1. Background

On June 30, 2022, the Cyberspace Administration of China ("CAC") issued the Provisions on Standard Contract for Cross-border Transfer of Personal Information (Draft for Comments) ("Draft for Comments") to solicit public opinions until July 29, 2022.

Clarifying the regulation and supervision of cross-border data transfer is important for maintaining opening-up and optimizing the business environment, and is also key to protecting national security and personal information rights and interests. The first paragraph of Article 38 of the Personal Information Protection Law provides the following four conditions for transferring personal information ("PI") overseas; where any one of them is satisfied, personal information can be transferred across the border: (1) a security assessment organized by the national cyberspace authority has been passed; (2) a certification of personal information protection has been given by a professional institution in accordance with the regulations of the national cyberspace authority; (3) a contract in compliance with the standard contract (the "Standard Contract") provided by the national cyberspace authority has been concluded with the overseas recipient, establishing the rights and obligations of both parties; or (4) any other condition prescribed by law, administrative regulations or the national cyberspace authority is met. Comparing the four options, the benefits of signing a Standard Contract are self-evident: it can be carried out directly by the contracting parties themselves, without involving the regulators or a recognized third-party certification body, and therefore offers more flexibility and convenience. Thus, since the Personal Information Protection Law took effect on November 1, 2021, the release of the Standard Contract has continuously drawn the attention of the public and legal professionals.

In fact, the Standard Contract, serving as one of the most important means for cross-border transfer of personal information, has been widely used internationally. For instance, the Standard Contractual Clauses (SCC) have been established and developed for more than 20 years in the European Union (EU) and have been updated several times in response to the development of the EU Directive 95 and the EU GDPR. In early 2021, the ASEAN Digital Senior Officials' Meeting approved the ASEAN Model Contractual Clauses as a Legal Basis for Data Transfer, helping parties ensure that the transfer of personal data complies with the ASEAN Member States' (AMS) legal and regulatory requirements, protecting the data of data subjects based on the principles of the ASEAN Framework on Personal Data Protection (2016), and promoting trust among citizens in the ASEAN digital ecosystem. Recently, the Office of the Privacy Commissioner for Personal Data, Hong Kong also issued the Guidance on Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data and provided two sets of Recommended Model Contractual Clauses (RMCs) to cater for two different scenarios in cross-border data transfers.

Given the international common practice, the CAC issued the Draft for Comments, adopting the methodology of "independent contracting + record-filing management". The Draft for Comments is formulated by learning from the experience accumulated by the EU and other regions and, at the same time, fully considering China's previous practical experience in the design of various legal systems. The Draft for Comments aims to consider both the promotion of an orderly flow of personal information and the safeguard of the rights and interests of personal information subjects, and to balance the effective management of the cross-border transfer of personal information and improvement of the supervision efficiency.

2. Scenarios Where Standard Contract Is Applicable

Article 38 of the Personal Information Protection Law lists three specific methods for the personal information processor to transfer personal information across the border based on business needs. Although the personal information processor can generally choose any of the three methods, the Personal Information Protection Law also requires that personal information processors with special identities, i.e., operators of critical information infrastructure ("CIIO") and personal information processors who process personal information in an amount exceeding the threshold stipulated by the national cyberspace administration authority, may only choose the security assessment organized by the national cyberspace administration authority. For cross-border transfers of personal information initiated by processors other than those with such identities, the personal information processor may choose either to obtain a certification of personal information protection or to sign the Standard Contract, which saves regulatory resources and improves the efficiency of personal information flows.

Therefore, prior to transferring personal information to an overseas recipient, the personal information processor shall first determine whether it is a CIIO or whether the quantity of personal information it has processed has reached the threshold stipulated by the national cyberspace administration authority. If either condition is met, then, on the one hand, personal information collected and generated within China should be stored within the territory by default; and, on the other hand, the personal information processor may only use the security assessment organized by the national cyberspace administration authority as the cross-border transfer route.

