Is your business transferring personal data out of China? The Standard Contract Measures for Cross-border Transfers now in force

View PDF

Did you know?

The Measures on the Standard Contract for Cross-border Transfers of Personal Information (the Measures) promulgated by the Cyberspace Administration of China (CAC) came into operation on 1 June 2023.

Why does this matter to you?

China’s rules on the cross-border transfer of personal information may impact on businesses operating in China. Multinational organisations will often have a business need to share employee or customer data with their global headquarters or other parts of the business outside of China. Many corporations may share IT infrastructure with their Chinese subsidiaries or have remote access to data stored in China. Such activities could be subject to China’s cross-border data transfer requirements.

The signing of a standard contract with an overseas recipient is one of the three mechanisms for transferring personal information out of China. The others are mandatory security assessment by the CAC (for critical information infrastructure operators and transfers of important/sensitive personal data at the prescribed levels) and certification by an accredited institution (such as for intra-group transfers, and data processors outside the Mainland who are subject to the extra-territorial application of China’s Personal Information Protection Law). The accreditation route is only available if the transfer does not fall within the mandatory assessment requirements, and not all entities and organisation can adopt this option, e.g. representative offices set up by foreign entities are not eligible. The standard contract route may be preferred option for businesses that transfer personal data out of the Mainland on a smaller scale, such as small and medium-sized enterprises. It may be used where the following criteria are met:

• the data processor is not a critical information operator;
• it processes the personal data of less than 1 million individuals;
• since 1 January of the previous year, the personal data of less than 100,000 individuals (in aggregate) has been transferred; and
• since 1 January of the previous year, sensitive personal data of not more than 10,000 individuals (in aggregate) has been transferred.

However, the Measures also require the business to conduct a personal information protection impact assessment (PIA) prior to entering into the standard contract. This should assess key matters including the legality and necessity of the data transfer, the scale, scope, and sensitivity of the outbound personal data, the risks to the rights and interests of individuals concerned, as well as security issues. It is important that data systems are compatible with Chinese law in order to pass the PIA.

The Measures specifically prohibits dividing the data into smaller quantities in order to meet the standard contract criteria in an attempt to circumvent the mandatory security assessment regime. 

The standard contract, impact assessment report and other supporting documents should be filed with the local cyberspace administration authority within 10 working days of the effective date of the contract.

Organisations have until 30 November 2023 to rectify any non-compliant arrangements occurring before 1 June 2023, and should take steps now to assess the impact of their cross-border data transfer, and seek advice on the best option for them to ensure compliance.

Please see here for our earlier alert on “Challenges under China’s complex privacy compliance framework”.

Key Contacts

Dora Si

Partner | Intellectual Property

Email or call +852 2826 5394