On 1 June 2023, new measures explaining the requirements for using the standard contract (China Standard Contract) mechanism to legally export personal information from China as well as the form of the “standard contract” came into effect.
Under China’s Personal Information Protection Law (PIPL), effective since November 2021, companies are required to use one of three legal mechanisms to transmit certain personal information outside of China. These PIPL-compliant mechanisms include:
Cyberspace Administration of China security assessment (CAC Assessment);
China Standard Contract; and
Protection certification by licensed institutions (Protection Certification).
This alert relates to recent developments that clarify the requirements for using the China Standard Contract procedures to meet the PIPL requirements for exporting personal information from China.
In February 2023, the Cyberspace Administration of China (CAC) released the Standard Contract Measures for the Export of Personal Information from China (Measures), which explained how companies can legally export personal information from China by signing a “standard contract” with the overseas data recipient.
At the end of May 2023, the CAC released the Guidelines for Filing Standard Contracts on Exporting Personal Information Overseas (Guidelines), which provided additional information to assist eligible companies choosing to adopt the China Standard Contract mechanism to legally export personal information from China. These Guidelines further elaborate on legal definitions and provide additional guidance on local filing requirements.
These two new documents give us a more complete picture of what is required under the China Standard Contract legal mechanism, explaining in detail who qualifies to use it, what constitutes data export under Chinese laws, what additional procedures may be required (e.g., personal information protection impact assessments (PIPIA)), and what the essential terms are for the China Standard Contract.
Given the importance of this development, we have prepared a high-level overview of the Measures and Guidelines with focus on tips for overseas data recipients.
SIX KEY TAKEAWAYS
Below, we discuss some key takeaways from the China Standard Contract with a specific focus on the impact to the overseas data recipient.
Takeaway No. 1: One-Size-Fits-All or Not?
General Data Protection Regulation (GDPR) standard contractual clauses include four different modules of “controller-to-controller” (C2C), “controller-to-processor” (C2P), “processor-to-processor” (P2P), and “processor-to-controller” (P2C), so a personal information processor can use GDPR standard contractual clauses (SCCs) to enter into a data outbound transfer agreement with an overseas data recipient who is either a controller or a processor.
China Standard Contract, however, only has one template to be entered into by a “China data controller” with an “overseas data recipient”. Obviously, it can apply to modules of C2C and C2P. Where the data exporter in China is a personal information processor (i.e. P2P and P2C transfers), especially when there is no data controller in China in a specific data cross-border transfer, there are some ambiguities as to how to use the China Standard Contract, or companies may need to use the Protection Certification instead in some scenarios.
Takeaway No. 2: Not Only Contractual Clauses; It Is a Contract
Under the Measures, the legal document parties need to execute is not a commercial agreement or a cross-border data transfer agreement with China’s standard contractual clauses set forth in the appendix thereto. Parties need to sign the China Standard Contract itself.
Pursuant to the Measures, the parties are not allowed to make changes to the standard China Standard Contract terms. However, they can add supplementary terms in an appendix that do not conflict with the China Standard Contract’s standard terms.
This is a different practice from when parties use the GDPR SCCs. Parties can use their own form of the data transfer agreement provided that the applicable GDPR SCCs are incorporated by reference into such agreement.
As such, it is advisable to consider the documentation structure in a transaction where both a commercial contract and the China Standard Contract are involved.
It is also worth noting that if there is any inconsistency between the China Standard Contract and any other legal documents between the parties, the terms of the China Standard Contract will prevail.
