Rajah & Tann Regional Round-Up
your snapshot of key legal developments in Asia
Issue 1 - Jan/Feb/Mar 2023
 

China Publishes Final Version of Standard Contract for Cross-border Personal Information Transfers

On 24 February 2023, the Cyberspace Administration of China ("CAC") released the Measures for the Standard Contract for Cross-border Transfers of Personal Information (个人信息出境标准合同办法) ("Measures") and the corresponding Standard Contract for Cross-border Transfers of Personal Information (个人信息出境标准合同) ("Standard Contract"), which will come into force on 1 June 2023. The Measures provide a six-month grace period from its effective date (i.e. before 1 December 2023) for entities/any relevant parties to rectify any non-compliance with the Measures.


Only a Personal Information Processor ("PIP") who satisfies all of the following conditions may use the method of signing a Standard Contract to export personal information:


  1. It is not a critical information infrastructure operator.
  2. It processes the personal information of less than one million people.
  3. It has exported the personal information of fewer than 100,000 people since 1 January of the previous year.
  4. It has exported sensitive personal information of fewer than 10,000 people since 1 January of the previous year.

According to the Measures, before transferring the personal information abroad, the PIP must first perform a personal information protection impact assessment, focusing on the legality, risk of the transfer, and the overseas recipient's undertakings and capabilities, etc. The PIP and its recipient shall strictly follow the version of the Standard Contract appended to the Measures but may agree on other terms. The PIP then must file the impact assessment report and executed Standard Contract with the cyberspace administration of the province or equivalent where it is located. 


Compared with the last version of the Standard Contract issued by CAC last year for public comments, there are no substantial changes to the obligations of the parties under the final version of the Standard Contract. Instead, it mainly refines and optimises the content of obligations and the method of coordination between the parties. The PIP is responsible for informing and obtaining consent from the personal information subject, ensuring the overseas recipient's compliance, and responding to regulators' inquiries, etc. The overseas recipient must process personal information as agreed, minimise the impact on individuals, safeguard data security, and inform the PIP and regulators of any raised risks. However, in terms of the personal information subject’s rights, it is noteworthy that the final version further specifies that the personal information subject, as a third-party beneficiary, may initiate legal proceedings in respect of the dispute under this contract to the people's court with jurisdiction in China.



Please note that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice.

 

Rajah & Tann Singapore LLP
Shanghai Representative Office

Unit 1905-1906, Shui On Plaza,
333 Huai Hai Middle Road,
Shanghai 200021 PRC
http://cn.rajahtann.com


Contacts:

Chia Kim Huat
Partner
D +65 62320464
kim.huat.chia@rajahtann.com

Linda Qiao
Head, Shanghai Office
D +86 21 6120 8818
F +86 21 6120 8820
linda.qiao@rajahtann.com

Rajah & Tann Asia is a network of legal practices based in Asia.

Member firms are independently constituted and regulated in accordance with relevant local legal requirements. Services provided by a member firm are governed by the terms of engagement between the member firm and the client.

This update is solely intended to provide general information and does not provide any advice or create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on this update.