Q&A on the Standard Contract for Transferring PI Abroad

The Measures for the Standard Contract for Cross-border Transfer of Personal Information (hereinafter the "Standard Contract Measures") has been officially promulgated on February 24, 2023, and will come into force on June 1, 2023[1]. In light of this, we have prepared the following ten Q&As for enterprises to learn how they could transfer personal information across borders legally through entering into a standard contract.

Q1How should data be transferred legally across borders?

According to the currently applicable laws and regulations, there are three main approaches:

(1)Passing a security assessment organized by the Cyberspace Administration of China ("CAC”).

(2)Acquiring a personal information protection certification at a specialized institution in accordance with the provisions issued by the CAC.

(3)Entering into a contract with the overseas recipient in accordance with the standard contract formulated by the CAC, agreeing on both parties' rights and obligations.

Q2In which scenarios can a standard contract be concluded for the Cross-border transfer of data?

According to the Standard Contract Measures, the scope of information processor permitted to enter into the standard contract to transfer data across borders is narrow, since they must fulfill all following conditions simultaneously:

(1)it is not a critical information infrastructure operator；

(2)it processes the personal information of less than 1 million individuals；

(3)it has cumulatively transferred abroad the personal information of less than 100,000 individuals since January 1 of the previous year; and

(4)it has cumulatively transferred abroad the sensitive personal information of less than 10,000 individuals since January 1 of the previous year.

In addition, the Standard Contract Measures also explicitly stipulated that a personal information processor shall not use methods such as quantity splitting of the personal information that is required by law to undergo the cross-border security assessment.

Q3What is the procedure needed for entering into a standard contract?

Prior to entering into the standard contract, enterprises shall conduct a personal information protection impact assessment. The contents of such assessment shall mainly include: the legality, legitimacy, and necessity of cross-border data transfer; the volume, scope, category, and sensitivity of personal information to be transferred abroad and the risks that may be caused; whether the foreign recipient can ensure the security of the personal information to be transferred abroad, etc.

While the personal information processor may initiate cross-border transfer once a standard contract is executed and becomes effective, it shall fill the standard contract and the personal information protection impact assessment report with the cyberspace administration at the provincial level within 10 working days. It is worth noting that the Standard Contract Measures did not provide for a substantive review of the filed materials by cyberspace administrations, nor does it make the filing of contracts a precondition for cross-border data transfer.

Q4What are the requirements on the contract itself?

(1)According to Article 6 of the Standard Contract Measures, the standard contract shall be concluded in strict accordance with the annexed Standard Contract for Cross-border Transfer of Personal Information (the “Standard Contract Template”, and the CAC may adjust the annex based on actual circumstances. Therefore, we understand that enterprises shall enter into standard contracts in strict accordance with the Standard Contract Template which shall not be amended at their will. However, the parties may agree upon other terms not in conflict with the text of the Standard Contract Template.

(2)Impact of local policies and regulations on personal information protection in foreign countries: the Standard Contract Template takes a more liberal approach, only requiring the personal information processor and the foreign recipient to warrant that they have exercised reasonable care when entering into the contract and is not aware of personal information protection policies and regulations in the foreign recipient’s country or region that would have an impact on the foreign recipient’s performance of its obligations under the contract.

(3)Dispute Resolution: If any dispute arises during the performance of the standard contract, the parties to the contract may choose to bring a lawsuit in a Chinese court or choose an arbitration institution of one of the member states of the New York Convention to settle the dispute. There are no requirements on the seat of arbitration. Such an arbitration option provided in the standard contract may potentially lead to overseas data recipients more willing to enter into the standard contract.

Q5What is the third-party beneficiary under the standard contract?

The Standard Contract enhances the protection of personal information subjects by endowing them with the status of "third-party beneficiary". The specific process is as follows:

(1)The data processor grants the personal information subject the right to become a "third party beneficiary" by informing the subject of the same in accordance with Section 2 (iv) of the Standard Contract Template.

(2)The Standard Contract Template stipulates several obligations (such as its Section 3) that the personal information processor and/or the foreign recipient shall bear to the personal information subject as well as providing for the rights of the subject of personal information (Section 5).

(3)Section 6, item 3 of the Standard Contract Template specifies the approaches that the subject of personal information can realize his rights as a "third-party beneficiary" through either litigation or filing a complaint to the regulatory authority.

(4)Either party shall bear civil liabilities if it infringes upon the rights of the personal information subject due to a violation of the standard contract. Should both parties bear joint and several liabilities in accordance with law, the personal information subject shall have the right to request either party or both parties to bear the liabilities.

