China’s Data Export Framework Completed with Release of Standard Contract

In this article, we highlight the key provisions of the Standard Contract and the Regulation and set out our observations on the proposed measures. If you would like a copy of the English translation of the Standard Contract, please contact James Gong at james.gong@twobirds.com.

Background

Article 38 of the Personal Information Protection Law (“PIPL”) (for our comments on the PIPL, please click here) provides three routes for personal information processors (“PI Processors”)^[1] to export personal information (“PI”), namely:

1. passing a governmental security assessment (“Governmental Assessment”) that is required for critical information infrastructure (“CII”) operators as well as organisations that process personal information reaching one of the three threshold amounts (“Thresholds”) specified by the CAC;
2. attaining a PI protection certification (“Certification Regime”) by an institution accredited by the CAC; or
3. entering into a Standard Contract with the overseas recipient.

The Governmental Assessment becomes the first route that has been made available by the CAC, when it published the guidance for submission at the end of August 2022. Data Processors are given a six-month grace period to complete their submissions, which expired on 28 February 2023. (For our comments on the Governmental Assessment, please click here).

In 2022, the National Information Security Standardization Technical Committee (“TC260”) also released and updated a guidance document for the Certification Regime; (for our comments on the Certification Regime, please click here and here).

The CAC released the draft Standard Contract together with the regulation in July 2022. Since then, there has been speculation as to when the CAC will put the last piece to complete data export regulatory framework.

Looking at the three routes, most PI Processors do not reach the Thresholds and therefore are not eligible for the Governmental Assessment. The Certification Regime appears to be designed for intragroup PI transfer within large multinational companies or international organisations and has yet to open any channels for applications. As a result, the Standard Contract is expected to be the most used route for PI Processors.

Key Provisions and Observations

I. When to use the Standard Contract? 

Under the PIPL, the PI Processor may consider using the Standard Contract as its route for exporting PI, only if the proposed export is not subject to the Governmental Assessment. 

Measures of Security Assessment for Data Export (“Security Assessment Measures”) identify the following circumstances where the Governmental Assessment applies to data export, which include: 

1. export of important data;
2. export of personal information by CII operators;
3. export of personal information by a data processor that processes personal information of 1,000,000 individuals or more;
4. export by a data processor that from 1 January of last calendar year in aggregate exports (i) personal information of 100,000 individuals or more; or (ii) sensitive personal information of 10,000 individuals or more; and
5. such other circumstances as specified by the CAC.

The Regulation confirms this position and further prohibits the PI Processors from circumventing the requirements of the Governmental Security Assessment for example, by splitting the volume of data export by one PI Processor amongst several PI Processors. The CAC fears that certain companies may try to avoid reaching the Thresholds by reducing the volume of personal information exported by a single entity. However, the Regulation does not specify how to identify an intended circumvention, Enforcement of such requirement may give rise to practical issues, for example, whether a reasonable optimisation of the IT infrastructure within a group company constitutes an intended circumvention.

II. Who should sign the Standard Contract? 

The Regulation refers to the exporter as the “PI Processor” in China, which is in line with the PIPL. Apparently, neither the PIPL nor the Regulation contemplates that exporters who are entrusted by the PI Processor with processing PI (“Entrusted Party”) will qualify as an exporter able to sign the Standard Contract. The Security Assessment Measures take a similar position that only a PI Processor is eligible to apply for the Governmental Assessment, although in practice the CAC in certain circumstances will allow an Entrusted Party to apply. It is not clear whether the CAC intends the Entrusted Parties to be exempted from the Regulation.

On the other hand, a data importer is defined as an organisation or individual located outside China, who receives PI from a PI processor. The Standard Contract seems to indicate that the data importer can be either a PI processor or an Entrusted Party.

In summary, the Standard Contract can be used by a PI Processor to export personal information to a data importer that is either a PI Processor or an Entrusted Party. In comparison, the standard contractual clauses (“SCCs”) under the GDPR which provide for four modules to cater to the different roles of the exporters and importers as a controller or a processor in the data processing activities.

What is not clear is which party will be the appropriate signatory to the Standard Contract when there are more than two parties involved in the data export activities. For instance, when an PI Processor exports personal information via an Entrusted Party in China or when a PI Processor receives personal information via an Entrusted Party outside China, the parties may disagree as to who should sign the Standard Contract.

III. Personal Information Protection Impact Assessment (“PIPIA”) and Transfer Impact Assessment (“TIA”) 

PIPIA

The PIPL requires a PI Processor to conduct a PIPIA for, amongst others, exporting PI and keep a record for that. The Regulation further provides for key aspects that a PIPIA for data export must cover, including:

1. the legality, legitimacy and necessity of the purpose, scope and means of the processing by the data exporters and the data importers;
2. the scale, scope, types and sensitivity of the PI to be exported and the risks to the PI rights and interests of individuals;
3. the obligations of the importers and whether their organisational and technical measures and capability can ensure security of the PI to be exported;
4. risks of the PI being altered without authorisation, destructed, leaked, lost, or illegally used and the effectiveness of the channels for individuals to exercise their rights to PI;
5. the impact of the PI protection policies, laws and regulations of the country or region where the data importers are located upon the performance of the Standard Contract; and
6. other matters that may impact security of PI export.

So far, the authorities have not published any guidelines on how to conduct the PIPIA. The TC260 published recommended national standards on conducting a personal information security impact assessment in 2020, but with the effectiveness of the PIPL in 2021 these standards will need to be updated if they are to apply to the PIPIA. 

TIA

The concept of a TIA originates from the European Court of Justice in its Schrems II decision, where a data exporter is required to, with the assistance of the importer, (i) verify whether the law of the third country of destination ensures adequate protection (under the EU law) for PI being transferred pursuant to the SCCs; and (ii) provide additional safeguards to those offered by the clauses if the protection is not adequate. 

Under the Regulation, the PIPIA will also include an assessment of the impact of the PI protection policies, laws and regulations of the country or region where the data importer is located upon the performance of the Standard Contract. 

Clause 4 of the Standard Contract requires the data exporters and importers to warrant that:

1. they are not aware of any PI protection policies, laws or regulations of the country where the data importers are located which will prevent the data importers from performing the Standard Contract, including any requirement to provide PI to or grant authorisation of access to PI to the public authorities; and
2. they have taken into account the following when giving the warranty in item i above, including:

1. details of the export and track record of the importers in data export activities, such as whether the importers have received any requests from public authorities to provide PI and if so, how the importers responded to the requests;
2. the key factors of the PI protection policies, laws and regulations of the country or region where the data importers are located, including
   • the PI protection laws, regulations and applicable standards;
   • the regional or global PI protection organisations such country or region has joined and the undertakings it has given; and
   • the mechanism for implementing PI protection, e.g., whether there are PI protection supervisory authorities and relevant judicial bodies; and
3. the security management system and technical security capability of the data importers.

The data importers must represent that they have used their best efforts to provide the necessary information to the data exporters. Both the data exporters and importers must record the assessment process and results in writing, which gives rise to a formal contractual obligation to conduct a TIA. 

The requirements for a TIA under the GDPR and the Regulation are similar, except that in China the TIA is part of the PIPIA for data export. The exporters are expected to file the signed Standard Contract and the PIPIA report with the provincial level CAC within ten business days of the Standard Contract taking effect.

IV. Third-party beneficiary

The Standard Contract requires data exporters to undertake to notify the individuals who have been made third-party beneficiaries, who are entitled to enjoy the associated legal rights unless they expressly refuse within 30 days of being notified. The data exporters will now need to make sure that they have included in the privacy notice information on third-party beneficiaries and contact details, via which the individuals can express their objection.  

In addition, as third-party beneficiaries, individuals are given the right to enforce the obligations of the data exporters and importers under the Standard Contract. In particular,

1. Individuals have rights under the PIPL and other relevant laws, such as the right to information, right to restrict or refuse processing, etc; 
2. Individuals may request the data exporters (with the assistance of the importers) or data importers to take actions to respect the exercise of the rights in item i above;
3. Data importers must respect and realize the rights exercised by the individuals within a reasonable time period and notify the individuals of the relevant information in a conspicuous and clear manner; and
4. Individuals have the right to request either the exporters or the importers to perform any obligations relevant to their PI rights under the Standard Contract. 

To enforce their rights in a dispute with the data exporters or the importers, individuals may elect to (i) file a complaint with the supervisory authority, or (ii) lodge a lawsuit against the parties to the Standard Contract in accordance with Chinese laws. Individuals can claim damages from the party that has infringed the rights of the individuals based on a breach of the Standard Contract.  

Where the individuals choose to bring a lawsuit against the parties to the Standard Contract, the court of competent jurisdiction will be determined by Chinese civil procedure laws. Enforcement of a Chinese court judgement may be difficult outside China. and that the exporters are jointly and severally liable for losses caused to the individuals by the data importers under the Standard Contract. As such, individuals may be more likely to bring civil actions against the data exporters.