Exporting Personal Data From China: New Guidance on Standard Contracts

Hoi Tak Leung explains the new guidance on standard contracts when exporting personal data from China.

Introduction

The Cyberspace Administration of China (CAC) on 30 May 2023 released the Guidance for the Filing of the Standard Contracts for the Outbound Transfer of Personal Information (the Guidance).

The Guidance supplements the Measures for Standard Contract for the Outbound Transfer of Personal Information (the Measures), and sets out the filing process that data controllers (called "personal information processors" under the PIPL, that is, an organisation or individual that independently determines the purposes and means of the processing) are required to undertake under the Measures (and pursuant to the Personal Information Protection Law (PIPL)). Importantly, the Guidance contains a long-awaited template contract for data transfer – the standard contractual clauses (SCC).

The Measures came into effect on 1 June 2023. For companies that are required to file a standard contract for data transfer, the Measures provide a grace period of six months, during which they can continue any already-commenced outbound transfer of personal information. After that, companies that have not completed the standard contract's filing or whose filing has not been approved may not continue outward transfer of personal data.

Background to, and applicability of, the Guidance

The PIPL sets out three routes that personal information can be exported, namely:

  • entering into a data transfer agreement with the relevant overseas party that adopts the PRC SCC;
  • attaining a personal information protection certification from a designated certification agent; or
  • passing a security assessment required for critical information infrastructure operators and other organisations that process personal information reaching one of the three thresholds specified by the CAC.

The Certification regime is generally aimed at intragroup personal information transfers within large multinational companies, and involves a lengthy list of requirements. Most data controllers do not reach the CAC-specified thresholds and therefore cannot use the Security Assessment method. We expect that the SCC will be the most commonly used data export route for data controllers, so the Guidance is highly welcome (having been released two days before the Measures came into effect).

Both the Measures and Guidance remind data controllers not to evade the Security Assessment by dividing up the amount of personal information for exporting to overseas recipients through SCC.

The Guidance also clarifies that the Measures apply to:

  • data controllers transmitting / storing personal information collected in domestic operations outside of China;
  • personal information compiled and generated within China and made available to overseas institutions, organisations or individuals through inquiry, retrieval, download and export; and
  • other export of personal information as set out by the CAC.

Data controllers who have not submitted the filings may continue their personal information transfer activities until 30 November 2023; from 1 December 2023, those who fail to submit or whose submissions are pending approval will be required to suspend exporting of personal information. One outstanding point to be confirmed during this period is whether data controllers and their affiliated entities are eligible for a combined filing.

Filing process

Formalities

Physical copies of the executed SCC and electronic copies of the filing materials should be filed to the CAC office of the province where the data controller is located – noting that currently, there is no online channel for applications, and so the specific requirements for submission may differ between CAC offices. For example, the Beijing CAC office has released guidance specifying that filing materials should be submitted via email before physical copies are submitted. The different requirements may be particularly onerous for those controllers whose initial submissions are unsuccessful (and therefore supplemental applications (and additional filings) are required).

Materials to be filed

The following material will need to be filed with the CAC by the relevant data controller:

1. Originals of:

  • the Power of Attorney document authorising the agent to handle the filing;
  • the letter of undertaking;
  • the executed SCC (note that it is not clear whether electronically executed SCCs would be accepted, and the Guidance does not provide specific execution-related requirements); and
  • the Personal Information Protection Impact Assessment Report (PIA Report).

2. Photocopies (with the data controller's official seal) of:

  • their Unified Social Credit Code;
  • the identity document of the data controller's legal representatives; and
  • the identity document of the data controller's authorised person handling the filing.

Process and timing

Under the Guidance the data controller's process for filing a SCC will be divided into four phases:

  • complete a PIA Report no more than three months before the submission of filing materials, with no material changes leading up to or during the filing date;
  • submit filing materials within 10 working days from the date on which the SCC was signed;
  • await review from the relevant provincial CAC, which will notify the data controller of the conclusion of such review within 15 working days of submission. We note that specific CAC offices may change such timing; for example, the Beijing CAC has committed to reviewing within 10 working days of submission; and
  • if the filing is unsuccessful, the provincial CAC will notify the data controller of the grounds of rejection. The data controller should then submit supplemental materials within 10 working days of such notice.