Q6In what aspects might the cyberspace administrations supervise a standard contract and the parties thereto?

Section 3, item 13 of the Standard Contract Template provides the obligation of the foreign recipient, in which the foreign recipient shall agree to be subject to supervision by the PRC regulatory authorities during an enforcement procedure related to supervising the implementation of the contract, including but not limited to responding to inquiries, following the actions taken or decisions made by the Regulatory Authority, and providing written confirmation that necessary measures have been taken, etc.

In addition, the Standard Contract Template also prescribes that the personal information processor shall cooperate with regulatory measures. On the one hand, the Personal Information Protection Law applies to personal information processors that process personal information domestically and shall be subject to the supervision of regulatory authorities in accordance with the law. On the other hand, according to Section 2 (vii) of the Standard Contract Template, the personal information processor shall reply to inquiries from the Regulatory Authority about the foreign recipient’s processing activities.

Q7Under what circumstances can cross-border data transfer be suspended or a standard contract be rescinded?

According to Section 7, item 1 of the Standard Contract Template, if the foreign recipient breaches the obligations specified in the contract or the foreign recipient is unable to perform the contract due to a change in the policies and regulations on personal information protection in the foreign recipient’s country or region (including an amendment to the laws or adoption of compulsory measures in the foreign recipient’s country or region), the personal information processor may suspend the provision of personal information to the foreign recipient until the breach is corrected or the contract is terminated.

In addition, the Standard Contract Template provides some circumstances in which the personal information processor or both parties are entitled to terminate the contract:

(1)Where the personal information processor has suspended the provision of personal information to the foreign recipient for more than one month in accordance with Section 7, Item 1 - both parties may terminate the contract.

(2)By following the standard contract, the foreign recipient will violate the laws and regulations of its own country or region- both parties may terminate the contract.

(3)The foreign recipient seriously or persistently breaches the obligations under the contract - only the personal information processor may terminate the contract.

(4)The foreign recipient or the personal information processor has breached this contract pursuant to a final decision of a competent court or the regulatory body supervising the foreign recipient - both parties may terminate the contract.

Q8Does the standard contract have a validity period? Under what circumstances should the contract be re-entered into?

Since there is no provision on the term of validity in the Standard Contract Measures or the Standard Contract Template, we understand that both parties are free to stipulate the term of validity. However, if any of the following circumstances occur during the validity period, the personal information processor shall conduct the following formalities again: a) conduct a personal information protection impact assessment, b) supplement or re-sign the contract, and c) conduct relevant record-filing formalities:

(1)the purpose, scope, category, sensitivity, method, and storage location of personal information transferred abroad, or the purpose and method of personal information processing by the foreign recipient has changed, or the retention period of personal information located abroad has been extended;

(2)the personal information rights and interests may be affected by the changes in the policies and regulations on personal information protection in the country or region where the foreign recipient is located; or

(3)other circumstances that may affect personal information rights and interests.

Q9Does the Standard Contract Measures provide for a “grace period” similar to the Measures for the Security Assessment of Cross-border Data Transfer?

Yes. The Standard Contract Measures will enter into force on June 1, 2023. For noncompliant cross-border transfers that has already occurred before it takes effect, rectification shall be completed within 6 months upon the effective date of the Measures (i.e., before December 31, 2023). As there is only a post-process filing requirement under the Standard Contract Measures, the time available for companies under such grace period is greater than the security assessment approach.

Q10Besides entering into a standard contract, what are the other ways to comply with the Cross-border data transfer?

As mentioned in Q1, there are two additional approaches available: acquiring a personal information protection certification at a specialized institution in accordance with the provisions issued by the CAC, and entering into a contract with the overseas recipient in accordance with the standard contract formulated by the CAC, agreeing on both parties' rights and obligations. These two paths will be explained in our next article.

● 注释：

[1]Please refer to Standard Contract Measures published on the CAC’s official WeChat account:

https://mp.weixin.qq.com/s/5T7pCReDif6tzCd56m3zKA

特别声明：

大成律师事务所严格遵守对客户的信息保护义务，本篇所涉客户项目内容均取自公开信息或取得客户同意。全文内容、观点仅供参考，不代表大成律师事务所任何立场，亦不应当被视为出具任何形式的法律意见或建议。如需转载或引用该文章的任何内容，请私信沟通授权事宜，并于转载时在文章开头处注明来源。未经授权，不得转载或使用该等文章中的任何内容。