On 30 June 2022, the Cyberspace Administration of China (“CAC”) released a draft of the long-awaited standard contract for personal information export and an accompanying regulation (“Standard Contract Regulation”) for public consultation.
In this article, we highlight the key provisions of the draft standard contract and relevant regulation and set out our observations on the proposed measures.
Article 38 of the Personal Information Protection Law (“PIPL”) (For our comments on the PIPL, please click here) provides for three routes for personal information processors (“PI Processors”) to export personal information (“PI”), namely:
The CAC released the Measures of Security Assessment for Data Export (“Security Assessment Measures”) in July 2022, which set out in more detail the Thresholds and the procedures of the Governmental Assessment. (For our comments on the Security Assessment Measures, please click here).
In June 2022, the National Information Security Standardization Technical Committee released the Technical Specification for Certification of Personal Information Cross-border Processing (“Certification Specification”), which is the first attempt to provide more guidance on implementing the Certification Regime (For our comments on the Certification Regime, please click here).
Whilst the Governmental Assessment is compulsory for certain PI processors, most other PI processors will not be able or willing to go through the process for various reasons. The Certification Regime appears to be designed for intra-group transfers between entities of the same group or organisation, but the Certification Specification has not provided enough authority or guidance for the regime to be operational. The requirements under Certification Specification may also render the Certification Regime less attractive to multinational companies and international organisations.
The Standard Contract is therefore expected to be the most commonly-used route for data export by the PI processors. The draft Standard Contact and the draft Standard Contract Regulation provide us with a preview on the proposed regime in China.
Under the PIPL, the PI Processor may consider using the Standard Contract as its route for exporting PI, only if the proposed export is not subject to the Governmental Assessment.
The Security Assessment Measures lay down detailed scenarios where the Governmental Assessment applies to data export, which include:
Therefore, the PI Processor will not be able to use the Standard Contract in the above scenarios, where personal information is exported. This is also confirmed by the Standard Contract Regulation.
The draft Standard Contract Regulation refers to the exporter as the “PI Processor”, which is in line with the PIPL. Apparently, neither the PIPL nor the draft Standard Contract Regulation contemplates that the restrictions on data export will apply to exporters who are entrusted by the PI Processor with processing PI (“Entrusted Parties”), the equivalent of a data processor under the GDPR. The Security Assessment Measures take a similar position where only an exporter that is a PI Processor is eligible for the Governmental Assessment. It is not clear whether it is the intention of the authorities or a loophole that the Entrusted Parties will be exempted from the data export regulatory regime.
Unlike the standard contractual clauses (“SCCs”) approved by the European Commission, the draft Standard Contract does not provide for different modules suitable for transfers between different types of exporters and importers according to their roles as a PI Processor or an Entrusted Party in the data processing activities. On the other hand, the draft Standard Contract does not differentiate the role of the data importer as a PI processor or an entrusted party. The data importer is defined as the organisation or individual located outside China who receives PI from a PI processor.
In summary, a data exporter that is a PI Processor may use the Standard Contract to export personal information to a data importer that is either a PI Processor or an Entrusted Party.
One question that will arise is who will be appropriate signatories to the Standard Contract, for example, when the PI Processor exports personal information via an Entrusted Party in China or when the data importer receives the PI via an Entrusted Party outside China. Should all the parties involved in the processing activities sign the Standard Contract or should the parties that transfer and receive the data do that? In the absence of clear guidance from the authorities, we expect to see different interpretations in practice.
Personal information protection impact assessment (“PIPIA”)
The PIPL requires a PI Processor to conduct a PIPIA for, amongst others, exporting PI and keep a record for that. The draft Standard Contract Regulation further provides for key aspects that a PIPIA for data export must cover, including:
So far, the authorities have not published any guidelines on how to conduct the PIPIA. The National Information Security Standardization Technical Committee has published two drafts of guidance on PI export security assessment but has yet to finalise the guidance. It also published recommended national standards on conducting personal information security impact assessment in 2020, but with the effectiveness of the PIPL in 2021 these standards will need to be updated if those were to be used for the purpose of the PIPIA.
Transfer Impact Assessment (“TIA”)
The concept of a TIA originates from the European Court of Justice in its Schrems II decision, where a data exporter is required to, with the assistance of the importer, (i) verify whether the law of the third country of destination ensures adequate protection (under the EU law) of PI being transferred pursuant to the SCCs; and (ii) provide additional safeguards to those offered by the clauses if the protection is not adequate.
European Data Protection Board in its guidance requires a data exporter to assess whether the laws and practices in the third country of destination may impinge on the effectiveness of the safeguards adopted by the data exporter and specifies the necessary components of the assessment.
