On February 24, 2023, the Cyberspace Administration of China released the Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Information (in Chinese “《个人信息出境标准合同办法》”, the “Measures”), which will take effect on June 1, 2023. For enterprises to have a quick understanding of the content of the Measures, we prepare a brief analysis on the Measures below:
1. Application scope
According to the Measures, a personal information processor under the Personal Information Protection Law (“PIPL”) may provide personal information to an overseas recipient under a standard contract (“Standard Contract”) executed only when it does not meet any of the following criteria:
According to the Measures for the Security Assessment of Outbound Data Transfers (in Chinese “《数据出境安全评估办法》”) that is effective on September 1, 2022, once a personal information processor reaches any of the criteria above, it shall apply for security assessment for the provision of the personal information to an overseas recipient. Given the correlation between the scenarios of applying for security assessment and entering Standard Contract, the Measures explicitly specify that, a personal information processor must not split up the amount of the personal information to be transferred overseas or adopt other means to provide to any overseas recipient under a Standard Contract such personal information whose outbound cross-border transfer should be subject to a security assessment according to law.
2. Main obligations: independent contracting combined with compliance with the record-filing requirement
For personal information processors who are to provide personal information through Standard Contract, the Measures require them to strictly follow the content of the Standard Contract as annexed in the Measures. Where the personal information processor agrees on other terms with the overseas recipient, such terms must not conflict with the terms of the Standard Contract.
Only after the Standard Contract for the transfer takes effect, may the personal information processor transfer personal information. Within 10 working days from the effective date of the Standard Contract executed, the personal information processor shall file a record with the provincial cyberspace authority where it is domiciled by submitting the following materials:
(1) the Standard Contract; and
(2) a personal information protection impact assessment ("PIPIA") report.
In addition, if any of the following circumstances occurs during the validity term of the Standard Contract, the personal information processor shall conduct a PIPIA again, and supplement the existing Standard Contract or execute a new Standard Contract, as well as file a record again:
The Measures provide that, where a cyberspace authority at or above the provincial level finds any considerable risk or any personal information security incident in relation to an activity of outbound cross-border transfer of personal information, it may conduct a regulatory talk with the personal information processor concerned according to law. The personal information processor shall rectify and eliminate the risk as required.
The Measures further provide that, anyone who violated the Measures shall be dealt with in accordance with the PIPL and other laws and regulations; and there shall be investigation for criminal liability according to law if the violation constitutes a criminal offense.
According to the PIPL, anyone processing personal information in violation of the PIPL or failing to perform any obligation of personal information protection specified the PIPL in the processing of personal information, such as transferring personal information to overseas recipient without passing the security assessment, certification and signing Standard Contract as required by Article 38(1) of the PIPL, will be:
ordered to make a correction, given a warning, and confiscated of any illegal gain, and any application program that illegally processes personal information will be ordered to suspend or terminate its services; and
if the required correction is not made, a fine of up to CNY1 million will be imposed on the violator; and any person in charge or any other individual directly liable for the violation will be fined between CNY10,000 and CNY100,000.
If the illegal activity specified is of a grave nature, the violator will be ordered to make a correction, confiscated of any illegal again, and fined up to CNY50 million, or 5% of last year's annual revenue; and may also be ordered to suspend any related activity or to suspend business for rectification, and/or be reported to the relevant authority for the revocation of the related business permit or the business license; and any person in charge or any other individual directly liable for the violation will be fined between CNY100,000 and CNY1 million and may also be banned for a certain period of time from serving as a director, supervisor, senior officer or personal information protection officer of a relevant enterprise.
4. Grace period
The Measures provide that any activity of outbound cross-border transfer of personal information initiated before the entry into force of the Measures, i.e., June 1, 2023, that does not comply with the Measures shall be rectified within 6 months from the date of entry into force of the Measures, i.e., December 1, 2023.
For enterprises transfer personal information collected or generated within China to overseas recipient, it is suggested that an internal assessment should conduct as soon as possible to identify whether they fall into any of the scenarios where a security assessment should be applied.
If they fall into any of the scenarios, it is suggested that they should apply to the national cyberspace administration authority for the security assessment via the local provincial-level cyberspace administration authority as soon as possible.
If they do not fall into any of the scenarios, they may provide personal information through entering into Standard Contract and record-filing, it is suggested that they should notify the overseas recipient of the requirements of the Measures and consider executing the Standard Contract and carrying out record-filing before December 1, 2023.