Date: 27 February 2023
Cyberspace Administration of China promulgated Measures on the Standard Contract for Cross-border Transfers of Personal Information to Safeguard the Safe Movement of Personal Information
The Office of the Privacy Commissioner for Personal Data (PCPD) notes that the Cyberspace Administration of China promulgated the Measures on the Standard Contract for Cross-border Transfers of Personal Information (the Measures) on 24 February 2023. The Measures will come into operation on 1 June 2023.
The PCPD reminds local enterprises and organisations which conduct businesses on the Mainland, especially enterprises and organisations which transfer personal information out of the Mainland on a smaller scale, such as small- and medium-sized enterprises, that if the conditions prescribed in the Measures are met, they may need to enter into a standard contract and file the contract with the local cyberspace administration authorities at the provincial level before effecting the transfer of personal information.
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “Where cross-border transfers of personal information carried out before the effective date of the Measures do not conform with the provisions of the Measures, the relevant enterprises or organisations must take steps to rectify the situation within six months since the Measures take effect, namely, before 30 November 2023. It is advisable that early steps be taken by the relevant enterprises or organisations to understand the provisions of the Measures and assess its impacts on their cross-border transfers of personal information. They should also take timely follow-up actions and seek professional advice if necessary, so as to comply with the relevant requirements of the Measures.”
Specifically, according to the Measures, personal information processors (including enterprises or organisations) which satisfy all of the following conditions may rely on the execution of standard contracts to transfer personal information out of the Mainland and shall first carry out a personal information protection impact assessment:
- where the personal information processor is not an operator of critical information infrastructure;
- where the personal information processor which transfers personal information out of the Mainland processes personal information of not more than one million persons (in aggregate);
- where the personal information processor which transfers out personal information has cumulatively made outbound transfers of personal information of not more than 100,000 persons (in aggregate) since 1 January of the preceding year; and
- where the personal information processor which transfers out personal information has cumulatively made outbound transfers of sensitive personal information of not more than 10,000 persons since 1 January of the preceding year.
The relevant personal information processor shall enter into a standard contract strictly in accordance with the template standard contract appended to the Measures, and shall file the contract with the local cyberspace administration authority at the provincial level within 10 working days of the effective date of the contract.
It is noteworthy that personal information processors which are required to duly undergo security assessments for transferring personal information outside the jurisdiction shall not deploy tactics such as quantity splitting so that they may transfer personal information outside the jurisdiction by entering into standard contracts.
The personal information protection impact assessment shall assess, among others, the following key matters:
- the legality, propriety and necessity of the purpose, scope and manner of processing of the personal information by the personal information processor and the recipient outside the jurisdiction;
- the scale, scope, category and sensitivity of the outbound personal information, and the risks that cross-border transfer of personal information might pose to the rights and interests of individuals regarding personal information;
- whether the obligations undertaken by the recipient outside the jurisdiction and the management, technical measures and capabilities of such recipient to perform such obligations can ensure the security of the outbound data;
- the risks of the outbound personal information suffering from alteration, destruction, leakage, loss or illegal use, etc., during and after the cross-border transfers, and whether the channels provided to uphold the rights and interests of individuals regarding personal information are clear, etc.;
- the impact of personal information protection policies and regulations of the location of the recipient outside the jurisdiction on the performance of the standard contract; and
- other matters that may affect the security of the cross-border transfers of personal information.
Please click here for the full text of the Measures and the template standard contract (Chinese only).
Background Information
The Personal Information Protection Law of the Mainland provides that personal information processors which need to transfer personal information outside the jurisdiction shall carry out their own personal information protection impact assessments, obtain separate consent from the individuals concerned, and meet the specified requirements, including passing the security assessment organised by the national cyberspace authorities, obtaining personal information protection certification from the relevant specialised institution, and entering into a contract prescribed by the state cyberspace authorities with the overseas recipients to stipulate the rights and obligations of both parties. The Measures set out conditions under which personal information processors may enter into standard contracts before transferring personal information out of the Mainland and provide a template standard contract.
The Measures were drafted with reference to relevant laws of the Mainland including the Personal Information Protection Law, for the purposes of regulating cross-border transfers of personal information, protecting the rights and interests of individuals regarding personal information, and safeguarding the safe and free flow of personal information out of the Mainland.
-End-