For the circumstances in which passing the security assessment organized by the national cyberspace administration authority is compulsory, the CAC issued the Measures for the Security Assessment of Cross-border Data Transfer on July 7, 2022, to set out more details. We have selected the items related to personal information and compared them with the content of the Draft for Comments in the table below:

Table 1 Circumstances Where Standard Contract Is (Not) Applicable

| No. | Measures for the Security Assessment of Cross-border Data Transfer: circumstances in which a cross-border data transfer security assessment is required (where any condition is met) | Draft for Comments: circumstances in which cross-border transfer of personal information by means of signing the Standard Contract is allowed (where all conditions are met) |
| --- | --- | --- |
| 1. | Cross-border transfer of personal information by a CIIO or a data processor who has processed the personal information of more than 1,000,000 people | Cross-border transfer of personal information by a non-CIIO |
| 2. | (covered by the condition in row 1) | Cross-border transfer of personal information by a personal information processor who has processed the personal information of less than 1,000,000 people |
| 3. | Cross-border transfer of personal information by a data processor who has made cross-border transfer of the personal information of 100,000 people cumulatively or the sensitive personal information of 10,000 people cumulatively since January 1 of the previous year | Where the personal information processor has provided personal information of less than 100,000 individuals in aggregate to overseas recipients since January 1 of the previous year |
| 4. | (covered by the condition in row 3) | Where the personal information processor has provided sensitive personal information of less than 10,000 individuals in aggregate to any overseas recipients since January 1 of the previous year |
| 5. | Other circumstances where an application for the security assessment of a cross-border data transfer is required as prescribed by the national cyberspace administration authority | NA |

It can be seen from the table above that the Measures for the Security Assessment of Cross-border Data Transfer and the Draft for Comments have reached a consensus on the circumstances in which cross-border transfer security assessment shall be used. 

3. Requirements on Cross-border Data Transfer Administration

(1) Personal Information Protection Impact Assessment

The Personal Information Protection Law provides that where personal information is to be transferred abroad, the personal information processor shall conduct personal information protection impact assessment in advance and keep a record of the processing. The personal information protection impact assessment shall include the following content:

  • Whether the purpose and method of processing personal information are legitimate, justifiable and necessary;

  • Impact on personal rights and interests and the security risk;

  • Whether the protection measures taken are legitimate, effective and appropriate to the degree of risks.

The report of the personal information protection impact assessment and the processing record shall be kept for at least three years.

The Draft for Comments further elaborates on the contents to be covered in the assessment, which are very similar to the items that data processors are required to cover in the self-assessment under the Measures for the Security Assessment of Cross-border Data Transfer. Therefore, enterprises may be able to manage both assessments together in practice.

Table 2 Key Points of Personal Information Protection Impact Assessment

| No. | Measures for the Security Assessment of Cross-border Data Transfer | Draft for Comments |
| --- | --- | --- |
| 1. | Legality, legitimacy, and necessity of the cross-border data transfer and the data processing by the overseas recipient in terms of the processing purpose, scope, method, etc. | Legality, legitimacy, and necessity of the purpose, scope, and method for processing personal information by the personal information processor and the overseas recipient |
| 2. | Quantity, scope, type, and sensitivity of the data to be transferred overseas, and the risks that the cross-border data transfer may bring to national security, public interests, or the lawful rights and interests of individuals or organizations | Quantity, scope, type, and sensitivity of the personal information to be transferred overseas, and the risk that the cross-border transfer of personal information may pose to personal information rights and interests |
| 3. | Responsibilities and obligations undertaken by the overseas recipient, and whether the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations can ensure the security of the data to be transferred overseas | Responsibilities and obligations undertaken by the overseas recipient, and whether the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations can ensure the security of the personal information to be transferred overseas |
| 4. | Risk of the data to be transferred overseas being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the cross-border data transfer, whether the channels for individuals to safeguard their personal information rights and interests are unobstructed, etc. | Risk of the personal information to be transferred overseas being disclosed, destroyed, tampered with, or misused after the cross-border transfer, and whether there is a smooth channel for individuals to protect their personal information rights and interests |
| 5. | Whether data security protection responsibilities and obligations are sufficiently stipulated in the contract or other legally binding documents to be executed with the overseas recipient in relation to the cross-border data transfer | Impact of personal information protection policies and regulations in the country or region where the overseas recipient is located on the performance of the Standard Contract |
| 6. | Other matters that may affect the security of the cross-border data transfer | Other matters that may affect the security of the cross-border transfer of personal information |

(2) Record-filing Management

Record-filing is one of the important means to manage the cross-border transfer of personal information under the Draft for Comments. The Draft for Comments specifies the time for filing, the management authority and the materials to be submitted for the filing.

