The Cyberspace Administration of China issued the Measures on Standard Contracts for Personal Information Export (the “Standard Contracts Measures”) on February 24, 2023; they take effect on June 1, 2023. With this, the legal basis for all three approaches stipulated in Article 38 of the Personal Information Protection Law under which a personal information processor may provide personal information outside the People’s Republic of China is complete. Compared with a “security assessment” and a “personal information protection certification”, concluding a “standard contract” is undoubtedly the most direct and convenient of the three approaches.
1. Application Scenarios of Standard Contracts Measures
Under the Standard Contracts Measures, transferring personal information overseas by concluding a “standard contract” requires that all four of the following conditions be met: (1) the personal information processor is not a critical information infrastructure operator; (2) the processor handles the personal information of fewer than 1 million individuals; (3) the processor has cumulatively provided the personal information of fewer than 100,000 individuals overseas since January 1 of the previous year; and (4) the processor has cumulatively provided the sensitive personal information of fewer than 10,000 individuals overseas since January 1 of the previous year. It is worth noting that a processor meeting these conditions which, together with the overseas recipient, belongs to the same multinational company or to affiliated companies within one economic or business entity may instead achieve compliance for the outbound transfer through the “personal information protection certification” approach. However, if the processor is a critical information infrastructure operator, or the personal information it processes or exports exceeds any of the thresholds above, it must still undergo the “security assessment” under the Security Assessment Measures for Outbound Data Transfers, even if it qualifies as an affiliated company under the certification approach.
It can be seen that the authority intends to simplify the regulatory requirements for personal information export by standard contract where the quantity of personal information involved is controllable, following a principle of “lower risk, lighter control”. From the processor’s perspective, when the quantity of personal information concerned is limited, concluding a “standard contract” is undoubtedly more convenient and avoids heavy compliance costs. In practice, typical scenarios for using a “standard contract” to achieve export compliance include a domestic processor entrusting an overseas third party with employee management matters such as employee equity incentives, a domestic processor providing personal information overseas in the course of cross-border mergers and acquisitions, transactions or services, and a contract research organization (CRO) providing clinical trial data containing personal information to overseas parties.
2. Compliance Actions under Standard Contracts Measures
Under the standard contract approach, personal information export compliance consists of three core parts: contracting, impact assessment and filing.
“Contracting” means that the onshore personal information processor concludes a written agreement with the overseas recipient, i.e. enters into the standard contract. The standard contract sets out (1) the obligations of the personal information processor, (2) the obligations of the overseas recipient, (3) the impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on performance of the contract, (4) the rights of the personal information subject, (5) legal remedies, (6) termination of the contract, and (7) liability for breach of contract, and records the details of the transfer, such as the processing purpose and method, the scale and types of personal information exported, onward provision to third parties after export, the transmission method, and the overseas storage location and retention period. The Cyberspace Administration of China has annexed a template standard contract for personal information export to the Standard Contracts Measures that covers all of the above. From a regulatory perspective, concluding the template as finalized therefore minimizes the compliance risk of the export and greatly reduces the review burden on the cyberspace administration, so that the purpose of “lower risk, lighter control” is effectively achieved. Signing and filing the template does not prevent the processor and the overseas recipient from also concluding other agreements and legal documents relating to the export in order to clarify and refine the commercial terms and the parties’ rights and obligations, provided that those other agreements and documents do not conflict with the standard contract.
“Impact assessment” means that the personal information processor must conduct a personal information protection impact assessment before providing personal information overseas. The assessment focuses on: (1) the legality, legitimacy and necessity of the purpose, scope and method of processing by the processor and the overseas recipient; (2) the scale, scope, types and sensitivity of the personal information exported, and the risks the export may pose to the rights and interests of personal information subjects; (3) the obligations the overseas recipient undertakes, and whether its administrative and technical measures and capabilities for fulfilling them can ensure the security of the exported personal information; (4) the risk of the personal information being tampered with, destroyed, leaked, lost or illegally used after export, and whether individuals have effective channels for safeguarding their personal information rights and interests; (5) the impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on performance of the standard contract; and (6) other matters that may affect the security of the exported personal information. Compared with the “self-assessment of data export risk” under the Security Assessment Measures for Outbound Data Transfers, the “impact assessment” does not address the risks that the export may pose to national security, the public interest, or the legitimate rights and interests of organizations.
Because the contract is based on the standard contract template formulated by the Cyberspace Administration, the assessment no longer needs to scrutinize the responsibilities and obligations for personal information security protection set out in the legal document itself; instead it emphasizes the legal applicability of the “standard contract” in the country or region where the overseas recipient is located. These differences make the “impact assessment” for a “standard contract” more reasonable and targeted.
After completing the “contracting” and “impact assessment” steps, the domestic personal information processor must file with the cyberspace administration at the provincial level within 10 working days of the effective date of the standard contract. Generally, the filing comprises only the “standard contract” and the “impact assessment” report.
A personal information processor that has carried out personal information export activities before the Standard Contracts Measures take effect must rectify them and complete the compliance actions described above by the end of November 2023.
3. Obligations after Filing
Unlike a data export security assessment result under the Security Assessment Measures for Outbound Data Transfers, which is valid for two years, a “standard contract” filing has no validity period. However, the personal information processor must re-conduct the “impact assessment”, supplement or re-sign the “standard contract”, and complete a new filing in any of the following circumstances: (1) a change in the purpose, scope, category, sensitivity, method or storage location of the personal information provided overseas, a change in the purpose or method of processing by the overseas recipient, or an extension of the overseas retention period; (2) a change in the personal information protection policies or regulations of the country or region where the overseas recipient is located that may affect personal information rights and interests; or (3) any other circumstance that may affect personal information rights and interests.
In addition, if the quantity of personal information exported by a personal information processor reaches, in any period, a threshold specified in the Security Assessment Measures for Outbound Data Transfers, the processor must complete a security assessment of the personal information export in accordance with the relevant procedures.
7F Wheelock Square, 1717 Nanjing West Road, Shanghai 200040, PRC