Protection of personal information and specifically,
in the context of transferring the same out from China is one of the hottest
issues in the field of data law. This is almost relevant to all foreign
companies conducting business in China, as it may be inevitable that personal
information collected by Chinese subsidiaries may have to be passed to the
foreign headquarters.
Following the implementation of the Personal
Information Protection Law (“PIPL”) in 2021, which outlines the framework of
requirements for outbound transfer of personal information from China, the Cyberspace Administration
of China (“CAC”) has finally published the Measures for the Standard Contract
for the Outbound Transfer of Personal Information (the “Measures”) along with
the finalized version of the Standard Contract for the Outbound Transfer of
Personal Information (the “Standard Contract”), and will take effect starting
from June 2023.
In particular, the Standard Contract which sets out the standard contractual clauses to be entered between the data processor transferring personal information out of China and the overseas recipient receiving such personal information outside China, sheds light on the specific obligations of the parties. In this article, we will go through the must-know compliance requirements for outbound data transfer under the existing legal framework.
Among the other more general requirements under the PIPL, it
is specifically set out in Article 38 of the PIPL that at least one of the
following conditions shall be met before personal
information may be transferred out from China:-
It is further specified under Article 4 of the
Measures for the Security Assessment of Outbound Data Transfer, which came into
effect in September 2022 that security assessment organized by the CAC (under
No. 1 above) must be conducted in the following circumstances:-
However, how one may pass the security assessment organized by the CAC remains uncertain, and the implementation details for obtaining the personal information protection certification (under No. 2 above) are yet to be published. As such, unless the above circumstance(s) for security assessment is/are triggered, the Standard Contract (under No. 3) is generally considered the most practical way to fulfil the requirements on outbound transfer under Article 38 of the PIPL.
It is expressly specified in the Measures that the Standard
Contract shall be adopted in its entirety and without deviation. For example,
by entering into the Standard Contract, the data processor and the overseas
recipient agree to submit to supervision of their data processing activities by
the relevant authorities in China. Further, the data subject, as a third party
beneficiary under the Standard Contract, may enforce his/her rights under the
Standard Contract against the data processor and/or the overseas recipient by
litigation in China.
On the other hand, the obligations of the data processor
under the Standard Contract are generally in line with the requirements under
the PIPL, and the same include:-
Further, it should be noted that even in case the main data
processing activities are outsourced to the overseas recipient, the data
processor transferring such personal information abroad is still responsible to
supervise the activities of the overseas recipient. It is further stipulated
under the Standard Contract that the data processor undertakes:-
As for the overseas recipient, with the extra-territorial
effect of the PIPL, the requirements on a data processor under the PIPL apply to
it, and it is expressly obliged under the Standard Contract, among others:-
The Measures and the Standard Contract will become effective
on 1st June 2023, and after such effective date, in applicable cases
as discussed above, the Standard Contract must be entered into between the data
processor and the overseas recipient before any personal information is
transferred out from China.
It is to be further stressed that in addition to the adoption
of the Standard Contract (which was previously considered to be a private
agreement between the data processor in China and the data recipient overseas),
the Measures specifically requires that the data processor collecting data in
China and transferring the same out of China shall make a recordation with the
CAC within 10 working days from the effective date of the Standard Contract.
Not only should the Standard Contract be recorded, the data processor shall
also conduct the personal information protection impact assessment (the
“PIPIA”), and the corresponding report shall be recorded together with the
Standard Contract. Therefore, besides ensuring the adoption and execution of
the finalized version of the Standard Contract with the overseas recipients, data
processors shall also ensure that their PIPIA reports are ready to be submitted
for recordation purpose, by the requisite deadline.
On the other hand, a grace period is provided for transfers
occurring before 1st June 2023, that there is a six-month period
(i.e. until 1st December 2023) to rectify existing practice for
compliance with the Measures and adoption of the Standard Contract. Data
processors who wish to rely on the Standard Contract shall therefore immediately
review their data transfer activities and agreements entered into with overseas
recipients, and to bring the same into compliance within the grace period.
It is expected that further rules and guidelines on the
implementation of the PIPL and related regulations, including the details for the
recordation with the CAC will be published. We will closely monitor the same
and keep you posted on any further developments.
© Vivien Chan & Co., Newsletter issue 03, March 2023
All Rights Reserved
About Us
Vivien Chan & Co. is a full-service law practice with offices in Hong Kong (1985) and Beijing (1993). We are consistently recognized as a premier law firm for and in Greater China. With over 35 years of doing business in Greater China, our Hong Kong and China teams have an in-depth understanding and knowledge of the legal culture and market dynamics.
Our long established licensed law offices in Greater China have allowed us to develop deep local roots and an integrated global perspective necessary to help domestic businesses and multinational companies alike seamlessly manage even the most complex local and cross border transactions.
We have advised on some of the most significant acquisitions, arbitrations, real estate projects and intellectual property enforcement to date. This is particularly evident from our leading position in areas such as intellectual property, tax, employment, mergers & acquisitions and dispute resolution. Our ability to collaborate across practices and borders with ease allows us to bring the right team to every transaction, regardless of location.