Figure 1 Standard Contract Record-filing Management

In case of any of the following circumstances, the personal information processor shall re-sign the Standard Contract and make the record-filing again:

Figure 2 Circumstances Where the Standard Contract Needs to Be Re-signed and the Record-filing Needs to Be Made Again

The Draft for Comments stipulates that where the cyberspace administration authorities at provincial level or above find that the cross-border transfer of personal information by way of signing Standard Contract no longer meets the security requirements on cross-border transfer of personal information in the actual processing process, they shall notify the personal information processor in writing to terminate the cross-border transfer of personal information. Upon receipt of such a notification, the personal information processor shall forthwith terminate the cross-border transfer of personal information.

We consider that the situations where the cross-border transfer of personal information no longer meets the security requirements may vary but generally will be related to those listed above where the Standard Contract shall be re-signed and the record-filing needs to be made again. The Draft for Comments also stipulates that any organization or individual who finds that a personal information processor violates these provisions of the Draft for Comments shall have the right to file a complaint or report to a cyberspace authority at the provincial level or above, which will be a main channel for the cyberspace authority to discover the violations or incompliance.

In addition, the Draft for Comments provides that, where a personal information processor who signs the Standard Contract with an overseas recipient to provide personal information overseas: (1) fails to perform the record-filing procedure or submits false materials for filing; (2) fails to perform the responsibilities and obligations agreed in the Standard Contract, infringing personal information rights and interests and causing damage; or (3) is in any other situation affecting personal information rights and interests, it will be subject to the following measures:

Figure 3 Legal Liabilities

By combining independent contracting and record-filing management, the Draft for Comments solidifies rights and obligations regarding protection of personal information in the form of Standard Contract, prevents the security risk of cross-border transfer of personal information and guarantees the orderly and free flow of personal information in accordance with the law. 

4. Content of Standard Contract

Article 6 of the Draft for Comments stipulates that the Standard Contract shall include the following content:

Figure 4 Main Content of Standard Contract

On this basis, the Standard Contract consists of nine articles, i.e., definitions, obligations of the personal information processor, obligations of the overseas recipient, impact of local personal information protection policies and regulations on compliance with the terms hereof, rights of the personal information subject, remedies, termination of contract, liability for breach of contract and miscellaneous, which respectively correspond to the main content shown in the above figure. We introduce and analyze the key points of the above content in order below.

(1) Basic Information of Personal Information Processor and Overseas Recipient

The Standard Contract applies to the situation where personal information processor transfers personal information to overseas recipient.

As to the "personal information processor", the Standard Contract provides that it has the same meaning as under the Personal Information Protection Law. Unlike the EU GDPR, the Personal Information Protection Law defines the "personal information processor" as "any organization or individual that independently determines the purpose and method of processing in their activities of processing of personal information", which is similar to the concept of "controller" rather than "processor" under the EU GDPR. Accordingly, the Standard Contract excludes an entity entrusted by the personal information processor to process personal information from signing the Standard Contract. In such circumstances, the entrusting personal information processor shall sign the Standard Contract instead. One typical scenario is that, if a cloud service provider accepts an instruction from the cloud service user to transfer personal information to an overseas recipient, it is the cloud service user, rather than the cloud service provider, who should sign the Standard Contract with the overseas recipient.

As to the "overseas recipient", the Standard Contract defines it as "an organization or individual located outside the territory of the People's Republic of China that receives personal information from the personal information processor", but does not specify whether it is a "personal information processor" under the Personal Information Protection Law. Therefore, it can be understood that the "overseas recipient" may be a personal information processor under the Personal Information Protection Law or an entity entrusted by such a personal information processor to process personal information. However, from the description of the responsibilities and obligations of the parties (see "(3) Responsibilities and Obligations of the Parties" below), the Standard Contract specifically sets forth separate provisions on the obligations of the overseas recipient in the event that the overseas recipient is entrusted by the personal information processor to process personal information. This indicates a high degree of consistency between the compliance obligations of the overseas recipient as a personal information processor and as an entrusted entity, and that the Standard Contract mainly treats the overseas recipient as a "personal information processor".