Takeaway No. 3: Special Obligations Imposed on Overseas Data Recipients
Although it is the Chinese data exporter’s obligation to file the executed China Standard Contract with the CAC, the overseas data recipient is actually heavily involved and, to some extent, subject to the jurisdiction of the CAC. The China Standard Contract imposes some special obligations on the overseas data recipient, which include:
China Standard Contract specifies that the overseas data recipient must agree to be subject to supervision and management by the CAC, including but not limited to responding to inquiries by the CAC, cooperating with inspections by the CAC, following the actions taken or decisions made by the CAC, and providing written proof that necessary measures have been taken;
In the event of a data breach, the overseas data recipient must immediately inform both the data exporter and the CAC.1 Further, the overseas data recipient who is a data controller should notify affected data subjects if required by law. If the overseas data recipient is a data processor, under the terms of the China Standard Contract, the data exporter should bear the burden of notifying affected data subjects instead; and
It is also worth noting that, in the event that the overseas data recipient receives a request for provision of personal information under the China Standard Contract from a governmental authority or a judicial authority in the country or region where the overseas data recipient is located, it shall promptly notify the personal information exporter in China.
Given the foregoing obligations and requirements on the overseas data recipient, the overseas data recipient should seek legal advice and assistance in both its home country and China to ensure it properly responds to requests from China data exporters, the CAC, and data subjects.
Takeaway No. 4: Stricter Requirements on Onward Transfer
The China Standard Contract imposes stricter requirements on onward data transfer than GDPR. Under the China Standard Contract, the overseas data recipient is only allowed to make further transfer upon satisfaction of certain strict conditions, such as giving required notification to data subjects, adopting sufficient technical measures, signing the agreement with the onward transferee to ensure data protection, and assuming the legal responsibilities for the infringement of the personal information subject’s rights arising from the onward transfer of personal information to such onward transferee.
This could be quite challenging when the overseas data recipient needs to onward transfer personal information to a third party outside of China.
Takeaway No. 5: Liabilities to Personal Information Subject
Data subjects have contractual rights under the China Standard Contract as a third-party beneficiary and can make claims against the data exporter and the overseas data recipient in accordance with the terms of the China Standard Contract. These rights allow data subjects to demand the performance of the clauses relating to their rights under the China Standard Contract.
In this context, it is important for parties to clarify their relationship (C2P, C2C, joint controllers or not, etc.) in the outbound data transfers concerned and, accordingly, to clearly allocate obligations and liabilities between them by supplementing relevant terms of the China Standard Contract.
Takeaway No. 6: Use of Different Standard Contractual Clauses in a Two-Way Data Transfer
The China Standard Contract provides that the outbound data transfer agreement must be governed by Chinese law. In terms of dispute resolution, the parties to the China Standard Contract can choose to either litigate at a Chinese court or submit the disputes to a Chinese arbitration tribunal or an international arbitration tribunal that is seated in a Contracting State to the 1958 New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards.
In a two-way cross-border personal information transfer, such as an outbound transfer from China to a country in the EU and an outbound transfer from a country in the EU to China, parties might need to use two versions of the standard contract or contractual clauses – the China Standard Contract for outbound data transfer from China and the GDPR SCCs for outbound data transfer from the EU. Accordingly, the laws governing the relevant data transfer agreement will be determined by reference to the country in which the data exporter is established.
The Measures provide a grace period of six months ending 30 November 2023 to allow personal information exporters that have transferred personal information from China before 1 June 2023 to rectify their previous practices to ensure compliance with the Measures. This includes completing a PIPIA, preparing and executing the China Standard Contract, and filing the executed China Standard Contract and the PIPIA report with the CAC. A template of the PIPIA report was issued by the CAC together with the Guidelines on 30 May 2023.
Given the pending deadlines and diligence required to determine how to comply with the Measures, parties to an outbound transfer of personal information from China that are not subject to the CAC Assessment should immediately consider changes they may need to make to existing contractual arrangements (e.g., intra-group personal information sharing agreements, vendor/customers data processing agreements).
FIRST-EVER CHINA STANDARD CONTRACT FILING
Fifteen working days after the China Standard Contract became effective, Beijing CAC published a notice announcing that a Beijing-based company passed the first-ever China SCC filing on 25 June 2023 (Notice).
Based on the Notice, this cross-border personal data transfer involves a Beijing-based data exporter, an online data service provider, and a Hong Kong-based data recipient. The type of data exported by the Beijing-based data exporter is personal data related to credit references as disclosed by the Notice.
The first filing case shows that the China Standard Contract is a more cost- and time-efficient mechanism to transmit the personal information outside of China.