other matters that may affect the cross-border data transfer.
The Personal Information Processor must conduct a follow-up PIPIA if (1) the purpose, scope, type of personal information, method of processing, or storage location changes, (2) the laws or policies of the data recipient’s country or region change, or (3) other circumstances arise that may impact the rights and interests of data subjects and their personal information.
Filing requirement. Within 10 business days following the execution of the PIPL SCCs, a Personal Information Processor must file the PIPL SCCs and a PIPIA report with provincial branches of the CAC.
Moving forward, Personal Information Processors intending to rely on the PIPL SCCs for cross-border data transfers appear to have a considerable amount of work to complete prior to June 1, 2023, including conducting (and documenting) due diligence on the overseas recipient, preparing and compiling documentation for the PIPIA, sending notifications to the data subjects about the intended cross-border data transfer, executing the PIPL SCCs, and filing the PIPL SCCs and PIPIA report with the CAC. Organizations operating in China and intending to leverage the PIPL SCCs as the adequate transfer mechanism for cross-border data transfers will need to move swiftly to ensure compliance with the Standard Contract Measures and PIPL SCCs and to avoid potentially significant fines (up to RMB50 million or 5% of the previous year’s turnover) from active Chinese regulators.