Under clause 14 of the new SCCs approved by the European Commission in 2021, the data exporters and importers are required to warrant that (i) the laws and practices of the third country of destination do not prevent the data importer from fulfilling its obligations under the SCCs; and (ii) they have taken specific factors into consideration and agree to document the assessment for inspection by the authorities. The importers must also represent that it has made its best efforts to provide the data exporter with the relevant information. As a result, the TIA has become a standard process for export of PI from the European Economic Area (“EEA”) to a country outside the EEA that is deemed to not have provided adequate level of protection.
Under the draft Standard Contract Regulation, the PIPIA will also include assessment of the impact of the PI protection policies, laws and regulations of the country or region where the data importer is located upon the performance of the Standard Contract.
Clause 4 of the draft Standard Contract requires the data exporters and importers to warrant that:
a. details of the export, including, amongst others, whether the importers have received request from public authorities to provide PI and how the importers responded to the requests;
b. the key factors of the PI protection policies, laws and regulations of the country or region where the data importers are located, including
i. the PI protection laws, regulations and applicable standards;
ii. the regional or global PI protection organisations such country or region has joined and the undertakings it has given; and
iii. the mechanism for implementing PI protection, e.g. whether there are PI protection supervisory authority and relevant judicial bodies; and
c. the security management system and technical security capability of the data importers.
The data importers must represent that they have used their best efforts to provide necessary information to the data exporters. Both the data exporters and importers must record the assessment process and results in writing, which gives rise to a formal contractual obligation to conduct a TIA.
The requirements for TIA under the GDPR and the draft Standard Contract Regulation are quite similar, except that in China the TIA will likely be made part of the PIPIA for data export. The exporters are expected to file the signed Standard Contract and the PIPIA report with the provincial level CAC within ten business days of the Standard Contract taking effect.
The data exporters must undertake in the Standard Contract to notify the individuals that they have been made third-party beneficiaries unless they expressly refuse within 30 days of being notified. The data exporters will now need to make sure that they have included in the privacy notice content on third-party beneficiaries and contact details, via which the individuals express their objection.
In addition, as third-party beneficiaries, individuals are given the rights to enforce the obligations of the data exporters and importers under the Standard Contract. In particular,
To enforce their rights in a dispute with the data exporters or the importers, individuals may elect to (i) file a complaint with the supervisory authority or (ii) lodge a lawsuit against the parties to the Standard Contract in accordance with the Chinese laws. Individuals are entitled to damages from the party that infringes the rights of the individuals as a result of a breach of the Standard Contract.
Where the individuals decide to bring a lawsuit against the parties to the Standard Contract, the court of competent jurisdiction will be determined by the Chinese civil procedure laws. It is worth noting that the enforcement of a Chinese court judgement may be difficult outside China and that the exporters are liable for losses caused to the individuals by the data importers under the draft Standard Contract. As such, the individuals are more likely to bring civil actions against the data exporters.
Data importers are obliged not to provide the PI to a third party located outside China unless the data importers have:
The use of the word “provide” seems to indicate that both the data importer and the third party receiving the PI are PI processors. This interpretation is in line with the way that PIPL uses the word “provide” to indicate sharing by a PI processor with a separate one.
The Standard Contract goes on to require the data importer that is an Entrusted Party of the data exporter to obtain consent of the data exporter before sub-entrusting a third party for processing.
It appears that the Standard Contract imposes different requirements on data importers that are separate PI Processors and those that are the Entrusted Parties of the data exporter.
Reporting obligations of data importers
In the event of a data breach, the data importers are obliged to not only notify the data exporters but also the supervisory authority of China in accordance with the Chinese laws. Individuals must also be notified where required by applicable laws and regulations.
The provisions have extended the reporting obligations under the Chinese law to the data importers irrespective of whether the data importers are subject to any extraterritorial effect of the laws.
Arbitration as dispute resolution
The draft Standard Contract allows the parties to settle their dispute via arbitration, and the parties can also agree upon the arbitration institutions and venues. Notably, the parties may choose an arbitration institution of a country that is a party of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards, which allows for the possibility of having their case heard by a foreign arbitration institution.
Data exporters’ right to information
Data importers are obliged under the draft Standard Contract to provide necessary information to the data exporters to prove the data importers’ compliance with the contract, including allowing the data exporters to access relevant documents or audit the relevant data processing activities. In practice, the parties may would like to further define the scope of the data exporters’ right to information to avoid any potential dispute.
The release of the draft Standard Contract and the relevant regulation marks a step closer toward establishing China mechanism for exporting PI via Standard Contract. Whilst the draft Standard Contract of China bears many similarities with the SCCs under the GDPR, the data importers and exporters should pay attention to the worth-noting differences and consider its compatibility with the current cross-border transfer tools.
 A personal information processor is defined as an organisation or individual that independently determines the purposes and means of the processing, akin to the concept of data controller under the General Data Protection Regulation (“GDPR”) of the European Union.