On 24 February 2023, the Cyberspace Administration of China (“CAC”) issued measures containing a standard contract template for cross-border transfers of personal information, together with detailed guidelines, including a required impact assessment and a filing requirement for transfers of personal information from China to other countries.
These measures come into effect on 1 June 2023 and are highly relevant for multinational companies with a presence in China.
1 Processing and cross-border transfer of personal information in China
China’s data privacy law, the Personal Information Protection Law (“PIPL”), entered into force on 1 November 2021 and, among other things, regulates cross-border transfers of personal information.
On 24 February 2023, CAC issued the “Circular on the Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Information” (“Measures”), together with an enclosed standard contract template to be used for cross-border transfers in the scenarios where it applies.
2 Standard contract as legal basis for transfers
Pursuant to the Measures, a personal information processor may rely on the standard contract only if it meets all four of the following requirements:
- The personal information processor is not a critical information infrastructure operator (often referred to as a “CIIO”);
- The personal information processor handles personal information of fewer than one million individuals;
- The personal information processor has transferred personal information of fewer than 100,000 individuals, in aggregate, to overseas recipients since 1 January of the previous calendar year; and
- The personal information processor has transferred sensitive personal information of fewer than 10,000 individuals, in aggregate, to overseas recipients since 1 January of the previous calendar year.
Personal information processors that do not meet all of the above requirements must rely on another legal basis for the cross-border transfer, such as passing the CAC security assessment for outbound data transfers or obtaining personal information protection certification from a professional institution, as provided for in article 38 of the PIPL.
Pursuant to the template standard contract enclosed with the Measures, the standard contract must set out basic information on the personal information processor and the overseas recipient, as well as the purpose, scope, type, sensitivity and quantity of the personal information to be transferred, the method of transfer, the retention period, the storage location, and other particulars of the transfer.
3 Requirement for personal information protection impact assessment
In addition to the standard contract, the personal information processor transferring personal information out of China must also conduct a “personal information protection impact assessment” (“PIPIA”), cf. the Measures, article 5. A PIPIA must cover the following:
- the legality, legitimacy and necessity of the purpose, scope and method of the processing of personal information by the personal information processor and by the overseas recipient;
- the quantity, scope, type and sensitivity of the personal information to be transferred overseas, and the risks that the cross-border transfer may pose to the rights and interests of the individuals concerned;
- the obligations that the overseas recipient undertakes, and whether its management measures, technical measures and capabilities for fulfilling those obligations are sufficient to ensure the security of the transferred personal information;
- the risk that the personal information, once transferred abroad, is tampered with, destroyed, leaked, lost or used unlawfully, and whether individuals have an effective channel for protecting their rights and interests in their personal information;
- the impact of the personal information protection policies and regulations of the country or region of the overseas recipient on the performance of the standard contract; and
- other matters that may affect the security of the personal information to be transferred overseas.
4 Filing requirement
Once the standard contract has been executed and the PIPIA has been completed, the personal information processor in China is required to file both documents with the provincial-level CAC of the place where the personal information processor is located. The filing must be made within 10 working days from the effective date of the standard contract.
It is worth noting that this applies regardless of whether the overseas recipient is another company within the processor’s own group or an external third-party provider outside of China: the personal information processor in China needs to enter into a separate standard contract and prepare a separate impact assessment report for each overseas recipient.
5 Key take-away
With the announcement of the Measures and the standard contract template, all companies transferring personal information out of China face a new set of detailed requirements that they must adhere to from 1 June 2023. In particular, preparing for the conclusion of standard contracts and conducting PIPIAs in accordance with the Measures can be challenging.
It is therefore our recommendation that companies initiate these processes as soon as possible, so that their cross-border transfers of personal information do not end up in breach of the PIPL. Under article 66 of the PIPL, serious non-compliance may lead to fines of between RMB 100,000 and RMB 1,000,000 for the persons directly in charge or otherwise directly liable for the violation, fines of up to RMB 50,000,000 or 5% of the previous year’s turnover for the company, and suspension of business or revocation of the relevant business permits or business licence in China.
Content provided by SwedCham Gold Partner: Wikborg Rein
If you have any questions, please contact:
Xiaomin Qu at: firstname.lastname@example.org