Hoi Tak Leung explains the new guidance on standard contracts when exporting personal data from China.
Introduction
The Cyberspace Administration of China (CAC) on 30 May 2023 released the Guidance for the Filing of the Standard Contracts for the Outbound Transfer of Personal Information (the Guidance).
The Guidance supplements the Measures for Standard Contract for the Outbound Transfer of Personal Information (the Measures), and sets out the filing process that data controllers (called "personal information processors" under the Personal Information Protection Law (PIPL), that is, an organisation or individual that independently determines the purposes and means of the processing) are required to undertake under the Measures and pursuant to the PIPL. Importantly, the Guidance contains a long-awaited template contract for data transfer – the standard contract (SCC).
The Measures came into effect on 1 June 2023. For companies that are required to file a standard contract for data transfer, the Measures provide a grace period of six months, during which they can continue any already-commenced outbound transfer of personal information. After that, companies that have not completed the standard contract's filing, or whose filing has not been approved, may not continue the outbound transfer of personal information.
Background to, and applicability of, the Guidance
The PIPL sets out three routes by which personal information can be exported, namely:
The Certification regime is generally aimed at intragroup personal information transfers within large multinational companies, and involves a lengthy list of requirements. Most data controllers do not reach the CAC-specified thresholds and therefore cannot use the Security Assessment method. We expect that the SCC will be the most commonly used data export route for data controllers, so the Guidance is highly welcome (having been released two days before the Measures came into effect).
Both the Measures and the Guidance remind data controllers not to evade the Security Assessment by dividing up the amount of personal information exported to overseas recipients through the SCC.
The Guidance also clarifies that the Measures apply to:
Data controllers who have not submitted the filings may continue their personal information transfer activities until 30 November 2023; from 1 December 2023, those who fail to submit or whose submissions are pending approval will be required to suspend exporting of personal information. One outstanding point to be confirmed during this period is whether data controllers and their affiliated entities are eligible for a combined filing.
Filing process
Formalities
Physical copies of the executed SCC and electronic copies of the filing materials should be filed with the CAC office of the province where the data controller is located – noting that currently there is no online channel for applications, and so the specific requirements for submission may differ between CAC offices. For example, the Beijing CAC office has released guidance specifying that filing materials should be submitted via email before physical copies are submitted. The differing requirements may be particularly onerous for those controllers whose initial submissions are unsuccessful, and who therefore need to make supplemental applications and additional filings.
Materials to be filed
The following material will need to be filed with the CAC by the relevant data controller:
1. Originals of:
2. Photocopies (with the data controller's official seal) of:
Process and timing
Under the Guidance, the data controller's process for filing an SCC is divided into four phases:
Neither the Measures nor the Guidance specifies the level of scrutiny with which the CAC will review submissions. From our experience, and given the purpose of the PIPL regime, it appears that specific CAC offices may differ in their level of scrutiny, but are likely to focus particularly on reviewing the PIA Report as part of assessing the risk and operation of the relevant data transfer. We also recommend that data controllers be prepared to submit supplemental materials in response to questions from the relevant CAC office, which in turn may extend the timeline for any review. Consultations with the specific relevant CAC offices may be helpful for data controllers in relation to the above.
PIA Report
The PIA Report template attached to the Guidance is similar to the self-assessment report used for the PIPL's governmental security assessment regime for critical information infrastructure operators. There are also additional requirements for such Reports, such as specifying further details on the personal information being exported, any sensitive personal information involved, and any automated data processing involved. Key sections of this template include:
The Guidance also re-states the situations in which data controllers should submit a fresh PIA Report and amend or supplement a previously-executed SCC. For example, where there are:
In the above situations, data controllers should file a signed restated or supplemental SCC with the CAC within the specified timeframe. The SCC should be kept up to date so that it continues to fulfil the filing obligations under the PIPL.
One important point to note – we have seen many organisations proactively complete PIA Reports using the relevant requirements under the GDPR as a guideline. While this is helpful, such exercises may need to be extended to consider the requirements specified by the Guidance.
Consequences of non-compliance
Data controllers who are not compliant with the filing requirements under the Measures will be subject to penalties stipulated under the PIPL and other relevant laws and regulations. Under the PIPL, warnings, correction orders, suspension of personal information export activities, and forfeiture of illicit gains may be ordered in case of a violation; in particular, a fine of not more than RMB 1 million may be imposed for data controllers who refuse to rectify the breach. For serious breaches, the penalty may include a maximum fine of RMB 50 million or five percent of the data controller's annual turnover from the previous year.
Conclusion and thoughts
The Guidance provides welcome guidelines regarding both the SCC itself and the filing process required for the SCC, including in relation to the PIA Report.
At a more general level, we anticipate the CAC will take enforcement actions against those who do not comply with the cross-border transfer provisions of the PIPL, as there are significant sensitivities regarding international data transfers (both within and outside of mainland China). We would therefore highly recommend that exporters of personal information from mainland China actively seek to comply with the PIPL, whether via the SCC or other available mechanisms.
For those who are considering using the SCC, we would specifically recommend the following:
1. Conduct a deep dive into your organisation and identify what personal information is being exported, and which specific entities are exporting (and receiving) the relevant personal information.
2. Ensure that for any cross-border data transfers, you have:
3. File executed SCCs with the relevant CAC office, pursuant to the above requirements – including ensuring that you are prepared for any supplemental submissions.
It will also be interesting to see how the PIPL cross-border data transfer mechanisms will be implemented within the Greater Bay Area, given the recent execution of a personal data transfer-related MOU between the CAC and the Innovation, Technology and Industry Bureau in Hong Kong.
Hoi Tak Leung, Counsel, Ashurst Hong Kong is admitted in New South Wales and Hong Kong and his practice involves TMT-related advisory work – including in relation to fintech, cybersecurity, data privacy and emerging technologies.
With thanks to Jessica Chan (Trainee Lawyer) and Hannah Chiu (Intern) for their assistance with this article.
Published: 2023-08-29T11:42:00