One of the legal bases for a personal information processor to export personal information is to execute a contract with an overseas recipient based on a standard contract enacted by the Cyberspace Administration of China (“CAC”) according to the Personal Information Protection Law of the People’s Republic of China. On February 22, 2023, CAC issued the Regulations on Standard Contract for Cross-border Personal Information Transfer (“Regulations”) with a standard contract attached, which will come into force on June 1, 2023, aiming to better protect personal information by specifying procedures and requirements for exporting personal information overseas.
1. Conditions to Use Standard Contract
A personal information processor may transfer personal information across borders by executing a standard contract only when all of the following conditions are met:
- It is not a critical information infrastructure operator;
- It processes not more than one million individuals’ personal information;
- It has accumulatively transferred abroad personal information of not more than 100,000 individuals since January 1 of the preceding year; and
- It has accumulatively transferred abroad sensitive personal information of not more than 10,000 individuals since January 1 of the preceding year.
The Regulations expressly prohibit processors from circumventing the mandatory CAC-led security review by splitting the volume of personal information and executing standard contracts.
2. Prior Impact Assessment
Processors should conduct a personal information protection impact assessment prior to cross-border transfer of personal information, focusing on the following:
- whether the purpose, scope and means of personal information processing of the processor and the overseas recipient are lawful, fair and necessary;
- the volume, scope, categories and sensitivity of personal information to be transferred abroad, and risks to legitimate rights and interests of individuals;
- obligations that the overseas recipient undertakes to perform; whether managerial and technical measures and capability for performing such obligations can ensure the security of personal information to be transferred abroad;
- risks of personal information falsification, damage, leakage, loss or abuse after cross-border transfer; whether individuals may easily defend their rights and interests with respect to their personal information;
- the impact on the performance of the standard contract by the personal information protection policies and laws in the country/region of the overseas recipient; and
- other matters that may affect the security of personal information transferred abroad.
3. Standard Contract
The Regulations require processors to enter into their standard contracts strictly in accordance with the one released by CAC. Processors are free to add their own discretionary clauses, provided that these do not conflict with the standard contract clauses.
The Regulations further underscore that processors shall not transfer personal information abroad unless and until the standard contract has become effective.
The standard contract released by CAC mainly includes the following:
- basic information of the personal information processor and the overseas recipient, including but not limited to name, address, name and contact information of contact person, etc.;
- description of personal information cross-border transfer, including the processing purpose, means of processing, quantity, types, storage period, storage place, etc. of personal information to be transferred abroad;
- obligations that the personal information processor and the overseas recipient undertake to perform for protecting personal information, as well as the technical and managerial measures adopted to prevent the possible security risks arising from the cross-border transfer of personal information;
- impact on the performance of the terms of the standard contract by the personal information protection policies and laws in the country or region where the overseas recipient is located;
- rights of personal information subjects, as well as approaches and means to safeguard the rights of personal information subjects;
- remedy, contract termination, liability for breach of contract and dispute resolution, etc.
4. Filing with CAC
Personal information processors should file the standard contract together with the personal information protection impact assessment report with the provincial-level cyberspace administration within 10 working days from the date when the standard contract takes effect.
The Regulations require personal information processors to re-conduct an impact assessment, re-sign a standard contract and make a new filing in the event of any of the following circumstances during the term of the standard contract:
- changes to the purpose, scope, categories, sensitivity, means, storage place of the cross-border personal information transfer; changes to use and means of processing of personal information by overseas recipient; or extension of overseas storage period of personal information;