China’s Standard Contract Measures for Personal Information Export – Additional Guidelines Released
China’s cybersecurity authority has officially adopted a set of measures that clarify the “standard contract” procedures for companies to transfer personal information overseas as required under the Personal Information Protection Law. These measures will greatly facilitate cross-border data transfer for foreign companies and multinationals handling small amounts of data. We explain the contract requirements for China data transfer.
UPDATE: On March 22, 2024, China’s cybersecurity regulator adopted new regulations to ease the compliance requirements for cross-border data transfer. The new regulations increase the thresholds of personal information volume that a company can handle before having to sign a standard contract with the overseas recipient of the personal information and stipulate scenarios in which a company may be exempted from undergoing a security review. The Standard Contract Measures for the Export of Personal Information discussed in this article were subsequently amended to align with the new regulations.
Measures stipulating the requirements for using the “standard contract” procedures to conduct cross-border transfer of personal information (PI) came into effect on June 1, 2023.
The Standard Contract Measures for the Export of Personal Information (“Standard Contract Measures”), which were initially released on February 22 by the Cyberspace Administration of China (CAC)clarify how companies can transfer PI outside of China by signing a “Standard Contract” with the overseas recipient of the data – a much simpler procedure than the other options as it does not require an external audit.
At the end of May 2023, the CAC released the Guidelines for the Filing of Standard Contracts for Exporting Personal Information Abroad (First Edition) (the “Standard Contract Guidelines”), a supplementary document that acts as a comprehensive guide for companies adopting the Standard Contract mechanism. These guidelines provide additional information for the implementation of the Standard Contract mechanism, including more clarity on legal definitions and further information on how to file materials with the local authorities.
Under China’s Personal Information Protection Law (PIPL), which came into effect on November 1, 2021, companies are required to undergo certain procedures in order to transfer certain types of data and certain volumes of PI outside of China. The Standard Contract is one of a few different PIPL-compliant mechanisms for CBDT.
The Standard Contract Measures and Standard Contract Guidelines are the final pieces in the puzzle, explaining in detail which companies are eligible for this mechanism, the requirements for additional procedures – such as self-assessments, and the requisite contents of the contract itself.
This article is part of our series on the different methods for legally exporting data out of China. Reference our ongoing coverage via the below articles:
- The Regulations to Promote and Standardize Cross-Border Data Flows, which ease regulations on exporting data out of China by increasing the thresholds of data that companies can handle before triggering a compliance procedure and stipulating certain exemptions.
- The Measures for Data Export Security Assessment, which cover requirements for companies to undergo a security assessment by the CAC, a requisite for companies to export large volumes of data or data that is highly sensitive or important.
- The Guidelines for Data Exit Security Assessment and Declaration, which cover how to apply for the CAC security assessment.
- The Technical Specifications for Certification of Cross-Border Processing of Personal Information, which provide guidance for multinationals and other entities with a presence in multiple countries to comply with China’s requirements for cross-border personal information processing.
- The Security Certification Specifications for Cross-Border Processing of Personal Information, which outline the basic principles and PI protection standards for companies and overseas recipients of PI in the cross-border processing of PI and provide a basis for certification agencies to carry out certification of PI processors’ cross-border processing activities.
Recap: What are the CBDT requirements in Article 38 of the PIPL?
The three sets of data export security measures released in late 2021 and 2022 concern themselves with clarifying Article 38 of the PIPL, which stipulates that companies must undergo certain compliance procedures in order to transfer data overseas.
Specifically, companies must meet one of the following criteria in order to transfer PI over a certain scale overseas:
- Undergo a security review organized by the CAC, except where exempted by relevant laws and regulations.
- Undergo PI protection certification by a professional institution in accordance with the regulations of the CAC.
- Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC.
- Meet other conditions set by the CAC or relevant laws and regulations.
Article 38 also states that companies must adopt necessary measures to guarantee that the overseas recipient of the PI also complies with the requirements and regulations for processing and protecting PI stipulated in the PIPL.
“PI” is defined very broadly in the PIPL and is described as “various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously”.
This means PI can include any data points or information that can be used to identify an individual, such as names, phone numbers, and IP addresses. Separately, the PIPL also defines “sensitive” PI, which is subject to stricter protection requirements. Sensitive PI includes (but is not limited to):
- Biometric data (such as fingerprints, iris and facial recognition information, and DNA)
- Data pertaining to religious beliefs or “specific identities”
- Medical history
- Financial accounts
- Location and whereabouts
- Any PI of minors under the age of 14
The definition of sensitive PI is further expounded upon in the Personal information security specification [GB/T 35273-2020].
However, it does not include data that has been anonymized or abstract data that doesn’t contain any specific PI on individuals, such as aggregated information. Meanwhile, the “processing” of PI is defined as “the collection, storage, use, processing, transmission, provision, publication, and erasure of PI”.
