In the first of this two-part article, Connie Chen, Senior Counsel, and Maarten Roos, Managing Director, R&P China Lawyers, discuss the Mainland’s latest legislation in relation to personal information protection, and give clear guidance on its implications and how to remain compliant with the relevant national laws and regulations. 

The Measures on the Standard Contract for Outbound Transfer of Personal Information (the Measures) promulgated by the Cyberspace Administration of China (CAC) came into force on 1 June 2023. One day before, on 30 May 2023, the CAC issued the Filing Guidance for the Standard Contract for Personal Information Outbound Transfer (First Edition) (the Filing Guidance) with implementation guidance to the Measures. 

This Q&A deals with some of the more common questions raised by small-scale data exporters based in China, including many foreign-invested companies in the business-to-business (B2B) segment, on the steps that they need to take to remain compliant with PRC laws. 

We will be using ‘outbound transfer’ and ‘export’, as well as ‘data’ and ‘information’, interchangeably in the following.

Is the filing of the Standard Contract mandatory and what are the legal consequences for failing to do so?

Yes, the filing of a Standard Contract is mandatory under PRC laws. Article 7 of the Measures clearly stipulates that ‘the personal information handler shall, within 10 working days after the Standard Contract enters into effect, apply for filing with the local provincial cyberspace administration’. 

Article 12 of the Measures stipulates that ‘any violation of the Measures shall be punished in accordance with the Personal Information Protection Law of the People’s Republic of China (PIPL), and other laws and regulations; where a crime is constituted, criminal responsibilities shall be investigated in accordance with the law’. 

The legal consequences stipulated in the PIPL include ordering to make corrections, giving a warning, confiscating illegal gains, ordering the suspension or termination of applications that illegally handle personal information and, where the circumstances are serious, a fine of up to 5% of the previous year’s turnover may be imposed on the company, while those directly in charge and other directly responsible persons may be fined up to RMB1 million (approximately US$140,000). So, both the company and individuals could be subject to heavy penalties.

Which personal information handlers are subject to filing of the Standard Contract for export of personal information?

Certain companies that export personal information overseas must complete a security assessment as per the Outbound Data Security Assessment Measures (Assessment Measures) and this must be filed with the CAC for approval. This applies when a data handler meets any of the following criteria:

• is a critical information infrastructure operator (CIIO)
• handles personal information of more than one million individuals
• has exported personal information of more than 100,000 individuals cumulatively since 1 January of the previous year, and
• has exported sensitive personal information of more than 10,000 individuals cumulatively since 1 January of the previous year.

For all other exporters of personal information, that is, those companies that process and export personal information on a small-scale, they can either complete a heavy certification process with a CAC-appointed body, or they will be governed by the Measures. Most Chinese subsidiaries of international companies will undoubtedly opt to file the Standard Contract. 

The contracting parties to the Standard Contract can only be a domestic personal information handler and a foreign recipient. Thus, a foreign entity that directly collects and processes personal information in Mainland China does not fall under the Measures. However, it may still fall under the Assessment Measures if it meets any of the above conditions.

If a personal information handler entrusts a third party to process personal information, how do we determine whether the Standard Contract shall be entered into and who are the contracting parties thereto?

The Standard Contract stipulates that the party to export personal information shall only be the personal information handler (the data controller), that is, the organisation or individual who independently decides the purpose and method of personal information processing and exports personal information. See Table 1: Some key scenarios.

What filing feedback could the CAC give upon review?

The filing results will be either Pass or Fail. Specifically, the relevant provincial cyberspace administration will issue a filing number to the personal information handler if the filing passes, otherwise the personal information handler will receive a notice of unsuccessful filing and the reasons for this. Where the personal information handler is required to supplement materials, it shall do so for resubmission within 10 working days.

Is the filing of the Standard Contract subject to substantive review?

The relevant provincial cyberspace administration shall, within 15 working days upon receipt of the materials, complete examination of the materials and notify the personal information handler of the filing results. Although this procedure is a ‘filing’, which would normally be subject to formal review only, there are only two possible results (Pass and Fail), and so it is very likely that the cyberspace administration will conduct a substantive review of the submitted filing materials.

Can any terms of the Standard Contract be modified?

In principle they cannot be modified. In February 2023, the CAC – when responding to reporters in a press conference – explained that the text of the Standard Contract cannot be modified. The contracting parties to the Standard Contract can agree to additional terms that do not conflict with the Standard Contract, which should be stipulated in Appendix II.

How do we understand the precedence of the Standard Contract and whether the terms regarding processing of personal information previously agreed automatically become invalid?

The Standard Contract shall prevail over any other legal documents signed by the parties thereto. However, the signing of the Standard Contract does not necessarily lead to the automatic invalidation of contracts previously signed; that is, subject to the specific terms and contents, terms that were previously agreed and which are not in conflict with the Standard Contract shall remain valid. The Standard Contract shall prevail in the case of conflict.

What should be the contract term for the Standard Contract?

The Measures do not set requirements on the validity period of the Standard Contract. While the filing procedure is not a condition to its effectiveness, our current understanding is that the term of the Standard Contract may be agreed by the parties at their discretion. 

Our advice is to determine the contract term comprehensively with reference to the information type, the purpose of personal information export and the situation of the foreign recipient (such as the level of security measures provided thereby).

Under what circumstances shall the personal information handler and the foreign recipient reconduct a personal information protection impact assessment (PIA), supplement or re-sign the Standard Contract and conduct filing formalities?

Article 8 of the Measures establishes that under any of the following circumstances, the personal information handler shall reconduct the personal information PIA, supplement or re-sign the Standard Contract and reperform relevant filing formalities:

• where the purpose, scope, type, sensitivity, method, storage location of personal information to be exported or the foreign recipient’s purpose and method to process the personal information have changed, or the retention period of personal information has been extended
• where the rights and interests of personal information subjects may be affected by changes in the policies and regulations on personal information protection of the country or region where the foreign recipient is located, and
• any other circumstances that may affect the rights and interests of personal information subjects.

If a business has multiple branches or subsidiaries that are involved in personal information processing in Mainland China, how do we determine which entity shall sign the Standard Contract and submit it for filing?

The Measures are not clear on this point. However, on 2 June 2023, Beijing CAC issued the Relevant Instructions for the Filing Guidelines of Beijing for the Standard Contract for Personal Information Outbound Transfer, specifically pointing out that the filing entity shall be a legal entity, which is consistent with the contracting party of the Standard Contract. If several independent legal enterprises belong to the same group company, then this group company can file on behalf of its subsidiaries and branches. We expect that other provinces/cities will follow the same practice as Beijing. 

Connie Chen, Senior Counsel, and Maarten Roos, Managing Director 
R&P China Lawyers 

© Copyright R&P China Lawyers, June 2023 The authors can be contacted at: chenyan@rplawyers.com and roos@rplawyers.com.