The above design is different from the EU SCC. Whether in the EU SCC's version 1.0, issued in 2001, 2004 and 2010 respectively under Directive 95, or in its version 2.0, approved by the European Commission in June 2021 under the GDPR, different SCC templates are provided based on the roles of the senders and recipients of the personal data. The Recommended Model Contractual Clauses issued by the Office of the Privacy Commissioner for Personal Data, Hong Kong in May this year also provide two templates to cater for two different scenarios in cross-border data transfers. With regard to this difference, we believe that although the Standard Contract makes no version distinction based on roles, it has preliminarily achieved the effect that each contracting party knows its respective responsibilities and obligations. In addition, in practice the overseas recipient may, under one single commercial contract, act as both a personal information processor and an entrusted entity at the same time; not providing different templates helps both parties avoid the inconvenience of executing multiple contracts.

(2) Particulars of Personal Information to Be Transferred Overseas

Appendix 1 to the Standard Contract specifically describes the particulars of the personal information to be transferred overseas, including the categories of personal information subject, the purpose of transfer, the quantity of personal information, the categories of personal information, the categories of sensitive personal information, the recipients who are to receive personal information from the overseas recipient (if any), the means of transmission, the storage time and location, etc. For the categories of personal information and sensitive personal information to be transferred overseas, more details can be found in the recommended national standard Information Security Technology - Personal Information Security Specification (GB/T 35273) and other relevant standards.

With regard to the quantity of the personal information and sensitive personal information to be transferred, as mentioned above, since the Standard Contract applies to situations where the personal information processor has provided personal information of less than 100,000 individuals in aggregate and sensitive personal information of less than 10,000 individuals in aggregate to overseas recipients since January 1 of the previous year, the quantity should be limited to such scopes.

(3) Responsibilities and Obligations of the Parties

The obligations of personal information processor and overseas recipient stipulated in the Standard Contract can be summarized in Table 3 below.

It can be seen that, as the sender and recipient of the personal information to be transferred overseas respectively, both the personal information processor and the overseas recipient process the personal information, and therefore, most of the obligations and liabilities of both parties are similar. For example, both parties shall comply with principles of legality, legitimacy, and necessity when processing the personal information, and shall acquire the consent from the personal information subjects, implement measures to protect the personal information, and provide cooperation to respond to the regulatory authority’s requests and to provide necessary information.

However, as the two parties deal respectively with the personal information subject and with the recipient who will receive personal information from the overseas recipient (if any), each has its own specific responsibilities and obligations, including:

  • For personal information processor, considering its closer connection with the personal information subject and higher familiarity with the requirements related to cross-border transfer of personal information under the Chinese laws and regulations as well as its identity of being responsible for transferring personal information overseas, it should therefore assume the responsibility of notifying the personal information subject that it is a third-party beneficiary of the Standard Contract, informing the overseas recipient of the legal provisions and related requirements with respect to cross-border data transfer, and proving that the obligations under the Standard Contract have been fully performed.

  • For overseas recipient, priority should be given to the requirements and obligations applicable to it in the case of further transfer (including sub-processing) of the personal information. In addition, if the overseas recipient uses personal information for automated decision-making, it shall ensure transparency in decision making and fair and equitable results and shall not apply unreasonable differential treatment to individuals in terms of transaction conditions and ensure individuals’ right to reject push information and commercial marketing to them through automated decision making.

Table 3 Responsibilities and Obligations of the Parties Under the Standard Contract

No.

Obligations of the personal information processor

Obligations of the overseas recipient

1.

  • Personal information is collected and used in accordance with relevant laws and regulations; the scope of personal information to be transferred overseas is limited to the minimum extent necessary to achieve the purpose of processing.

  • The scope of personal information to be transferred overseas is limited to the minimum extent necessary to achieve the purpose of processing. Store the personal information for the minimum time necessary to achieve the purpose of processing; delete or anonymize personal information (including all backups) upon expiry of the storage period, unless a separate consent is obtained from the personal information subject regarding the storage period.

  • When entrusted with the processing of personal information by the personal information processor, the overseas recipient will provide the personal information processor with the relevant audit report on deletion or anonymization.

2.

  • The personal information subject shall be informed of the following matters: the name and contact information of the overseas recipient, the particulars of the cross-border transfer of personal information, the methods and procedures for the personal information subject to exercise rights, etc.; if sensitive personal information is involved, the necessity of the transfer of sensitive personal information and the impacts on personal information subject shall also be informed.

