China Releases the Standard Contract for Cross-Border Transfer of Personal Information

Alert
February 28, 2023
3 minutes

On February 22, 2023, the Cyberspace Administration of China (“CAC”) promulgated the final version of the Measures for the Standard Contract for Cross-Border Transfer of Personal Information (the “Measures”), along with the final version of the standard contractual clauses for cross-border transfer of personal information stipulated under the Personal Information Protection Law (the “PIPL SCCs”). The Measures and the PIPL SCCs will become effective on June 1, 2023. Similar to the EU General Data Protection Regulation (“GDPR”) SCCs, the PIPL SCCs can be used for outbound transfer of personal information that does not need to undergo a security assessment under China’s PIPL.

Noteworthy Differences from the Draft SCCs

The final version of the PIPL SCCs remains largely consistent with the draft made public for comment in June 2022,1 though there are several noteworthy differences.

First, the final version of the PIPL SCCs clarifies that these SCCs should be concluded between an overseas data recipient and a personal information controller (also known as personal information handler) who transfers personal information to such overseas data recipient. This means that the PIPL SCCs are designed to cater to two different cross-border data transfer scenarios: (i) personal information controller to personal information controller; and (ii) personal information controller to personal information processor (also known as contracted processor). Where an overseas personal information controller delegates a Chinese entity to transfer personal information to an overseas data recipient on its behalf, the overseas personal information controller is recommended to enter into PIPL SCCs with the overseas data recipient.

The final version of the PIPL SCCs eases the separate consent requirement for cross-border transfer of personal information. Specifically, the final version of the PIPL SCCs state that a separate consent is only required where the legal basis for processing personal information is based on the consent of the individual data subject. Where the cross-border data transfer is based on other legal bases, such as for the performance of statutory duties or obligations, there would be no obligation under the PIPL SCCs for the personal information controller to obtain a separate consent from data subjects. In comparison, the draft PIPL SCCs expected a personal information controller to obtain a separate consent from data subjects for the cross-border data transfer at issue unless there was a clear waiver of such consent under applicable law.

Last but not least, the final version of the PIPL SCCs makes it clear that no substantive changes are allowed to modify the PIPL SCCs. Personal information controllers and overseas recipients can agree on matters not covered by the PIPL SCCs, provided that there is no conflict between the PIPL SCCs and those separately agreed upon by the parties.

Filing Obligation and Personal Information Protection Impact Assessment

Pursuant to the Measures, a personal information controller is expected to file the PIPL SCCs and a personal information protection impact assessment (“PIPIA”) report with provincial branches of the CAC for record within 10 working days of the execution of the PIPL SCCs.

The PIPIA report is expected to address issues that might affect security of the personal information to be transferred outbound, such as (i) the legality, legitimacy, and necessity of the purpose, scope, and method of processing personal information by the personal information controller and the overseas recipient; (ii) the volume, scope, category, and sensitivity of personal information to be transferred outbound; (iii) the risks to the data subjects’ rights and interests; and (iv) the impact of personal information protection policies and regulations in the country of origin in which the overseas recipient is located.

Grace Period

The Measures provide a six-month grace period for companies to take necessary measures to comply with the requirements for their cross-border transfer of personal information. Since the Measure will take effect on June 1, 2023, the grace period will end on November 30, 2023.

We advise that companies prepare or modify their data processing agreement in light of the Measures and the PIPL SCCs. In addition, companies will need to draft or update their PIPIA report before the grace period ends and file them in time with the Chinese authorities to legitimize ongoing or future cross-border transfer of personal information that is subject to PIPL.

  1. See Ropes & Gray Alert dated July 21, 2022 for more details.