The Security Assessment Measures and Technical Specifications released in October 2021 and April 2022 clarify requirements for the first two clauses of Article 38 (clauses (1) and (2)), respectively. The new Standard Contract Measures, meanwhile, concern the third clause (Clause (3)), thus almost completing the implementation guidelines for CBDT requirements stipulated in the PIPL.
What is considered “PI export activity”?
In an important development, the Standard Contract Guidelines define “PI export activity”, something which has been absent from previous documents. It is defined as:
- When PI processors transmit and store PI that has been collected and generated during domestic operations overseas;
- When PI collected and generated by PI processors is stored within China, but overseas institutions, organizations, or individuals can inquire, retrieve, download, and export the PI;
- Other acts of exporting PI abroad as specified by the CAC.
This definition confirms the assumption that “PI export” does not only include the direct transfer and storage of PI to overseas locations but also remote access to PI stored in China by a person or entity located outside of China.
Although this definition provides more clarity for companies in assessing what constitutes PI export, it is nonetheless left somewhat open-ended as it includes an “other” clause that can be left up to interpretation by the authorities.
Which data operators are eligible to sign a “Standard Contract”?
The Standard Contract is arguably the simplest route to receiving approval to conduct CBDT, as it does not require an audit by either the CAC or an accredited third-party agency. However, companies going this route will be required to carry out a Personal Information Protection Impact Assessment (PIPIA), as we will see below.
Due to the simplified procedure, the Standard Contract only applies to relatively small data operators and companies that don’t handle data that is deemed to be of concern to national security and interests.
Companies that meet all of the following criteria are eligible to use the Standard Contract:
- They are not a critical information infrastructure operator (CIIO).
- Since January 1 of the current year, they have transferred the PI of between 100,000 people and one million people out of China (excluding sensitive PI).
- Since January 1 of the current year, they have transferred the “sensitive” PI of less than 10,000 people out of China.
The final version of the measures has also added a clause stating that PI processors cannot use means such as splitting up the PI that ought to undergo a security review into smaller batches in order to be eligible for the Standard Contract procedure. Under the PIPL, PI operators that exceed the above thresholds for data volume or handle sensitive PI are required to submit to a security review by the CAC before they can transfer it overseas.
Exemptions from signing a Standard Contract
The new regulations adopted on March 22, 2024, outline several scenarios in which companies can be exempted from undergoing any of the additional compliance procedures to transfer data out of China, including signing a standard contract.
In the following circumstances, companies do not need to sign a Standard Contract (or undergo any other compliance procedures):
- A company collects and generates data through activities such as international trade, cross-border transportation, academic cooperation, transnational manufacturing, and marketing, and it wishes to provide this data overseas, provided the data does not contain any PI or important data.
- If the PI collected and generated by a company outside of China is transferred to China for processing and then retransferred abroad, provided no domestic PI or important data is introduced during the processing.
In addition, companies may be exempted if they meet the following conditions:
- It is necessary to export PI to enter into and perform a contract to which an individual is a party, such as cross-border e-commerce, postal services, remittances, and payments, opening accounts, air ticket and hotel booking, visa processing, and examination services;
- It is necessary to export the PI of employees must be exported in order to implement human resources management in accordance with the labor rules and regulations and the collective contract signed with employees;
- It is necessary to export PI overseas in order to protect the life, health, and property of natural persons in an emergency; and
- If a company other than a CIIO has provided PI of less than 100,000 people (excluding sensitive PI) overseas since January 1 of the current year.
What must be evaluated in a PIPIA?
Before transferring PI overseas using the Standard Contract method, companies must conduct a PIPIA. According to the Standard Contract Measures, the PIPIA must assess the following matters:
- The legality, legitimacy, and necessity of the purpose, scope, and processing method of the data processor [in China] and the overseas recipient.
- The scale, scope, type, and sensitivity level of the outbound PI being, and the potential risks that the export of the PI can pose to the rights and interests of the PI subjects.
- The responsibilities and obligations that are undertaken by the overseas recipient, and whether the management and technical measures and capabilities for fulfilling these responsibilities and obligations can ensure the security of outbound PI.
- The risk of the PI being tampered with, destroyed, leaked, lost, or illegally used after being exported, and whether the channels for safeguarding the rights and interests of the PI subjects are unobstructed.
- The impact that the PI protection policies and regulations in the country or region where the overseas recipient is located may have on the fulfillment of the Standard Contract.
- Other matters that may affect the security of the outbound PI.
What must be stipulated in the Standard Contract?
The Standard Contract that is signed with the overseas recipient must strictly adhere to the template that has been provided along with the Standard Contract Measures. However, the CAC may sometimes adjust this template slightly according to the actual situation. The full template can be found along with the Standard Contract Measures on the CAC website.
The PI processors can agree on other terms with overseas recipients, but these cannot conflict with the requirements of the Standard Contract template. The export of PI can only be carried out after the Standard Contract takes effect.
