On 22 February 2023, the Cyberspace Administration of China (“CAC”) released the long-awaited standard contract (“Standard Contract”) for personal information export and an accompanying regulation (“Regulation”), seven months after it published the first draft for consultation. The Regulation takes effect from the 1 June and provides for a six-month rectification period.
In this article, we highlight the key provisions of the Standard Contract and the Regulation and set out our observations on the proposed measures. If you would like a copy of the English translation of the Standard Contract, please contact James Gong at james.gong@twobirds.com.
Article 38 of the Personal Information Protection Law (“PIPL”) (for our comments on the PIPL, please click here) provides three routes for personal information processors (“PI Processors”)[1] to export personal information (“PI”), namely:
The Governmental Assessment becomes the first route that has been made available by the CAC, when it published the guidance for submission at the end of August 2022. Data Processors are given a six-month grace period to complete their submissions, which expired on 28 February 2023. (For our comments on the Governmental Assessment, please click here).
In 2022, the National Information Security Standardization Technical Committee (“TC260”) also released and updated a guidance document for the Certification Regime; (for our comments on the Certification Regime, please click here and here).
The CAC released the draft Standard Contract together with the regulation in July 2022. Since then, there has been speculation as to when the CAC will put the last piece to complete data export regulatory framework.
Looking at the three routes, most PI Processors do not reach the Thresholds and therefore are not eligible for the Governmental Assessment. The Certification Regime appears to be designed for intragroup PI transfer within large multinational companies or international organisations and has yet to open any channels for applications. As a result, the Standard Contract is expected to be the most used route for PI Processors.
Under the PIPL, the PI Processor may consider using the Standard Contract as its route for exporting PI, only if the proposed export is not subject to the Governmental Assessment.
Measures of Security Assessment for Data Export (“Security Assessment Measures”) identify the following circumstances where the Governmental Assessment applies to data export, which include:
The Regulation confirms this position and further prohibits the PI Processors from circumventing the requirements of the Governmental Security Assessment for example, by splitting the volume of data export by one PI Processor amongst several PI Processors. The CAC fears that certain companies may try to avoid reaching the Thresholds by reducing the volume of personal information exported by a single entity. However, the Regulation does not specify how to identify an intended circumvention, Enforcement of such requirement may give rise to practical issues, for example, whether a reasonable optimisation of the IT infrastructure within a group company constitutes an intended circumvention.
The Regulation refers to the exporter as the “PI Processor” in China, which is in line with the PIPL. Apparently, neither the PIPL nor the Regulation contemplates that exporters who are entrusted by the PI Processor with processing PI (“Entrusted Party”) will qualify as an exporter able to sign the Standard Contract. The Security Assessment Measures take a similar position that only a PI Processor is eligible to apply for the Governmental Assessment, although in practice the CAC in certain circumstances will allow an Entrusted Party to apply. It is not clear whether the CAC intends the Entrusted Parties to be exempted from the Regulation.
On the other hand, a data importer is defined as an organisation or individual located outside China, who receives PI from a PI processor. The Standard Contract seems to indicate that the data importer can be either a PI processor or an Entrusted Party.
In summary, the Standard Contract can be used by a PI Processor to export personal information to a data importer that is either a PI Processor or an Entrusted Party. In comparison, the standard contractual clauses (“SCCs”) under the GDPR which provide for four modules to cater to the different roles of the exporters and importers as a controller or a processor in the data processing activities.
What is not clear is which party will be the appropriate signatory to the Standard Contract when there are more than two parties involved in the data export activities. For instance, when an PI Processor exports personal information via an Entrusted Party in China or when a PI Processor receives personal information via an Entrusted Party outside China, the parties may disagree as to who should sign the Standard Contract.
PIPIA
The PIPL requires a PI Processor to conduct a PIPIA for, amongst others, exporting PI and keep a record for that. The Regulation further provides for key aspects that a PIPIA for data export must cover, including:
So far, the authorities have not published any guidelines on how to conduct the PIPIA. The TC260 published recommended national standards on conducting a personal information security impact assessment in 2020, but with the effectiveness of the PIPL in 2021 these standards will need to be updated if they are to apply to the PIPIA.
TIA
The concept of a TIA originates from the European Court of Justice in its Schrems II decision, where a data exporter is required to, with the assistance of the importer, (i) verify whether the law of the third country of destination ensures adequate protection (under the EU law) for PI being transferred pursuant to the SCCs; and (ii) provide additional safeguards to those offered by the clauses if the protection is not adequate.
