In this second and final part of their article, Connie Chen, Senior Counsel, and Maarten Roos, Managing Director, R&P China Lawyers, continue their discussion of the Mainland’s new personal information protection legislation and its significance in particular for small-scale data exporters based in China, including foreign-invested companies.

Highlights

  • the Standard Contract accords comprehensive rights to the personal information subject, including the right to bring a lawsuit to a competent court in China against either the personal information handler or the foreign recipient in the event of breach of contract
  • companies must prepare a protection impact assessment that provides a full analysis of the personal information to be exported, as well as how this will be handled in terms of compliance with all relevant laws
  • in the case of any dispute, the Standard Contract allows the parties to agree on either litigation or arbitration as a means of resolution

In the first part of this article, published in last month’s CGj, we overviewed the new Measures on the Standard Contract for Outbound Transfer of Personal Information and the related Filing Guidance, including who is subject to filing and the legal consequences of failing to do so. In part two, we explore issues such as the stipulated obligations for the personal information handler and the foreign recipient, the rights of the personal information subject and the methods of dispute resolution.

What notification and informing obligations does the Standard Contract stipulate for the foreign recipient in case of further transfer of the personal information?

The notification and informing obligations of the personal information handler under the Standard Contract are consistent with the provisions of Articles 17, 31 and 39 of the Personal Information Protection Law of the People’s Republic of China (PIPL). If the foreign recipient transfers personal information of individuals to third parties, then the Standard Contract requires the personal information handler to inform the individual of such other recipients, the storage period after export, the place of storage and other information as agreed in Appendix I. 

In addition, due to the adoption of the ‘third-party beneficiary’ mechanism (explained below), the personal information handler is also required to inform the personal information subject that he/she is a third-party beneficiary under the Standard Contract (for example, as part of a consent form).

Is the personal information subject a party to the Standard Contract and how do we understand the concept of ‘third-party beneficiary’?

The concept of ‘third-party beneficiary’ draws on the content of the EU Standard Contractual Clauses for the Transfer of Personal Data to Third Countries, which endows the personal information subject with corresponding rights under the Standard Contract. As a third-party beneficiary, the personal information subject is entitled to claim its personal information rights against one or both of the personal information handler and the foreign recipient.

What rights does the personal information subject have?

The third-party beneficiary is entitled to the right to know and to make decisions on the processing of his/her personal information, the right to restrict or refuse processing of this personal information by others, the right to consult or copy this personal information and the right to request the personal information handler to correct, supplement or delete the personal information or to explain the processing rules for this personal information. In addition, the third-party beneficiary is entitled to directly claim or demand performance of obligations in relation to personal information rights under the Standard Contract against one or both of the personal information handler and the foreign recipient. In the event that the personal information handler or the foreign recipient fails to fulfil its contractual obligations, the third-party beneficiary may bring a lawsuit to a competent court in China in accordance with the Standard Contract and hold the above-mentioned parties liable for breach of contract.

What contractual obligations does the personal information handler have under the Standard Contract?

The personal information handler shall perform the following obligations: 

  • follow the principles of minimum necessity when carrying out export of personal information 
  • fully fulfil the obligation of notification
  • obtain separate consent from the personal information subject with respect to the personal information to be exported, consent of the minor’s parents or any other guardians and written consent
  • upon request by the personal information subject, provide the subject with a copy of the Standard Contract 
  • reasonably supervise the compliance of the foreign recipient 
  • provide the foreign recipient with copies of China’s laws and regulations and technical standards 
  • cooperate with the regulatory authority, accept inquiries and provide necessary information and audit results for fulfilling the Standard Contract 
  • carry out the personal information protection impact assessment (PIA) and keep this report on file, and 
  • assume a burden of proof for the compliant performance of obligations under the Standard Contract.

What are the foreign recipient’s contractual obligations under the Standard Contract?

The foreign recipient shall fulfil the following obligations: 

  • follow the principle of minimum necessity 
  • process the personal information strictly within the agreed scope 
  • in principle, not transfer the personal information to other foreign third parties unless the conditions elaborated below (see ‘Under what conditions can the foreign recipient transfer personal information to any other foreign third party?’) are satisfied 
  • take technical and managerial measures to ensure the security of personal information 
  • ensure that the relevant personnel perform their confidentiality obligations 
  • establish access control permissions of minimum authorisation
  • follow the principle of the shortest storage period 
  • fulfil the obligation to cooperate with the personal information handler 
  • establish an emergency response mechanism for security incidents 
  • upon the request of the personal information subject, provide such subject with a copy of the Standard Contract 
  • keep records of personal information processing activities 
  • agree to accept the supervision and management of the regulatory authority 
  • use automated decision-making under the condition of meeting the requirements thereof, and 
  • inform the personal information handler of the impact of its national laws and regulations and law enforcement activities on the performance of contractual obligations and the rights of the personal information subject in a timely manner.