The information that is required to be included in the Standard Contract per the CAC template includes (but is not limited to):
- Basic information of the PI processor [in China] and the overseas recipient, including but not limited to the company names, addresses, contact persons’ names, and contact information.
- The length of the contract and mutual PI processing activity.
- Information on the technical and management measures that the overseas recipient will employ to fulfill the obligations of the contract to protect PI and minimize security risks, such as encryption, anonymization, de-identification, access control, and other technical and management measures.
- Agreed methods for arbitration and dispute resolution in the event of a dispute.
The Standard Contract template contains nine articles in total and includes clauses on matters such as the obligations of the PI processor and the overseas recipient, the impact that PI protection policies and regulations in the country or region where the overseas recipient is located may have on the fulfillment of the contract, and the rights and interests of the PI subjects.
Filing procedures for the Standard Contract
Within 10 days of the contract taking effect, the PI processor must file requisite materials with the local provincial-level cybersecurity office. The PI processor can begin CBDT activities after the contract takes effect. All the materials must be delivered in both physical and electronic form.
The materials that need to be submitted are listed in the table below.
Documents Required for Filing the Standard Contract |
||
Document | Requirement | |
1 | Photocopy of the unified social credit code certificate (the certificate of the 18-digit number assigned to all companies in China) | Photocopy with company chop |
2 | Photocopy of the legal representative’s ID card | Photocopy with company chop |
3 | Photocopy of the ID card of the person in charge | Photocopy with company chop |
4 | Power of Attorney | Original copy |
5 | Letter of commitment | Original copy |
6 | Standard Contract | Original copy |
7 | PIPIA | Original copy |
Note: Templates for documents 4 to 7 above are provided in the Standard Contract Guidelines, which can be downloaded here. |
The provincial cybersecurity authorities will review the materials and notify the company of the result of the review within 15 days of their submission. If the review is successful, the authorities will issue the PI processor with a filing number. If it is unsuccessful, the PI processor will be sent a notice stating that it didn’t pass the review, including the reasons for this.
The company will be notified of whether it has passed or failed the review process in writing, and whether it may be required to provide supplementary materials. If the PI processor is required to supplement or make up for any missing materials, then it must resubmit them within 10 working days of receiving the notice.
In certain circumstances, the PI processor may have to redo the PIPIA, re-sign and re-file the Standard Contract, and complete other relevant filing procedures before the contract has expired. These circumstances are:
- There is a change to the purpose, scope, category, degree of sensitivity, processing method, or storage location of the PI provided overseas, a change to the purpose and method of processing the PI by the overseas recipients, or the period for overseas storage of the PI is extended.
- There are changes in the overseas PI protection policies and regulations that could affect the rights and interests of the PI subjects.
- Other circumstances that may affect the rights and interests of the PI subjects.
Resubmitted materials will be reviewed by the local authorities within 15 days of receiving them.
Violations of the Standard Contract Measures will be punishable in accordance with the PIPL and other relevant regulations.
Potential limitations to the Standard Contract Measures
The Standard Contract Measures provide a much clearer picture for China-based companies on how to handle CBDT activities, which has been one of the major concerns for foreign investors and MNCs. The contract template is also especially helpful as it clears any doubt surrounding the information that each party must provide and the obligations that they are liable to.
Current limitations to the Standard Contract Measures mostly stem from the lack of clear definitions of various terms introduced in other legislation and regulations.
For instance, the definition of a CIIO is still somewhat unclear. CIIOs are subject to significantly stricter data and cybersecurity requirements and a higher level of government oversight.
In the Regulations on the Security and Protection of Critical Information Infrastructure released in August 2021, the scope of CIIOs includes industries such as energy, transport, water, and national defense, among others. But the regulations also stipulate that they could include “any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks.”
For companies in some sectors, the definition is clear-cut. For others, less so, as the “any other” category could be interpreted to include major online services companies, such as Tencent’s WeChat or ride-hailing platform Didi. However, in many of these cases, these companies would not be eligible for the Standard Contract as their scope of operations likely exceeds the PI quantity limits stipulated in the Standard Contract Measures.
Regardless of the potential outliers, the Standard Contract Measures more than anything signal to companies that they must make serious considerations when evaluating compliance risks and actions to mitigate these risks.
Businesses that are planning on engaging in the overseas transfer of PI are advised to begin assessing the scope of PI that they are handling to understand whether they are eligible to use the Standard Contract method to transfer PI overseas before the measures come into effect. In addition, it is important for companies to review their current PI protection and risk assessment mechanisms to ensure that all processes are compliant with the PIPL and the Standard Contract Measures, as well as any other relevant regulations.
This article was originally published on July 4, 2022, and last updated on April 8, 2024, to reflect the latest updates.
About Us
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.
- Previous Article A Guide to China’s New Company Law for Foreign Investors – New Publication Out Now
- Next Article Cross-Border Data Transfer – New Measures Clarify Security Review Requirements