On 24 February, the Cyberspace Administration of China (CAC) released the Measures for the Standard Contract for Outbound Transfer of Personal Information (hereinafter referred to as the Measures). The measures will be put into force on 1 June 2023, but a 6-month transition period for the relevant activities will be given starting from the enforcement date.
The release of the Measures is the final piece of the puzzle regulating the outbound transfer of personal information, in line with the Personal Information Law. The other two solutions are security assessment and certification. Similar to the other two solutions, the standard contract is developed to meet the growing needs for outbound transfer of personal information and protect corresponding rights and interests of personal information subjects. The main difference among the three solutions lies in their applicability and levels of protection. The standard contract applies to small-scale cross-border transfer of personal information which does not fall under the definition of ‘key data’. In other words, it specifies the minimum level of protection requirements and obligations that the personal information processors and overseas recipient shall fulfill.
Specifically, the Measures contain 13 articles and a standardized contract sample, including the scope of application, impact assessment of personal information protection, conditions for re-assessment or re-signing of the transfer contract, duty of confidentiality of government officials, and liability for breach. The following is a brief introduction of the official interpretation of the Measures.
Application scope. The Measures apply to four types of personal information processors: (i) non-critical information infrastructure operators; (ii) processors that are dealing with personal information of less than one million individuals; (iii) processors that, since 1 January of the previous year, have cumulatively transferred overseas the personal information of less than 100,000 individuals; iv) processors that carry out cross-border transfer of sensitive personal information of less than 10,000 individuals. In short, the application scope is exactly the opposite of the Measures for the Security Assessment of Cross-border Data Transfer – which regulates large-scale or important personal information cross-border transfer.
Impact assessment of personal information protection. The impact assessment is one of the obligations of personal information processors that shall be fulfilled before signing the contract leading to outbound transfer of personal information. The Measures indicate the aspects to be covered by the impact assessment namely the legitimacy, legality and necessity of the transfer activities, the scale, scope, category and sensitivity of the transfer activities, etc. The impact assessment report is a required documentation to be submitted to the authorities for record-filing. Also, in case of significant changes in the agreed matters during the validity of the contract, the transfer activities shall be re-assessed and processors shall supplement or re-sign the standard contract, and comply with the required record-filing.
Standard contract. The standard contract is designed in accordance with “contract life cycle” management of civil contract under Chinese law, from contract establishment and fulfillment, to potential rescission or termination. Such architecture is universally recognized. The standard contract has nine main clauses, including the definition, the obligations of the personal information processor, the obligations of the overseas recipient, the impact of the personal information protection policies and regulations of the overseas recipients’ country or region on the fulfillment of the contract, the rights of the personal information subjects, remedies, contract rescission, liability for breach of contract, and other general provisions. Each provision is supplemented with specific requirements. The main feature of the contract is that it highlights the mechanism of pre-protection and post-relief of the “rights of the personal information subject”.
All in all, the implementation of the Measures will guide personal information processors and overseas recipients to identify and clarify their rights and obligations. Meanwhile, the articles about technical measures and management system in the standard contract are designed in a comprehensive and applicable manner that allows for easier dispute settlement.
