On February 24, 2023, the Cyberspace Administration of China (“CAC”) officially promulgated the Standard Contract Measures for the Export of Personal Information (the “SCC Measures”)1, which will come into effect on June 1, 2023. CAC eight months earlier in June 2022 had circulated the draft Measures for public comment. The SCC Measures have now been finalized and officially promulgated.
Promulgation of the SCC Measures indicates that the regulatory regime for all three channels to conduct the outbound transfer (export) of personal information (“PI”) provided under the Personal Information Protection Law (“PIPL”) is largely complete and the CAC has the legal basis to take corresponding enforcement action for violations.
(i) a CAC-led security assessment if the data to be exported constitutes Important Data (i.e., data that has a potential bearing on national security, economic security or the public interest), involves data of Critical Information Infrastructure Operators (“CIIOs”) (referring to entities in such important industrial sectors as public communications and information services, energy, public transportation, water, financial services, public services, E-government services, national defense and other important network facilities or information systems the compromise of which may seriously harm national security or economy or the people’s livelihood) or the quantity of PI to be exported crosses the relevant quantitative threshold;
The CAC-led security assessment is regulated under the Outbound Data Transfer Security Assessment Measures (“Security Assessment Measures”) effective September 1, 2022.2In a nutshell, a CAC-led security assessment applies where the outbound data transfer activities involves any of the following: (i) outbound transfer of Important Data by a data processor; (ii) outbound transfer of data by a CIIO; (iii) outbound transfer of data by a PI processor who processes PI of 1 million or more persons; and (iv) outbound transfer of data by a PI processor which has in aggregate transferred overseas PI of 100,000 or more persons or Sensitive PI of 10,000 or more persons since January 1 of the previous year.
(ii) execution with the overseas data recipient of government-approved standard contract clauses (“SCC”); and
(iii) Personal Information Protection Certification (“PIPC”) by a government-approved entity.
The PIPC is regulated under the TC260-PG-20222A - The Practical Guide to Cybersecurity Standards – Specifications on Security Certification for Cross-Border Personal Information Processing Activities (V2.0-202212) promulgated by the National Information Security Standardization Technical Committee (“TC260”) on December 16, 2022 (“Certification Specifications V2.0”).3 The China Cybersecurity Review Technology and Certification Center (“CCRC”), a state-owned certification institution directly under the supervision of the State Administration for Market Regulation, was recently designated one of the first certification institutions approved to conduct PIPC.4
The Security Assessment Measures granted a 6-month grace period through March 1, 2023 for companies to conduct a self-assessment on data export compliance and, if the reporting threshold is met, submit a formal application to CAC for an outbound data security assessment. We understand that CAC has so far received several dozen formal applications from companies engaged in the social media, e-commerce, internet platform, automotive, healthcare and aviation industries in particular.
If the reporting threshold under the Security Assessment Measures is not met, companies may choose to use either (ii) the SCC or (iii) PIPC to conduct outbound PI transfer activities.
According to the CAC, the purpose of the SCC Measures is to implement the provisions of the PIPL, protect the rights and interests of PI subjects, and regulate the export of PI.
The SCC Measures allow PI processors engaging in outbound transfer of PI to enter into standard contracts with overseas recipients. PI processors in China which intend to conduct outbound PI transfer activities through standard contracts need to enter into standard contracts with overseas data recipients using the template SCC attached to the SCC Measures and file the same with their provincial-level CAC within 10 days after the standard contract takes effect.
To be eligible for the use of SCC, a PI processor which engages in outbound PI transfer activities must not be a CIIO and must process PI of less than 1 million people and have provided overseas, on a cumulative basis, PI of less than 100,000 people or Sensitive PI of less than 10,000 people since January 1 of the previous year. PI processors using standard contracts may not circumvent the CAC-led security assessment requirement by manipulating the volume of PI exported by such methods as subdividing the volume.
The SCC Measures also require that PI processors conduct a PI protection impact self-assessment before transferring the PI overseas and a PI self-assessment report needs to be filed with the provincial-level CAC together with the standard contracts.
PI processors are obligated to re-assess the impact of PI protection, supplement or enter into new standard contracts, and repeat the CAC filing if there is a major change to the key information subject to the standard contract including, for example, a change to the purpose, scope, type of data to be exported, sensitivity level, data storage location, uses of the data by overseas recipients, or change in the laws and regulations of the data recipient’s home country that is likely to impact protection of the PI.
The SCC Measures include a template SCC as attachment. The template SCC provides that Chinese law must be the governing law of the contract and the foreign data recipient must accept Chinese law jurisdiction.
As with the Security Assessment Measures, the SCC Measures also grant a 6-month grace period (from June 1, 2023 through December 1, 2023) during which PI processors in China are expected to bring their outbound data transfer activities into conformity with the requirements of the SCC Measures.