On 24 February 2023, the CAC released a draft of the long-awaited finalised standard contract for personal information export and an accompanying regulation (Standard Contract Regulation) for public consultation, providing us a preview of the standard contract regime set out by Article 38 of the PIPL.
Under the PIPL, the PI processor (i.e. the counterpart concept of the data controller under the GDPR) may consider using the Standard Contract as its route for exporting PI, only if the proposed export is not subject to the Security Assessment that applies to the following scenarios:
The Standard Contract Regulation refers to the exporter as the “PI processor”, which is in line with the PIPL. Apparently, neither the PIPL nor the Standard Contract Regulation contemplates that the restrictions on data export will apply to exporters who are entrusted by the PI processor with processing PI (Entrusted Parties). The Standard Contract does not differentiate the role of the data importer as a PI processor or an entrusted party. In summary, a data exporter that is a PI processor may use the Standard Contract to export personal information to a data importer that is either a PI processor or an Entrusted Party.
The Standard Contract Regulation requires a PI processor to conduct a PIPIA and further provides for key aspects that a PIPIA for data export must cover, including the assessment of the impact of the PI protection policies, laws and regulations of the country or region where the data importer is located upon the performance of the Standard Contract.
The Standard Contract Regulation also requires PI processors to file with the local provincial CAC within 10 working days from the effective date of the standard contract and submit the standard contract and the PIPIA report.
In the Standard Contract, the data exporters must notify the individuals that they have been made third-party beneficiaries unless they expressly refuse within 30 days of being notified. The data exporters will now need to make sure that they have included in the privacy notice content on third-party beneficiaries and contact details, via which the individuals express their objection. In addition, as third-party beneficiaries, individuals are given the rights to enforce the obligations of the data exporters and importers under the Standard Contract.
The finalised Standard Contract and the relevant regulation marks that China has established mechanism for exporting PI via Standard Contract.
Compared with Security Assessment and Certification (see here), the Standard Contract would be the most convenient and commonly used route for exporting PI. Whilst the Standard Contract of China bears many similarities with the SCCs under the GDPR, the data importers and exporters should pay attention to the worth- noting differences and consider its compatibility with the current cross-border transfer tools.
*Information is accurate up to 27 November 2023