Rajah & Tann Regional Round-Up
your snapshot of key legal developments in Asia
 Issue 2 - Apr/May/Jun 2022
 

China Publishes Draft Regulation on Standard Contract for Exporting Personal Information

On 30 June 2022, the Cyberspace Administration of China ("CAC") released for public comments the draft Regulations on Standard Contract for the Export of Personal Information ("Draft Regulation"), which incorporates a template for the Standard Contract for the Export of Personal Information ("Standard Contract"). The public consultation closes on 29 July 2022.


The Draft Regulation supplements Clause 38 of the Personal Information Protection Law ("PIPL") which requires a personal information processor ("PI Processor") to meet one of the three conditions before exporting personal information outside China which, includes the "signing [of] the standard contract formulated by the CAC with the overseas recipient".


Only a PI Processor who satisfies all of the following conditions may use the method of signing Standard Contract to export personal information:


  1. He is not a critical information infrastructure operator.
  2. He processes personal information of less than one million people.
  3. He has exported personal information of fewer than 100,000 people since 1 January of the previous year.
  4. He has exported sensitive personal information of fewer than 10,000 people since 1 January of the previous year.

If the above provision is read together with Clause 4 of the Data Export Security Assessment Measures issued by CAC on 7 July 2022, it can be construed that if a PI Processor does not satisfy any one of the above conditions, he shall go through the CAC security assessment procedures. 


The Draft Regulation mandates PI Processors to conduct a Personal Information Protection Impact Assessment ("PIPIA") before exporting the personal information, consistent with the requirements set out in Clauses 55 and 56 of the PIPL. In addition, PI Processors are required to assess the personal information protection policy and legislation of the country of the overseas recipients, and their impact on the enforceability of the Standard Contract. The PI Processors must file the signed Standard Contract and its corresponding PIPIA report with the local department of CAC within 10 working days from the effective date of the Standard Contract.


The Draft Regulation, together with the PIPL and its recent implementing rules, shows China's determination to enhance the protection of personal information. Notably, the newly-introduced filing requirement may significantly increase the burden on PI Processors, especially for multinational companies with globally-centralised systems.



Please note that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice.

 

Rajah & Tann Singapore LLP
Shanghai Representative Office
Unit 1905-1906, Shui On Plaza,
333 Huai Hai Middle Road,
Shanghai 200021 PRC
http://cn.rajahtann.com

Contacts:

Chia Kim Huat
Partner
D +65 62320464
kim.huat.chia@rajahtann.com

Linda Qiao
Head, Shanghai Office
D +86 21 6120 8818
F +86 21 6120 8820
linda.qiao@rajahtann.com

Rajah & Tann Asia is a network of legal practices based in Asia.

Member firms are independently constituted and regulated in accordance with relevant local legal requirements. Services provided by a member firm are governed by the terms of engagement between the member firm and the client.

This update is solely intended to provide general information and does not provide any advice or create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on this update.