On June 30, 2022, the Cyberspace Administration of China (the “CAC”) issued a draft Provision on the Standard Contract for Cross-border Transfer of Personal Information (“Draft Provisions”) and a draft of the Standard Contract for Cross-border Transfer of Personal Information (“Standard Contract”) for public comments. Per Article 38 of the Personal Information Protection Law (“PIPL”), if the data handler is not required to conduct a government security assessment, it may choose either to conduct certification by a qualified third institution or to execute the Standard Contract for cross-border transfer of personal information. Certification might be more commonly used for cross-border transfer within a group, whereas the Standard Contract may be more popular under other scenarios of cross-border transfers.
Scope of Application of Standard Contract
Data handlers must satisfy all of the following conditions to be eligible for execution of the Standard Contract for cross-border transfer:
- They are not considered critical information infrastructure (“CII”) operators;
- They do not process less than one million individuals’ personal information;
- They cumulatively transferred personal information of less than 100,000 individuals from January 1 of the previous year; and
- They cumulatively transferred “sensitive” personal information of less than 10,000 individuals from January 1 of the previous year.
Even though the Standard Contract is only a draft, the above conditions or thresholds are highly unlikely to be changed substantially in the final version of the Standard Contract. Such conditions or thresholds echo the Measures on Security Assessment on Cross-border Transfer (the “Measures”), which regulate mandatory government assessment for cross-border transfers.
PIPIA
Personal information protection impact assessments (“PIPIA”) are required before cross-border transfers. This is consistent with relevant requirements under PIPL. Specifically, the Draft Provisions provide more detailed requirements of the PIPIA for cross-border transfers of personal information, including:
- legality, legitimacy and necessity of purpose, scope and method of processing personal information by the data handler and the data recipient;
- quantity, scope, type and sensitivity of personal information to be transferred outside of China, and potential risks to rights and interests in personal information caused by the cross-border transfer;
- responsibilities and obligations that the data recipient assumes, and whether its management, technical measures and capabilities to fulfill such responsibilities and obligations are sufficient to ensure the security of the transferred personal information;
- risks of disclosing, destroying, tampering with or misusing personal information, and whether there is a convenient channel for individuals to assert their rights and interests in the personal information;
- impact of personal information protection policies and regulations in the country or region of the data recipient on fulfillment of the Standard Contract; and
- other matters that may affect the security of personal information to be transferred outside of China.
Supervision by the CAC
Within 10 business days of the effective date of the Standard Contract, data handlers are required to conduct filing for cross-border transfer with the cyberspace authority at the provincial level (“Competent Authority”). Data handlers must submit both the Standard Contract and the PIPIA report to the Competent Authority. The CAC will eventually open an online platform for submission of filing materials, but it is not available yet.
The data handler is obligated to respond to inquiries by the Competent Authority regarding processing activities of the data recipient unless it is agreed that the data recipient shall respond to such inquiries. Even where such agreements are in place, the data handler is still liable to respond inquiries from the Competent Authority if the data recipient fails to do so. The data handler also bears burden of proof.
The data recipient is also subject to supervision by the Competent Authority. This obligation includes but is not limited to responding to the inquiries of the Competent Authority, cooperating in examination by the Competent Authority, obeying the order or decision made by the Competent Authority and providing written evidence of compliance to the Competent Authority.
Contractual Obligations
The data handler’s contractual obligations include the following: (1) processing lawfully in compliance with PIPL; (2) informing data subjects that they are third-party beneficiaries under the Standard Contact; (3) providing the relevant laws and technical standards to the data recipient upon request; (4) responding to the relevant inquiries of the Competent Authority regarding the processing activities of the data recipient; (5) conducting relevant PIPIAs; (6) providing a copy/summary of the Standard Contract to the data subjects; (7) bearing the burden of proof; and (8) providing the relevant documents, including audit reports, for proof of compliance by the data recipient.
The data recipient’s obligations include: (1) processing personal information in compliance with the Standard Contract; (2) providing a copy/summary of the Standard Contract to data subjects; (3) minimizing the scope of transfer of personal information outside of China; (4) minimum necessary storage time; (5) providing audit reports to the data handler after deletion or anonymization of personal information in cases of sub-processing by an entrusted third party; (6) implementing relevant technical and management measures and access controls to safeguard security of processing; (7) obligations related to data breaches; (8) restrictions on onward transfer; (9) restrictions on sub-processing by an entrusted third party; (10) restrictions on automated decision making; (11) providing relevant documents to the data handler for evidence of compliance with the Standard Contract; (12) three-year retention period requirement and provision of relevant documents to the data handler or the Competent Authority; and (13) acceptance of supervision by the Competent Authority.
Onward Transfer
The Standard Contract restricts the data recipient from providing personal information under the Standard Contract to any third party outside of China (“Onward Transfer”). An Onward Transfer is only allowed when all of the following conditions are met:
- the Onward Transfer is necessary for business;
- the data recipient has informed the data subjects of the relevant information and obtained separate consent unless relevant laws do not require separate consent;
- there is a written agreement between the data recipient and such third-party recipient to ensure the protection level is not lower than provided for under the PIPL, and the data recipient is jointly liable for any damage caused by the Onward Transfer; and
- the data recipient is obligated to provide the onward transfer agreement to the data handler.
Evaluation of Local Laws
The purpose of evaluating the local laws of the data recipient is to achieve equivalent protection with PIPL. Such an evaluation would focus on the following issues:
- Personal information protection laws of the country or region of the data recipient would not prevent the data recipient from fulfilling obligations under the Standard Contract.
- Analyzation of the impact of local laws of the data recipient on cross-border transfer must be analyzed, taking into account the following matters:
- the specific circumstances of cross-border transfer including the type, volume, scope and sensitivity of personal information to be transferred, scale and frequency of transfer, transfer period and retention period by the data recipient, processing purpose, the data recipient’s relevant experience of cross-border transfer and processing by the data recipient under similar scenarios, whether the data recipient has any data incidents in the past and disposed of such incident appropriately, if any, and whether the data recipient received any request for the provision of personal information from public authorities of its country/region and its corresponding response;
- the status of the existing laws and regulations and generally applicable standards for the protection of personal information in such country or region;
- regional or global organizations to which the country or region has joined in the field of personal information protection and the binding international commitments it has entered into; and
- the mechanism for implementation of personal information protection in such country or region, such as whether there is any personal information protection supervision and enforcement body and relevant judicial body.
Data Subject’s Rights
In addition to data subjects’ rights under PIPL, data subjects may also make relevant requests to the data recipient directly. As third-party beneficiary of the Standard Contract, data subjects may request copy of the Standard Contract.
If data subjects make excessive or unreasonable requests, particularly those of a repetitive nature, the data recipient may charge a reasonable fee or refuse to act as requested, taking into account of the implementation and operation costs of such request.
Miscellaneous
The Standard Contract shall be governed by Chinese law and the parties may choose either court or arbitration as dispute resolution. The arbitral institution must be a member of the New York Convention.
The parties may have additional agreements in Annex II, but they cannot prejudice or conflict with the Standard Contract. In the event of any conflict between the Standard Contract and any other existing agreement by and between the data handler and the data recipient, the terms of the Standard Contract shall prevail.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code