New draft provisions released by China’s cybersecurity regulator clarify how companies can transfer personal information overseas using a streamlined “standard contract” procedure. Under the PIPL, companies may not export personal information outside of China unless they pass a regulator-led security assessment, obtain certification, or sign a contract with the overseas recipient. The new provisions will greatly facilitate cross-border data transfer for foreign companies and multinationals that handle relatively small volumes of data. We explain the contract requirements for China data transfer.
On June 30, 2022, China’s top cybersecurity regulator, the Cyberspace Administration of China (CAC), released a draft set of provisions stipulating the requirements for using a “standard contract” to conduct cross-border data transfer (CBDT).
The new provisions, titled the Standard Contract Provisions on the Export of Personal Information (Draft for Comment) (“Standard Contract Provisions”), clarify how companies can transfer personal information (PI) outside of China by signing a “Standard Contract” with the overseas recipient of the data. This is a much simpler procedure that does not require an external audit, although, as explained below, it still requires a documented self-assessment.
Under China’s Personal Information Protection Law (PIPL), which came into effect on November 1, 2021, companies are required to undergo certain procedures or receive approval from the CAC in order to transfer certain types of data and quantities of PI outside of China. The Standard Contract is one of a few different mechanisms offered in the PIPL to receive approval for CBDT.
The Standard Contract Provisions are the third in a series of measures clarifying these approval mechanisms. On October 29, 2021, the CAC released a draft version of the Measures for Data Export Security Assessment (the “Security Assessment Measures”), which set out the requirements for a security assessment conducted by the CAC itself, mandatory for companies that export large volumes of data or data that is highly sensitive or deemed “important”.
Then, in April 2022, the Technical Specifications for Certification of Cross-Border Processing of Personal Information (the “Technical Specifications”) detailed the requirements for companies to obtain certification from an accredited third-party agency.
The Standard Contract Provisions are therefore the final piece of the puzzle, explaining in detail which companies are eligible for this mechanism, what additional procedures are required (such as the self-assessment), and what the contract itself must contain.
All three sets of data export security measures, released in late 2021 and 2022, serve to implement Article 38 of the PIPL, which sets out the conditions a company must satisfy before transferring PI overseas.
Specifically, companies must meet one of the following criteria in order to transfer PI over a certain scale overseas:
Article 38 also states that companies must adopt necessary measures to guarantee that the overseas recipient of the PI also complies with the requirements and regulations for processing and protecting PI stipulated in the PIPL.
“PI” is defined very broadly in the PIPL and is described as “various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously”.
This means PI includes any data point that can be used to identify an individual, such as names, phone numbers, device identifiers, and IP addresses. Separately, the PIPL also defines “sensitive” PI, which is subject to stricter protection requirements. Sensitive PI includes (but is not limited to):
The definition of sensitive PI is further expounded upon in the Personal Information Security Specification [GB/T 35273-2020].
PI does not, however, include data that has been properly anonymized, or aggregate data that cannot be traced back to specific individuals. Note that the bar for anonymization is high: data is only outside the PIPL’s scope if individuals cannot be identified from it and it cannot be restored to an identifiable form. Meanwhile, the “processing” of PI is defined broadly as “the collection, storage, use, processing, transmission, provision, publication, and erasure of PI”.
Note that if overseas employees remotely access and process the PI of Chinese users that is stored in China, this is also considered cross-border processing and is subject to the same requirements as a physical transfer of the PI to overseas facilities. Multinationals that grant regional or headquarters staff access to China-hosted systems should therefore treat that access as an export, even if no data is copied out of the country.
The Security Assessment Measures and the Technical Specifications, released in October 2021 and April 2022, clarify the requirements for the first two routes under Article 38 (clauses (1) and (2)), respectively. The new Standard Contract Provisions concern the third route (clause (3)), thus almost completing the implementation guidelines for the CBDT requirements stipulated in the PIPL.
The Standard Contract is arguably the simplest route to receiving approval for CBDT, as it requires no audit by either the CAC or an accredited third-party agency. However, companies taking this route must still carry out a Personal Information Protection Impact Assessment (PIPIA) and file it with the regulator, as we will see below.
Because the procedure is simplified, the Standard Contract is only available to relatively small-scale PI processors that do not handle data deemed to touch on national security or the public interest.
Companies that meet all of the following criteria are eligible to use the Standard Contract:
Before transferring PI overseas, companies must undergo a PIPIA. According to the Standard Contract Provisions, the PIPIA must assess the following matters:
The contents of the Standard Contract must essentially cover all of the aspects assessed in the PIPIA. Specifically, it must include the following items:
Within 10 working days of the contract taking effect, the PI processor must file the signed Standard Contract and the PIPIA report with the cybersecurity office at the provincial level where it is located. Filing is a record-keeping step rather than a pre-approval: the PI processor may begin CBDT activities as soon as the contract takes effect.
The PI processor must sign a new Standard Contract and file it again if, during the contract’s validity period, there is any change to the circumstances of the PI transfer described in the contract. This includes:
The PI processor may be ordered to stop its CBDT activity if the provincial-level cybersecurity office, or a higher-level office, finds that the activity no longer meets the relevant security requirements. In this case the PI processor will be notified of the termination in writing and must cease all PI export activity at once.
In certain circumstances, the PI processor may be ordered by the local cybersecurity office, or a higher-level office, to make corrections within a set time limit, in accordance with the PIPL. These circumstances include:
If a PI processor refuses to make the required corrections, or infringes upon the rights and interests of the PI subjects, it can be ordered to cease PI export activities and may face legal liability. Where the conduct constitutes a crime, the PI processor will also bear criminal responsibility.
The Standard Contract Provisions give companies a much clearer picture of how to handle CBDT activities, which has been one of the major compliance concerns for foreign companies and MNCs operating in China.
However, the provisions have limitations that may continue to cause confusion, most of which stem from the definitions of terms introduced in other laws and regulations.
For instance, the definition of a critical information infrastructure operator (CIIO) is still somewhat unclear. CIIOs are excluded from the Standard Contract route, are subject to significantly stricter data and cybersecurity requirements, and face a higher level of government oversight.
In the Regulations on the Security and Protection of Critical Information Infrastructure released in August 2021, the scope of CIIOs includes industries such as energy, transport, water, and national defense, among others. But the regulations also stipulate that they could include “any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks.”
For companies in some sectors, the definition is clear-cut. For others, less so, as the “any other” category could be read to include major online service providers such as Tencent’s WeChat or the ride-hailing platform Didi. In practice, however, most such companies would not be eligible for the Standard Contract in any case, as the scale of their operations likely exceeds the PI volume thresholds set in the Standard Contract Provisions.
Outlying cases aside, the Standard Contract Provisions signal above all that companies must take a serious, documented approach to evaluating their cross-border data compliance risks and to the measures they adopt to mitigate them.
China Briefing is written and produced by Dezan Shira & Associates.