Under the Regulation, the PIPIA will also include an assessment of the impact of the PI protection policies, laws and regulations of the country or region where the data importer is located upon the performance of the Standard Contract.
Clause 4 of the Standard Contract requires the data exporters and importers to warrant that:
The data importers must represent that they have used their best efforts to provide the necessary information to the data exporters. Both the data exporters and importers must record the assessment process and results in writing, which gives rise to a formal contractual obligation to conduct a TIA.
The requirements for a TIA under the GDPR and the Regulation are similar, except that in China the TIA is part of the PIPIA for data export. The exporters are expected to file the signed Standard Contract and the PIPIA report with the provincial level CAC within ten business days of the Standard Contract taking effect.
The Standard Contract requires data exporters to undertake to notify the individuals who have been made third-party beneficiaries, who are entitled to enjoy the associated legal rights unless they expressly refuse within 30 days of being notified. The data exporters will now need to make sure that they have included in the privacy notice information on third-party beneficiaries and contact details, via which the individuals can express their objection.
In addition, as third-party beneficiaries, individuals are given the right to enforce the obligations of the data exporters and importers under the Standard Contract. In particular,
To enforce their rights in a dispute with the data exporters or the importers, individuals may elect to (i) file a complaint with the supervisory authority, or (ii) lodge a lawsuit against the parties to the Standard Contract in accordance with Chinese laws. Individuals can claim damages from the party that has infringed the rights of the individuals based on a breach of the Standard Contract.
Where the individuals choose to bring a lawsuit against the parties to the Standard Contract, the court of competent jurisdiction will be determined by Chinese civil procedure laws. Enforcement of a Chinese court judgement may be difficult outside China. and that the exporters are jointly and severally liable for losses caused to the individuals by the data importers under the Standard Contract. As such, individuals may be more likely to bring civil actions against the data exporters.
Data importers are unable to provide the PI to a third party located outside China unless the data importers have:
The PIPL uses the word “provide” to indicate sharing of PI by a PI Processor with another PI Processor. If “provide” has the same meaning in the Standard Contract, both the data importer and the third party receiving the PI in an onward transfer should be PI Processors.
The Standard Contract requires the data importer that is an Entrusted Party of the data exporter to obtain consent of the data exporter before sub-entrusting a third party for processing.
It appears that the Standard Contract imposes different obligations on data importers who are separate PI Processors and those who are the Entrusted Parties of the data exporter.
Reporting obligations of data importers
In the event of a data breach, data importers are obliged to not only notify the data exporters but also the supervisory authority of China in accordance with Chinese laws. Individuals must also be notified where required by applicable laws and regulations.
The Standard Contract has extended the reporting obligations under Chinese law to the data importers irrespective of whether the data importers are subject to any extraterritorial effect of the laws.
Arbitration as dispute resolution
The Standard Contract allows the parties to settle their dispute by arbitration, with the ability to choose by agreement which arbitration institution and venues. The parties may choose an arbitration institution of a country that is a party to the Convention on the Recognition and Enforcement of Foreign Arbitral Awards, providing a possibility for the dispute to be heard by a foreign arbitration institution.
Data exporters’ right to information
Data importers are obliged under the Standard Contract to provide necessary information to the data exporters to prove the data importers’ compliance with the Standard Contract, including allowing the data exporters to access relevant documents or ability to audit the relevant data processing activities. In practice, the parties may would like to further define the scope of the data exporters’ right to information to avoid any potential dispute.
Separate consent
The Standard Contract requires both the exporters and the importers to obtain a sperate consent, only when the legal basis of the processing is consent. This new provision in the Standard Contract seems to support the view that a PI Processor should be exempted from the obligation of obtaining separate consent if its processing is not based upon consent, which is good news for PI Processors. The Standard Contract itself lacks the legal authority of a regulation, but still it provides the PI Processors with a stronger legal argument when it opts not to obtain a separate consent for processing that is based on legal grounds other than consent.
The Standard Contract and the Regulation completes the Chinese regulatory framework for PI Export. Whilst the Standard Contract in China bears many similarities with the SCCs under the GDPR, the data importers and exporters are required to sign the Standard Contract in the form as released by the CAC without any changes, and additional terms must not contradict with the Standard Contract.
PI Processors in China are recommended to take the following actions to ensure compliance with the Standard Contract and Regulation: