Alerts

06/22/2023

China Issues Guidelines For Filing The Standard Contract For Cross-Border Transfers Of Personal Information

On May 30, 2023, the Cyberspace Administration of China (CAC) issued the Guidelines for Filing the Standard Contract for Cross-Border Transfer of Personal Information (SC). On June 1, 2023, the SC became an effective mechanism for transferring personal data outside of China, similar in effect to the Standard Contractual Clauses under the EU’s General Data Protection Regulation (GDPR). Uniquely, when the SC is used as a transfer mechanism, it must be filed with the CAC, which adds a new compliance step for entities. Thankfully, the recently published SC Guidelines provide useful guidance for filing. Read on to find out more:

What is the PIPL?

China’s Personal Information Protection Law (PIPL) is a data privacy law that was put into effect on November 1, 2021. PIPL presents many similar requirements when compared to GDPR, though PIPL has an increased focus on data processing in a national security context when compared to GDPR, which presents unique compliance requirements.

PIPL has extended the territorial scope to encompass personal information processing entities, provided that the purpose of the processing is: (1) to provide products or services to individuals in China, (2) to analyze or assess the behavior of individuals in China or (3) for any circumstances as provided by laws or regulations.

What Constitutes a Cross-Border Transfer Under the SC?

PIPL broadly defines personal information (PI) as any information (such as video, voice, or image data) relating to any identified or identifiable natural person, notwithstanding whether it is in an electronic form or any other form, exclusive of any anonymized information. A PI handler is considered an organization or individual that independently determines the purposes and means of processing PI.

A cross-border transfer of PI occurs when a PI handler, or processing entity, outside of Chinese territory accesses, retrieves, downloads, or exports personal information collected and generated through operations within China.

When can the SC Be Used?

There are three legal mechanisms for PI handlers to transfer PI outside of China:

  • Undergo a mandatory CAC-administered security assessment;
  • Obtain a personal information protection certification from a CAC-recognized professional institution; or
  • Enter into an SC with overseas recipients.

If a PI handler is not required to undergo a security assessment due to the volume or nature of PI being transferred, a PI handler may use the SC for cross-border transfers of PI.

What are the SC Guidelines?

China released guidelines to provide details on the requirements and filing procedures for the SC. The SC requires certain documents to be provided, including the Standard Contract, a Letter of Commitment, and a Personal Information Protection Impact Assessment (PIPIA).

A PI handler may use the SC as a mechanism for the cross-border transfer of PI if it meets any of the following:

  • It is not a critical infrastructure information operator;
  • It is processing PI of less than one million individuals;
  • It has transferred PI of less than 100,000 individuals from January 1 of the preceding year; or
  • It has transferred sensitive PI of less than 10,000 individuals from January 1 of the preceding year.

The guidelines set out that a PI handler shall file the executed SC together with an Impact Assessment Report for Personal Information, both in writing and electronic form, with the local CAC within ten (10) business days from the effectiveness of the SC. The local CAC shall complete the review of the application documents within fifteen (15) business days and notify the result of the filing, which shall be either “pass” or “fail”.

How Can PI Handlers Take Steps to Ensure Compliance with the PIPL and the New Guidelines?

A PI handler needs to carefully evaluate whether the SC is the applicable mechanism for the cross-border transfer of PI outside mainland China or whether a mandatory security assessment administered by the authority will apply.

In the event that the SC mechanism is the appropriate mechanism, a PI handler is still required to conduct a self-assessment on PIPIA and file the executed Standard Contract and such self-assessment report with the provincial regulatory authority. Companies, or PI handlers, that fail to comply will be subject to penalties under the PIPL, which can include substantial fines and suspension of all PI transfers.

There is a grace period of six (6) months until December 1, 2023, for companies to bring their cross-border transfers into compliance.

Contact a member of McGrath North’s Privacy and Cybersecurity team to ensure that your compliance framework is up to date with the CAC and the new guidelines regarding cross-border transfers of personal information.