  • Consent: Obtain the separate consent of the subject of the personal information, unless the relevant laws and regulations provide that no separate consent is required; if the personal information of a minor under the age of 14 is involved, the consent of the minor's parent or other guardian shall have been obtained; if written consent is required by laws and administrative regulations, the written consent shall be obtained, unless the relevant laws and regulations provide that no written consent is required


  • The personal information shall be processed as agreed, unless a prior consent of the personal information subject is obtained.

3.

  • Reasonable efforts shall be made to ensure that the overseas recipient is able to perform the contractual obligations, and relevant technical and management measures shall be taken.

  • The technical and management measures shall include encryption, anonymization, de-identification, access control, etc. The potential security risks of personal information arising from the type, quantity, scope and sensitivity of personal information, quantity and frequency of transmission, the period of personal information transmission and storage by the overseas recipient, and the purpose of personal information processing shall be comprehensively considered. 


  • Effective technical and management measures shall be taken to ensure the security of personal information and prevent data leakage; and regular inspections shall be conducted to ensure that relevant measures maintain an appropriate level of security continuously.

  • Ensure personnel who are authorized to process the personal information should perform confidentiality obligations; implement access control strategies.

  • In the event of a data leakage, appropriate remedial measures shall be taken promptly to mitigate the adverse impact; personal information processor shall be immediately notified and the case shall be reported to the regulatory authorities in China in accordance with the law; the personal information subject shall be notified in accordance with the law; and all the facts relating to the data leakage and the impact thereof shall be recorded and retained, including all remedial measures taken.

  • When the personal information processor entrusts the overseas recipient with the processing of personal information, it should be the personal information processor who notifies the personal information subject of the data leakage.

4.

  • Respond to   regulatory inquiries: By default,   the personal information processor shall reply to the inquiries from the   regulatory authorities about the personal information processing activities   conducted by the overseas recipient, unless both parties agree that the   overseas recipient shall respond.

  • Accept the supervision and administration of the regulatory authorities: including but not limited to replying to inquiries of the regulatory authorities, cooperating with inspections of the regulatory authorities, complying with the measures taken or decisions made by the regulatory authorities, and providing written proof that necessary actions have been taken. 

5.

  • Carry out personal information protection impact assessment and keep assessment reports for at least three years. 

  • Maintain objective records of the personal information processing activities and retain the records for at least three years; and provide the regulatory authorities with relevant records and documents according to relevant laws and regulations.

6.

  • Provide copy of the Standard Contract: Upon request by the personal information subject, provide a copy of the Standard Contract to the personal information subject. To the extent necessary to protect trade secrets or other confidential information (e.g., the content of protected intellectual property), it is acceptable to appropriately obscure the contents of the Standard Contract before providing copies, but the personal information processor undertakes to provide the personal information subject with a valid summary to assist him/her in understanding the content of the Standard Contract. 

  • Provide copy of the Standard Contract: Upon request by the personal information subject, provide a copy of the Standard Contract to the personal information subject. To the extent necessary to protect trade secrets or other confidential information (e.g., the content of protected intellectual property), it is acceptable to appropriately obscure the contents of the Standard Contract before providing copies, but the overseas recipient undertakes to provide the personal information subject with a valid summary to assist him/her in understanding the content of the Standard Contract.

7.

  • Provide the relevant information, including all audit results, to the regulatory authorities in accordance with the law. 

  • Provide the personal information processor with all information necessary to demonstrate compliance with its obligations set forth in this Standard Contract and allow the personal information processor to access data files and documentation or to perform audits of the processing activities covered by this Standard Contract. Facilitate the audit conducted by the personal information processor.

8.

  • Third party beneficiary: Notify the personal information subject that he/she is the third-party beneficiary by default and may enjoy the rights of third-party beneficiary under the Standard Contract unless he/she specifically rejects within 30 days.

  • NA

9.

  • Provide the copy of legal requirements: Upon request by the overseas recipient, provide it with copies of relevant legal requirements and technical standards.

10.

  • Bear the burden of proof: Bear the burden of proof to prove that the contractual obligations have been fulfilled.

11.

  • NA

  • Further   transfer: Do not provide personal information to any   third party outside China unless all the following requirements are met: (1)   There is a real business needing to provide personal information; (2) The   personal information subject has been informed thereof and his/her separate   consent has been obtained; (3) A written agreement with the third party is   concluded to ensure that the third party's protection of personal information   is not lower than the standard of protection of personal information as   stipulated by the relevant laws and regulations of China, and the third party   shall bear joint and several liability for the damage that may be caused to   the personal information subject due to the further transfer; and (4) A copy   of the abovesaid agreement is provided to the personal information processor.  