Neither the Measures nor the Guidance specifies the level of scrutiny the CAC will apply when reviewing submissions. From our experience and given the purpose of the PIPL regime, it appears that specific CAC offices may differ in their level of scrutiny, but are likely to focus particularly on reviewing the PIA Report as part of assessing the risk and operation of the relevant data transfer. We also recommend that data controllers be prepared to submit supplemental materials in response to questions from the relevant CAC office, which in turn may extend the timeline for any review. Consultations with the specific relevant CAC offices may be helpful for data controllers in relation to the above.

PIA Report

The PIA Report template attached to the Guidance is similar to the self-assessment report used for the PIPL's governmental security assessment regime for critical information infrastructure operators. There are also additional requirements for such Reports, such as specifying further details on the personal information being exported, any sensitive personal information involved, and any automated data processing involved. Key sections of this template include:

  • The introduction to the PIA Report – including commencement and completion dates, the parties' involvement and the assessment methodology.
  • Overview of personal information export activities – including corporate information for both the data controller and overseas recipient, the technology infrastructure involved, personal information protection capabilities, and description of the scope and mode of personal information transfer.
  • Impact assessment – including item-based risk identification and evaluation, conclusion and justification on the adopted personal information transfer regime.

The Guidance also re-states situations when data controllers should undertake to submit a fresh PIA Report and amend or supplement a previously-executed SCC. For example, where there are:

  • changes in the purpose, scope, type, sensitivity, quantity, provision manner, retention period, storage location of the personal information transferred and the purpose and manner of processing by the overseas recipient, or extension of the retention period of the personal information transferred;
  • changes in the personal information protection policies and regulations of the country or region where the overseas recipient is located which may affect the rights and interests of the data subjects; or
  • any other circumstances that might affect the rights and interests of the data subjects.

In the above situations, data controllers should also file a signed restated or supplemental SCC with the CAC within the specified timeframe. The SCC should be kept up to date so that it continues to fulfil the filing obligations under the PIPL.

One important point to note – we have seen many organisations proactively complete PIA Reports using the relevant requirements under the GDPR as a guideline. While this is helpful, such exercises may need to further consider the requirements specified by the Guidance.

Consequences of non-compliance

Data controllers who are not compliant with the filing requirements under the Measures will be subject to penalties stipulated under the PIPL and other relevant laws and regulations. Under the PIPL, warnings, correction orders, suspension of personal information export activities, and forfeiture of illicit gains may be ordered in case of a violation; in particular, a fine of not more than RMB 1 million may be imposed for data controllers who refuse to rectify the breach. For serious breaches, the penalty may include a maximum fine of RMB 50 million or five percent of the data controller's annual turnover from the previous year.

Conclusion and thoughts

The Guidance provides welcome guidelines regarding both the SCC itself and the filing process required for the SCC, including in relation to the PIA Report.

At a more general level, we anticipate the CAC will take enforcement actions against those who do not comply with the cross-border transfer provisions of the PIPL, as there are significant sensitivities regarding international data transfers (both within and outside of mainland China). We would therefore highly recommend that exporters of personal information from mainland China actively seek to comply with the PIPL, whether via the SCC or other available mechanisms.

For those who are considering using the SCC, we would specifically recommend the following:

1. Conduct a deep dive into your organization and identify what personal information is being exported, and which specific entities are exporting (and receiving) the relevant personal information.

2. Ensure that for any cross-border data transfers, you have:

  • conducted PIA Reports;
  • entered into the appropriate SCC and other agreements as required; and
  • for those agreements already in place, updated them to reflect both the above requirements and the actual operations of your organisation.

3. File executed SCCs with the relevant CAC, pursuant to the above requirements – including ensuring that you are prepared for any supplemental submissions.

It will also be interesting to see how the PIPL cross-border data transfer mechanisms will be implemented within the Greater Bay Area, given the recent execution of a personal data transfer-related MOU between the CAC and the Innovation, Technology and Industry Bureau in Hong Kong.

Hoi Tak Leung, Counsel, Ashurst Hong Kong is admitted in New South Wales and Hong Kong and his practice involves TMT-related advisory work – including in relation to fintech, cybersecurity, data privacy and emerging technologies.

With thanks to Jessica Chan (Trainee Lawyer) and Hannah Chiu (Intern) for their assistance with this article.

Published: 2023-08-29T11:42:00