Introduction
The Cyberspace Administration of China on 30 May 2023 released the Guidance for the Filing of the Standard Contracts for the Outbound Transfer of Personal Information. The Guidance supplements the Measures for Standard Contract for the Outbound Transfer of Personal Information, and sets out the filing process that data controllers (called “personal information processors” under the PIPL, that is, an organisation or individual that independently determines the purposes and means of the processing) are required to undertake under the Measures (and pursuant to the Personal Information Protection Law). Importantly, the Guidance contains a long-awaited template contract for data transfer – the SCC.
The Measures came into effect on 1 June 2023. For companies that are required to file a standard contract for data transfer, the Measures provide a grace period of six months, during which they can continue any already-commenced outbound transfer of personal information. After that, companies that have not completed the standard contract’s filing or whose filing has not been approved may not continue outward transfer of personal data.
Background to, and applicability of, the Guidance
The PIPL sets out three routes by which personal information can be exported, namely:
- entering into a data transfer agreement with the relevant overseas party that adopts the PRC SCC;
- attaining a personal information protection certification from a designated certification agent; or
- passing a security assessment required for critical information infrastructure operators and other organisations that process personal information reaching one of the three thresholds specified by the CAC.
The Certification regime is generally aimed at intragroup personal information transfer within large multinational companies, and involves a lengthy list of requirements. Most data controllers do not reach the CAC-specified thresholds and therefore cannot use the Security Assessment method. We expect that the SCC will be the most commonly used data export route for data controllers, so the Guidance is highly welcome (being released two days before the Measures came into effect).
Both the Measures and the Guidance remind data controllers not to evade the Security Assessment by dividing up the amount of personal information exported to overseas recipients through the SCC.
The Guidance also clarifies that the Measures apply to:
- data controllers transmitting / storing personal information collected in domestic operations outside of China;
- personal information compiled and generated within China and made available to overseas institutions, organisations or individuals through inquiry, retrieval, download and export; and
- other export of personal information as set out by the CAC.
Data controllers who have not submitted the filings may continue their personal information transfer activities until 30 November 2023; from 1 December 2023, those who fail to submit or whose submissions are pending approval will be required to suspend exporting of personal information. One outstanding point to be confirmed during this period is whether data controllers and their affiliated entities are eligible for a combined filing.
Filing process
Formalities
Physical copies of the executed SCC and electronic copies of the filing materials should be filed with the CAC office of the province where the data controller is located – noting that currently there is no online channel for applications, and so the specific requirements for submission may differ between CAC offices. For example, the Beijing CAC office has released guidance specifying that filing materials should be submitted via email before physical copies are submitted. The different requirements may be particularly onerous for those controllers whose initial submissions are unsuccessful (and therefore supplemental applications and additional filings are required).
Materials to be filed
The following materials will need to be filed with the CAC by the relevant data controller:
1. Originals of:
- the Power of Attorney document authorizing the agent to handle the filing;
- the letter of undertaking;
- the executed SCC (note that we are not clear whether electronically executed SCCs would be accepted, and the Guidance does not provide specific execution-related requirements); and
- the Personal Information Protection Impact Assessment Report.
2. Photocopies (with the data controller’s official seal) of:
- their Unified Social Credit Code;
- the identity document of the data controller’s legal representatives; and
- the identity document of the data controller’s authorised person handling the filing.
Process and timing
Under the Guidance, the data controller’s process for filing an SCC will be divided into four phases:
- complete a PIA Report no more than three months before the submission of filing materials, with no material changes leading up to or during the filing date;
- submit filing materials within 10 working days from the date on which the SCC was signed;
- await review from the relevant provincial CAC, which will notify the data controller of the conclusion of such review within 15 working days of submission. We note that specific CAC offices may change such timing; for example, the Beijing CAC has committed to reviewing within 10 working days of submission; and
- if the filing is unsuccessful, the provincial CAC will notify the data controller of the grounds of rejection. The data controller should then submit supplemental materials within 10 working days of such notice.