12.

  • When entrusted by a personal information processor to process personal information, and when further entrusting a third party to process personal information, the overseas recipient shall obtain the consent of the personal information processor in advance; the overseas recipient will ensure that the third party entrusted to process the personal information does not process the personal information beyond the purpose and method of processing as agreed hereof, and shall supervise the personal information processing activities by the third party.

13.

  • When using personal information for automated decision-making, the overseas recipient shall ensure transparency in the decision-making and fair and equitable results, and shall not apply unreasonable differential treatment to individuals in terms of transaction conditions, such as transaction price. When delivering push information or commercial marketing to individuals through automated decision-making, it shall provide options that do not target their personal characteristics or provide a convenient way to refuse.

(4) Impact of Local Policies and Regulations on Personal Information Protection

The policies and regulations on personal information protection of the country or region in which the overseas recipient is located are critical for the overseas recipient to effectively perform its responsibilities and obligations under the Standard Contract. Therefore, the Standard Contract requires that:

  • Both the personal information processor and the overseas recipient guarantee that, despite their reasonable efforts, they are not aware of any relevant local policies or regulations that would prevent the overseas recipient from performing its obligations under the Standard Contract; and

  • This guarantee is made on the premise that the overseas recipient has used its best efforts to provide the necessary relevant information, and the parties have comprehensively taken into account the particulars of the cross-border transfer of personal information and local policies and regulations on personal information protection and made assessments accordingly.

As to local policies and regulations on personal information protection, the Standard Contract provides that the assessment shall cover: the status of existing laws and regulations and generally applicable standards for personal information protection in such country or region; the regional or global organizations on personal information protection of which such country or region is a member, and the binding international commitments it has made; and the mechanism for the implementation of personal information protection in such country or region, such as whether there is a personal information protection supervision and enforcement body and a relevant judicial body.

In addition, the parties shall document the processes and results of the assessment. If the overseas recipient is unable to perform the Standard Contract due to future changes in relevant policies and regulations, the overseas recipient shall immediately notify the personal information processor upon knowing of the changes.

(5) Rights of Personal Information Subject

The Standard Contract requires that both the personal information processor and the overseas recipient undertake to ensure that the personal information subject, as the third-party beneficiary, can exercise the rights under the Standard Contract regarding both parties' personal information protection obligations, including the following:

Figure 5 Rights of Personal Information Subject

In addition, as the third-party beneficiary under the Standard Contract, the personal information subject has the right to demand the performance of the provisions regarding the rights of the personal information subject from either the personal information processor or the overseas recipient. 

(6) Remedy, Termination of Contract, Liability for Breach of Contract and Dispute Resolution

i. Remedy

It mainly includes:

Figure 6 Remedy Mechanism of Personal Information Subject

ii. Termination of Contract

It mainly includes:

Figure 7 Circumstances Triggering Termination of the Standard Contract

iii. Liability for Breach of Contract

Liability for breach of contract includes liability of each party to the other party and liability of each party to the personal information subject for breach of contract:

Figure 8 Liability for Breach of Contract

iv. Dispute Resolution

The Standard Contract is governed by the relevant laws and regulations of China. Therefore,

  • If the personal information subject files a lawsuit as a third-party beneficiary against the personal information processor or the overseas recipient, the jurisdiction shall be determined in accordance with the Civil Procedure Law of the People's Republic of China.

  • If the parties are unable to resolve the dispute through negotiation, either party may submit the dispute to arbitration at any of the China International Economic and Trade Arbitration Commission, the China Maritime Arbitration Commission, the Beijing Arbitration Commission (Beijing International Arbitration Center) or any other arbitration institution that is a member of the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards; alternatively, the parties may take legal proceedings in a people's court with jurisdiction in China.

