Protection of personal information and specifically, in the context of transferring the same out from China is one of the hottest issues in the field of data law. This is almost relevant to all foreign companies conducting business in China, as it may be inevitable that personal information collected by Chinese subsidiaries may have to be passed to the foreign headquarters.
Following the implementation of the Personal Information Protection Law (“PIPL”) in 2021, which outlines the framework of requirements for outbound transfer of personal information from China, the Cyberspace Administration of China (“CAC”) has finally published the Measures for the Standard Contract for the Outbound Transfer of Personal Information (the “Measures”) along with the finalized version of the Standard Contract for the Outbound Transfer of Personal Information (the “Standard Contract”), and will take effect starting from June 2023.
In particular, the Standard Contract which sets out the standard contractual clauses to be entered between the data processor transferring personal information out of China and the overseas recipient receiving such personal information outside China, sheds light on the specific obligations of the parties. In this article, we will go through the must-know compliance requirements for outbound data transfer under the existing legal framework.
Among the other more general requirements under the PIPL, it is specifically set out in Article 38 of the PIPL that at least one of the following conditions shall be met before personal information may be transferred out from China:-
It is further specified under Article 4 of the Measures for the Security Assessment of Outbound Data Transfer, which came into effect in September 2022 that security assessment organized by the CAC (under No. 1 above) must be conducted in the following circumstances:-
However, how one may pass the security assessment organized by the CAC remains uncertain, and the implementation details for obtaining the personal information protection certification (under No. 2 above) are yet to be published. As such, unless the above circumstance(s) for security assessment is/are triggered, the Standard Contract (under No. 3) is generally considered the most practical way to fulfil the requirements on outbound transfer under Article 38 of the PIPL.
It is expressly specified in the Measures that the Standard Contract shall be adopted in its entirety and without deviation. For example, by entering into the Standard Contract, the data processor and the overseas recipient agree to submit to supervision of their data processing activities by the relevant authorities in China. Further, the data subject, as a third party beneficiary under the Standard Contract, may enforce his/her rights under the Standard Contract against the data processor and/or the overseas recipient by litigation in China.
On the other hand, the obligations of the data processor under the Standard Contract are generally in line with the requirements under the PIPL, and the same include:-
Further, it should be noted that even in case the main data processing activities are outsourced to the overseas recipient, the data processor transferring such personal information abroad is still responsible to supervise the activities of the overseas recipient. It is further stipulated under the Standard Contract that the data processor undertakes:-
As for the overseas recipient, with the extra-territorial effect of the PIPL, the requirements on a data processor under the PIPL apply to it, and it is expressly obliged under the Standard Contract, among others:-
The Measures and the Standard Contract will become effective on 1st June 2023, and after such effective date, in applicable cases as discussed above, the Standard Contract must be entered into between the data processor and the overseas recipient before any personal information is transferred out from China.
It is to be further stressed that in addition to the adoption of the Standard Contract (which was previously considered to be a private agreement between the data processor in China and the data recipient overseas), the Measures specifically requires that the data processor collecting data in China and transferring the same out of China shall make a recordation with the CAC within 10 working days from the effective date of the Standard Contract. Not only should the Standard Contract be recorded, the data processor shall also conduct the personal information protection impact assessment (the “PIPIA”), and the corresponding report shall be recorded together with the Standard Contract. Therefore, besides ensuring the adoption and execution of the finalized version of the Standard Contract with the overseas recipients, data processors shall also ensure that their PIPIA reports are ready to be submitted for recordation purpose, by the requisite deadline.
On the other hand, a grace period is provided for transfers occurring before 1st June 2023, that there is a six-month period (i.e. until 1st December 2023) to rectify existing practice for compliance with the Measures and adoption of the Standard Contract. Data processors who wish to rely on the Standard Contract shall therefore immediately review their data transfer activities and agreements entered into with overseas recipients, and to bring the same into compliance within the grace period.
It is expected that further rules and guidelines on the implementation of the PIPL and related regulations, including the details for the recordation with the CAC will be published. We will closely monitor the same and keep you posted on any further developments.
© Vivien Chan & Co., Newsletter issue 03, March 2023
All Rights Reserved
Vivien Chan & Co. is a full-service law practice with offices in Hong Kong (1985) and Beijing (1993). We are consistently recognized as a premier law firm for and in Greater China. With over 35 years of doing business in Greater China, our Hong Kong and China teams have an in-depth understanding and knowledge of the legal culture and market dynamics.
Our long established licensed law offices in Greater China have allowed us to develop deep local roots and an integrated global perspective necessary to help domestic businesses and multinational companies alike seamlessly manage even the most complex local and cross border transactions.
We have advised on some of the most significant acquisitions, arbitrations, real estate projects and intellectual property enforcement to date. This is particularly evident from our leading position in areas such as intellectual property, tax, employment, mergers & acquisitions and dispute resolution. Our ability to collaborate across practices and borders with ease allows us to bring the right team to every transaction, regardless of location.