Neither the Measures nor the Guidance specifies the level of scrutiny with which the CAC will review submissions. From our experience, and given the purpose of the PIPL regime, it appears that specific CAC offices may differ in their level of scrutiny, but are likely to focus particularly on reviewing the PIA Report as part of assessing the risk and operation of the relevant data transfer. We also recommend that data controllers be prepared for the submission of supplemental materials in response to questions from the relevant CAC office, which in turn may extend the timeline for any review. Consultations with the specific relevant CAC offices may be helpful for data controllers in relation to the above.
PIA Report
The PIA Report template attached to the Guidance is similar to the self-assessment report used for the PIPL’s governmental security assessment regime for critical information infrastructure operators. There are also additional requirements for such Reports, such as specifying further details on the personal information being exported, any sensitive personal information involved, and any automated data processing involved. Key sections of this template include:
- the introduction to the PIA Report – including commencement and completion dates, the parties’ involvement and the assessment methodology;
- an overview of personal information export activities – including corporate information for both the data controller and the overseas recipient, the technology infrastructure involved, personal information protection capabilities, and a description of the scope and mode of personal information transfer; and
- the impact assessment – including item-based risk identification and evaluation, and the conclusion and justification for the adopted personal information transfer regime.
The Guidance also re-states the situations in which data controllers should undertake to submit a fresh PIA Report and amend or supplement a previously-executed SCC. For example, where there are:
- changes in the purpose, scope, type, sensitivity, quantity, provision manner, retention period or storage location of the personal information transferred, or in the purpose and manner of processing by the overseas recipient, or an extension of the retention period of the personal information transferred;
- changes in the personal information protection policies and regulations of the country or region where the overseas recipient is located which may affect the rights and interests of the data subjects; or
- any other circumstances that might affect the rights and interests of the data subjects.
In addition to the above situations, data controllers should file a signed restated or supplemental SCC with the CAC within the specified timeframe. The SCC should be up-to-date and fulfil the filing obligations as per the PIPL from time to time.
One important point to note – we have seen many organisations proactively complete PIA Reports using the relevant requirements under the GDPR as a guideline. While this is helpful, such exercises may need to further consider the requirements specified by the Guidance.
Consequences of non-compliance
Data controllers who are not compliant with the filing requirements under the Measures will be subject to penalties stipulated under the PIPL and other relevant laws and regulations. Under the PIPL, warnings, correction orders, suspension of personal information export activities, and forfeiture of illicit gains may be ordered in case of a violation; in particular, a fine of not more than RMB 1 million may be imposed on data controllers who refuse to rectify the breach. For serious breaches, the penalty may include a maximum fine of RMB 50 million or five percent of the data controller’s annual turnover from the previous year.
Conclusion and thoughts
The Guidance provides welcome guidelines regarding both the SCC itself and the filing process required for the SCC, including in relation to the PIA Report.
At a more general level, we anticipate that the CAC will take enforcement actions against those who do not comply with the cross-border transfer provisions of the PIPL, as there are significant sensitivities regarding international data transfers (both within and outside of mainland China). We would therefore highly recommend that exporters of personal information from mainland China actively seek to comply with the PIPL, whether via the SCC or other available mechanisms.
For those who are considering using the SCC, we would specifically recommend the following:
1. Conduct a deep dive into your organization and identify what personal information is being exported, and which specific entities are exporting (and receiving) the relevant personal information.
2. Ensure that for any cross-border data transfers, you have:
- conducted PIA Reports;
- entered into the appropriate SCC and other agreements as required; and
- for those agreements already in place, updated them to reflect both the above requirements and the operation of your organisation.
3. File executed SCCs with the relevant CAC, pursuant to the above requirements – including ensuring that you are prepared for any supplemental submissions.
It will also be interesting to see how the PIPL cross-border data transfer mechanisms will be implemented within the Greater Bay Area, given the recent execution of a personal data transfer-related MOU between the CAC and the Innovation, Technology and Industry Bureau in Hong Kong.
Hoi Tak Leung, Counsel, Ashurst Hong Kong, is admitted in New South Wales and Hong Kong and his practice involves TMT-related advisory work – including in relation to fintech, cybersecurity, data privacy and emerging technologies.
With thanks to Jessica Chan (Trainee Lawyer) and Hannah Chiu (Intern) for their assistance with this article.