China: final form of standard contract for cross-border transfers of personal data released

The Cyber Security Administration of China (CAC) has now published the final version of the standard contract (the Standard Contract).

The Standard Contract and the related Measures on the Standard Contract for Outbound Cross-border Transfer of Personal Information (the Standard Contract Measures) were released on 24 February 2023 and will take effect as of 1 June 2023.

Entry into a data transfer agreement (a DTA) in conformity with Standard Contract is one of three permissible routes for outbound transfers of personal data by most organisations, and is likely to be the preferred route for low volumes of data transfers, assuming that it is not necessary for the organisation to complete a security assessment with the CAC.

Pre-requisites for reliance on the Standard Contract

• If any one of the four conditions set out below is met then the CAC’s approval would be needed for the data transfer after completing a security assessment; namely if the data exporter:
  • is an operator of critical information infrastructure
  • holds/ processes the personal data in China of more than one million individuals
  • has transferred out of China the personal data of more than 100,000 individuals since 1 January of the previous year
  • has transferred out of China the sensitive personal data of more than 10,000 individuals since 1 January of the previous year.
• The Standard Contract Measures prohibit a data exporter from splitting up overseas transfers of personal data or adopting “other means” in order to circumvent the volume thresholds. However, this does not address the central uncertainty in how the volume thresholds are to be applied across a corporate group. Absent definitive guidance on this point, the most coherent position we have heard after consulting with various provincial branches of the CAC is that the thresholds should be applied to each data controller - in which case the count of personal data “held/ processed” by that controller should take account of data that is stored (or transferred) by an affiliate only if that data is in fact controlled by the same controller. Such a scenario might arise if, for example, one affiliate in a corporate group in China manages a data centre/ third party data centre provider and stores the records of the employees of another entity in the group.
• The data exporter will need to conduct a data transfer impact assessment (the DTIA) in respect of any cross-border transfer of personal data. The Standard Contract Measures provide that a DTIA should make an assessment of the risks involved in the outbound data transfer, including assessing:
  • whether the data transfer is legal, legitimate and necessary considering the purpose, scope and ‘method’ of processing, the amount, extent and sensitivity of the data, and the potential risks posed to the rights/ interests of the individual data subjects involved
  • the sufficiency of the overseas recipient’s technical and organisational data security posture, and other contractual obligations owed to the data transferor, to ensure the security of personal data to be transferred
  • the risks of unauthorised access to or use of the data after it is transferred overseas
  • the channels for individuals to exercise their data subject rights
  • the regulatory environment in the recipient jurisdiction on the performance of the DTA (or equivalent).
• The DTIA will need to be filed with the provincial-level CAC within 10 working days (a record filing) after its effectiveness, together with a copy of the DTA (if relying on the Standard Contract).
• A separate, specific consent needs to be obtained for any transfers of personal data out of China.

Key terms in the Standard Contract 

• The purpose, scope, type, sensitivity, quantity, method, retention period, storage location, and other descriptions of the personal data to be transferred are to be set out in an appendix.
• The data exporter’s main obligations include:
  • To notify data subjects that they are a third-party beneficiary of rights under the Standard Contract. In practice, this can be communicated as part of the organisation’s usual privacy notices rather than requiring a separate notification per se.
  • To obtain a further separate, specific consent if any of the transferred data is to be transferred onwards to a new location outside of China.
  • To provide a copy of the agreement with any onward transferee/ data processor to data subjects on request. The agreement has to ensure that the third party transferee handles the data in compliance with no lesser standards than those required by Chinese law and obtains the data exporter’s approval to its own appointment of a data processor.
  • To maintain records of data transfers for at least three years.
• The data importer’s main obligations include:
  • To adopt the technical and organisational security measures provided for in the DTA, including by implementing access controls.
  • To obtain approval from the original data exporter for the appointment of sub-processors.
  • To delete the transferred data after expiry of the applicable retention period prescribed in the DTA, or to place the data into cold storage if it is not feasible to purge the data from its systems.
  • To take immediate remedial measures in response to a data security incident, notify the data exporter, report the incident to the CAC and notify affected data subjects if required by Chinese law.    
  • To cooperate with compliance audits of its data processing activities involving the transferred data.
  • To maintain records of processing activities for at least three years, as well as a record of all remediation actions taken in response to a data security incident.
  • To submit to the supervision of the CAC, including by responding to enquiries, cooperating in inspections, and complying with orders or measures required by the CAC, etc.
  • To notify the data exporter of any change in local laws that are incompatible with its performance of the DTA.
  • To immediately notify the data exporter of any data access requests by any governmental or law enforcement body.
  • To comply with any exercise of individual data subject rights (rights of access, rectification, erasure, to object to automated decision-making and to request transfer of data to another service provider (although the CAC’s rules for the portability requirement have yet to be published). The data importer also has to identify a contact person for such enquiries, by providing a separate notice or publishing an announcement on its website, etc.

Third-party beneficiary rights for data subjects

• The Standard Contract gives individuals whose personal data is transferred under the DTA contractual enforcement rights as a third party beneficiary. 
• Claims can be brought against either the data exporter or importer, and each is liable to the extent of any damage it causes to the rights and interests of the data subject. If the exporter and importer are jointly liable, data subjects may claim against either one or both of them.

Rectification period

• The Standard Contract Measures provide for a six-month rectification period (expiring 30 November 2023) for any uncompliant data transfers that were conducted before that date. No further explanation is given.
• We interpret this requirement to mean that DTAs conforming to the model clauses should be applied retroactively in respect of any outbound data transfers that took place at any time after the PIPL took effect on 1 November 2021, since the underlying controls over outbound data transfers have been formally in effect since this date (including the key requirement for DTA).