How do the personal information handler and the foreign recipient assume their liabilities to the personal information subject?

The personal information handler and the foreign recipient shall be jointly and severally liable to the personal information subject for any material or non-material damage caused thereto due to a breach of the Standard Contract. This means that foreign recipients of personal information from China have an interest in making sure that the Chinese personal information handler has obtained proper consent.

What shall be assessed in the personal information PIA referred to in the Standard Contract?

As part of the filing, every company must prepare a personal information PIA. In accordance with the Filing Guidance, this should include: 

  • basic information about personal information to be exported, including the type, quantity and sensitivity of personal information, the purpose and method of processing, and the processing scope of the foreign recipient
  • the legality, legitimacy and necessity of export of personal information
  • risks of export, including to personal information rights and interests under normal circumstances, data security accidents, impact on personal rights and interests, and the channels for safeguarding rights 
  • information of the foreign recipient, including managerial measures, technical measures and protection level of personal information taken by the foreign recipient and data security, and protection obligations undertaken by the foreign recipient through the Standard Contract and other legal documents, and 
  • whether the legislation and regulation regarding personal information protection of the place where the foreign recipient is located will affect the foreign recipient’s performance of the Standard Contract.

The specific implementation framework of the personal information PIA shall be based on Annex V, Personal Information Protection Impact Assessment Report (Template) of the Filing Guidance. We expect this template to be an important basis for determining whether an enterprise will be able to pass the filing examination of the Standard Contract.

Under what conditions can the foreign recipient transfer personal information to any other foreign third party?

Upon satisfaction of all the following conditions, the foreign recipient is permitted to transfer the personal information on to other foreign third parties:

  • the transfer is necessary for business
  • the foreign recipient has informed the personal information subject of the identity and contact information of the third party, the purpose and method of processing, the type of personal information, and the method and procedures for the personal information subject to exercise its rights, and separate consent has been obtained (except as otherwise provided by laws and regulations)
  • if any sensitive personal information is involved, the foreign recipient has informed the personal information subject of the necessity of such transmission and its impact on the personal information subject. If it is difficult to inform the personal information subject or to obtain separate consent, the foreign recipient shall inform the personal information handler in a timely manner and ask for its help to inform the personal information subject or to obtain separate consent
  • a written agreement has been entered into by the foreign entity and the third party, so as to ensure that the protection level of personal information adopted by the third party is not lower than the protection standard stipulated by relevant laws and regulations in China
  • the foreign recipient will be jointly and severally liable for the damage that may be caused to the personal information subject due to such transfer, and 
  • the foreign recipient provides the personal information handler with a copy of the agreement entered into by the foreign recipient and the third party.

What are the conditions and legal consequences of a Standard Contract’s termination?

Article 7 summarises the conditions for and legal consequences of a termination of the Standard Contract:

  • if the foreign recipient breaches its obligations thereunder, the personal information handler may suspend the transmission of personal information to the foreign recipient. If the suspension time exceeds one month, either party to the Standard Contract may terminate the Contract
  • if the foreign recipient’s compliance with the Standard Contract will violate the laws of the country or region where it is located, either party thereto may terminate the Contract 
  • if the foreign recipient seriously or continuously breaches its obligations under the Standard Contract, the personal information handler may terminate the Contract, and 
  • if, in accordance with the final decision made by the competent court or regulatory authority of the foreign recipient, the foreign recipient or personal information handler has breached its obligations under the Standard Contract, either party may terminate the Contract.

Upon termination, the foreign recipient shall return or delete the personal information it received under the Standard Contract, and shall provide a written statement to the personal information handler.

What methods of dispute resolution are stipulated in the Standard Contract?

The Standard Contract allows the parties to agree on either litigation or arbitration. Litigation shall be before the competent court in China: the personal information handler may only bring a lawsuit to the people’s court of the place where the Contract is performed, and the foreign recipient may bring a lawsuit to the competent court of the place where the personal information handler is located or where the Contract is performed. Regarding arbitration, the Standard Contract allows the parties to submit their disputes to the China International Economic and Trade Arbitration Commission, the China Maritime Arbitration Commission, the Beijing Arbitration Commission (Beijing International Arbitration Center) or any other arbitration institutions located in jurisdictions that are members of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards. This is to ensure that arbitral awards can be enforced in China.

Connie Chen, Senior Counsel, and Maarten Roos, Managing Director 
R&P China Lawyers 

© Copyright R&P China Lawyers, June 2023 The authors can be contacted at: chenyan@rplawyers.com and roos@rplawyers.com.
