“Standard Contract” Guidelines to Facilitate Implementation

The Regulations on Standard Contract for Cross-border Personal Information Transfer (“Regulations”) issued by Cyberspace Administration of China (“CAC”) on February 22, 2023 has become effective since June 1, 2023. For facilitating the implementation of the Regulations, especially the filing of signed standard contract and personal information protection impact assessment report as required, CAC released guidelines (“Guidelines”) on May 30, 2023 with immediate effect.

1. Conditions to Use Standard Contract

The Guidelines highlight the conditions for using standard contract. A personal information processor may cross-border transfer personal information through executing a standard contract only when all the following conditions are met:

(1) It is not a critical information infrastructure operator;

(2) It processes not more than one million individuals’ personal information;

(3) It has accumulatively transferred abroad personal information of not more than 100,000 individuals since January 1 of the preceding year; and

(4) It has accumulatively transferred abroad sensitive personal information of not more than 10,000 individuals since January 1 of the preceding year.

The Guidelines clarifies that the following fall into the cross-border personal information transfer:

(1) personal information processor transmits or stores overseas any personal information collected and generated during business operation within the territory of the Chinese Mainland;

(2) overseas entity, organization or individual may access, acquire, download, export any personal information collected, generated and stored by personal information processor within the territory of the Chinese Mainland;

(3) other types of cross-border personal information transfer as determined by CAC.

2. Prior Impact Assessment

Processors should conduct a personal information protection impact assessment prior to cross-border transfer of personal information, focusing on the following:

(1) whether the purpose, scope and means of personal information processing of the processor and the overseas recipient are lawful, fair and necessary;

(2) the volume, scope, categories and sensitivity of personal information to be transferred abroad, and risks to legitimate rights and interests of individuals;

(3) obligations that the overseas recipient undertakes to perform; whether managerial and technical measures and capability for performing such obligations can ensure the security of personal information to be transferred abroad;

(4) risks of personal information falsification, damage, leakage, loss, abuse after cross-border transfer; whether individuals may easily defend their rights and interests with respect to their personal information;

(5) the impact on the performance of standard contract by the personal information protection policies and laws in the country/region of the overseas recipient; and

(6) other matters that may affect the security of personal information transferred abroad.

3. Filing with CAC

Personal information processors should file the standard contract together with the personal information protection impact assessment report with provincial-level cyberspace administration within 10 working days from the date when the standard contract takes effect.

The Regulations require personal information processors to reconduct an impact assessment, resign a standard contract and make a new filing in the event of any of the following circumstances during the term of the standard contract:

(1) changes to the purpose, scope, categories, sensitivity, means, storage place of the cross-border personal information transfer; changes to use and means of processing of personal information by overseas recipient; or extension of overseas storage period of personal information;

(2) changes to personal information protection policies and laws in the country or region where overseas recipient is located, which may affect the rights and interests in the personal information;

(3) other circumstances that might affect the rights and interests in the personal information.

4. Template of Personal Information Impact Assessment Report

The Guidelines provides a template of personal information impact assessment report issued by CAC. The template provides the must-have contents of an impact assessment report. Therefore, in practice, prior impact assessment and its report should strictly follow the template. However, the template is quite general, which leaves great discretion to officials in cyberspace administration when reviewing the reports during the filing application. It is not clear at this moment how substantial the review will be.