On 24 February 2023, the Cyberspace Administration of China ("CAC") released the Measures for the Standard Contract for Cross-border Transfers of Personal Information (个人信息出境标准合同办法) ("Measures") and the corresponding Standard Contract for Cross-border Transfers of Personal Information (个人信息出境标准合同) ("Standard Contract"), which will come into force on 1 June 2023. The Measures provide a six-month grace period from its effective date (i.e. before 1 December 2023) for entities/any relevant parties to rectify any non-compliance with the Measures.
Only a Personal Information Processor ("PIP") who satisfies all of the following conditions may use the method of signing a Standard Contract to export personal information:
- It is not a critical information infrastructure operator.
- It processes the personal information of less than one million people.
- It has exported the personal information of fewer than 100,000 people since 1 January of the previous year.
- It has exported sensitive personal information of fewer than 10,000 people since 1 January of the previous year.
According to the Measures, before transferring the personal information abroad, the PIP must first perform a personal information protection impact assessment, focusing on the legality, risk of the transfer, and the overseas recipient's undertakings and capabilities, etc. The PIP and its recipient shall strictly follow the version of the Standard Contract appended to the Measures but may agree on other terms. The PIP then must file the impact assessment report and executed Standard Contract with the cyberspace administration of the province or equivalent where it is located.
Compared with the last version of the Standard Contract issued by CAC last year for public comments, there are no substantial changes to the obligations of the parties under the final version of the Standard Contract. Instead, it mainly refines and optimises the content of obligations and the method of coordination between the parties. The PIP is responsible for informing and obtaining consent from the personal information subject, ensuring the overseas recipient's compliance, and responding to regulators' inquiries, etc. The overseas recipient must process personal information as agreed, minimise the impact on individuals, safeguard data security, and inform the PIP and regulators of any raised risks. However, in terms of the personal information subject’s rights, it is noteworthy that the final version further specifies that the personal information subject, as a third-party beneficiary, may initiate legal proceedings in respect of the dispute under this contract to the people's court with jurisdiction in China.