5. Recommendations

The Draft for Comments stipulates the compliance obligations to be performed by the personal information processor when transferring personal information to the overseas recipient and provides a Standard Contract specifying the obligations and duties of both parties. In this process, the regulatory authorities perform a "post supervision" function, leaving enterprises more leeway to perform their compliance obligations at their own discretion. Therefore, we recommend that enterprises:

Before carrying out cross-border transfer of personal information:

  • Conduct an assessment to determine which cross-border transfer mechanism is more suitable. The Personal Information Protection Law provides three specific legal methods for cross-border transfer of personal information: passing a security assessment, obtaining personal information protection certification, and signing a Standard Contract. At present, the authority has released regulations and policies for all three mechanisms. Therefore, it is recommended that an enterprise first determine whether it falls into the mandatory categories subject to security assessment: if it does, it shall go through self-assessment, application for security assessment with the cyberspace administration and the other relevant procedures in accordance with the Measures for the Security Assessment of Cross-border Data Transfer; if it does not, it shall then further determine whether the overseas recipient is affiliated with it within the same group. Affiliation under the same group means the enterprise may choose the personal information protection certification method; otherwise, it should enter into a Standard Contract with the overseas recipient and fulfill the corresponding requirements such as record-filing.

  • Carry out a personal information protection impact assessment before cross-border transfer of personal information. A personal information protection impact assessment can help enterprises effectively identify the possible adverse impacts of cross-border transfer activities. Therefore, we recommend that enterprises strictly implement the impact assessment. For the specific procedures and requirements of the assessment, enterprises may refer to the national standard Information Security Technology - Guide to Personal Information Security Impact Assessment (GB/T 39335 - 2020). Although that standard states that assessment under the cross-border transfer scenario may be carried out with reference to other relevant national standards, enterprises may still refer to the principles and procedures of the assessment thereunder, as there is currently no specific national standard governing the cross-border transfer of personal information.

If personal information has been transferred across the border:

  • Re-evaluate the cross-border transfer agreements that have been signed previously. We understand that, before the release of the Draft for Comments, many enterprises with business needs for cross-border transfer of personal information had already entered into corresponding contractual arrangements with the overseas recipient in order to manage and control risks. We recommend that such enterprises re-evaluate those previously signed cross-border transfer agreements to ensure that nothing in them conflicts with the Standard Contract.

  • Review the personal information protection impact assessment that has already been conducted. For enterprises that have already transferred the personal information across the border, we suggest reviewing the impact assessment carried out previously to check whether the assessment key points stipulated under the Draft for Comments have been covered or not.

Since the Draft for Comments has not yet come into force, if enterprises, after reviewing the signed cross-border transfer agreements and the content of the personal information protection impact assessment, find that there are inconsistencies with the requirements of the Draft for Comments, we recommend that:

  • if the inconsistencies are significant, enterprises shall assess the relevant risks and make corresponding arrangements according to the risk level (such as starting negotiation procedures with overseas recipients) to avoid being caught unprepared if the effective version of the Draft for Comments is released on short notice;

  • if the inconsistencies are trivial, enterprises may temporarily refrain from major business adjustments but should pay close attention to the update and finalization of the Draft for Comments. If the relevant contents are retained in the final effective version, enterprises may make further adjustments then. Enterprises shall also formulate and revise internal policies and procedures on cross-border transfer of personal information and provide special compliance training to relevant employees to implement the compliance requirements for cross-border transfer of personal information.

Annie Xue

Dr. XUE is a senior counsel (partner level) supervising the compliance practice of GEN Law Firm. She specializes in regulatory affairs in cybersecurity and data protection, antitrust and anti-unfair competition, anti-commercial bribery, and the Chinese social credit system. Dr. Xue has extensive experience in these areas and a profound understanding of the complicated issues at the intersection of those topics. Dr. Xue studied competition law at the College of Law of the University of Illinois at Urbana-Champaign and obtained a J.S.D. degree. She also participated in many research projects led by law enforcement authorities and academia as a postdoctoral fellow at the Institute of Law of the Chinese Academy of Social Sciences, and actively contributed to the formulation of competition and data regulatory policies. Before joining GEN, Dr. Xue served as a senior attorney in two Chinese law firms. She has authored many articles and reviews related to legal compliance and served as an editor of The China Competition Bulletin hosted by the Australia and New Zealand Government College.

CHEN Yang

CHEN Yang focuses on cybersecurity and data protection, personal information protection and compliance supervision consulting, and has participated in many difficult and complex cases. Yang holds the Chinese lawyer qualification and is a Certified Information Privacy Professional (Europe) and Certified Information Privacy Manager certified by the International Association of Privacy Professionals (IAPP), with rich experience in the field of data protection.