Learn more about our comprehensive legal services.
Advising our clients on different opportunities and challenges of the industry.
News & Insights
The Cyberspace Administration of China (CAC) recently issued the Measures on the Standard Contract for the Outbound Transfer of Personal Information (Measures) with a template standard contract (Standard Contract). The Measures will take effect on 1 June 2023 but will allow a 6-month grace period. Consequently, from 1 December 2023 at the latest, an entity or person outside the People’s Republic of China (PRC) may need to sign the Standard Contract to get personal information from its subsidiaries, associated companies or partners in China, or access personal information stored within China.
First of all, the PRC personal information processors shall meet all of the conditions below to provide the personal information abroad by using the Standard Contract.
(a) it is not a critical information infrastructure operator (CIIO);
(b) it processes the personal information of less than 1 million individuals;
(c) it has cumulatively transferred abroad the personal information of less than 100,000 individuals since January 1 of the previous year; and
(d) it has cumulatively transferred abroad the sensitive personal information of less than 10,000 individuals since January 1 of the previous year.
As a mandatory security assessment is required when the personal information concerned exceeds any of the thresholds in items (2), (3) or (4) above, the PRC PI Processors shall not use quantity splitting or similar methods to escape the security assessment.
We set out below the major points that may be of concern to the offshore recipients under the Measures and the Standard Contract.
1. PRC personal information processors and overseas recipients are not allowed to amend the Standard Contract however they can agree on additional terms that do not conflict with the Standard Contract. For instance, the Standard Contract shall be governed by the laws of the People’s Republic of China as per its Article 9, and thus the parties do not have a choice on the governing law. Any of the additional terms will be included in an appendix to the Standard Contract.
2. The outbound transfer of personal information shall occur only after the effective date of relevant Standard Contract. The Standard Contract shall be filed by the PRC personal information processor with the CAC for record within 10 working days from the date when it takes effect. The absence of filing, however, will not affect the validity of the Standard Contract.
3. The commencement date and expiry date of the personal information retention term by the offshore recipient shall be specified in the Appendix I of Standard Contract.
4. The offshore recipient shall promptly notify the PRC personal information processor if it receives a request for the provision of the transferred personal information from a governmental authority or judicial authority in the country or region where the offshore recipient is located.
5. The offshore recipient shall satisfy all conditions below to provide the transferred personal information to a third party outside China:
(i) there is a necessity from the business perspective;
(ii) the personal information subject shall be properly informed;
(iii) explicit consent of the personal information subject shall be obtained;
(iv) a written agreement shall be entered into with the third party to ensure that the processing of personal information by the third party meets the standards for the protection of personal information required by the PRC laws, and the offshore recipient will be liable for any infringement of the personal information subject’s rights caused by the provision of transferred personal information to the third party;
(v) a copy of the written agreement with the third party shall be provided to the personal information subject upon his/her request.
6. Either party may terminate the Standard Contract if the offshore recipient violates the laws and regulations of the country or region it is located for performing the Standard Contract.
7. The parties to the Standard Contract shall assume joint and several liability in accordance with the law, and the personal information subjects shall have the right to claim against either party or both parties for violations.
8. If the personal information subject exercises the rights as a third-party beneficiary with respect to a dispute under the Standard Contract, the personal information subject may file a lawsuit with a competent court in accordance with the PRC Civil Procedure Law.
9. Any person may report to the CAC if it finds any outbound transfer of personal information in violation of the Measures.
Having said the above, in the case that a person outside China directly collects the personal information from data subjects in China, the Standard Contract will not be required as no PRC personal information processors are involved.
You may refer to our previous alert for the background on the outbound transfer mechanisms in China. It is strongly recommended that business operators with PRC presences consider the necessity of cross-border transfer of personal information, the feasibility of data anonymization, and the schedule for signing the Standard Contract(s) no later than 1 December 2023. If you are interested in the English translation of template Standard Contract and/or have any concern on the cross-border transfer of personal information, please contact us.
Subscribe to Publications
Sign up for our regular updates covering the latest legal developments, regulations and case law.
For media enquiries please contact us at email@example.com.
Tel: +852 2825 9211