On February 24th 2023, the State Internet Information Office published the Measures for Standard Contract for Outbound Cross-border Transfer of Personal Information (Hereinafter referred to as “Measures for Standard Contract”), which will be effective from June 1st , 2023. The Measures for Standard Contract follows the official release of the Measures for Security Assessment of Outbound Data Transfers in July of last year and is another important regulation for data outbound transfers. In order to help enterprises better understand the latest regulatory provisions on standard contracts for the outbound cross-border transfer of personal information, this article will briefly introduce the application and highlights of the Measures for Standard Contracts.
Article 38 of the Personal Information Protection Law of People's Republic of China provides for three main compliance paths for the provision of personal information outside of China, namely "passing the security assessment organized by the State Internet Information Department", "having personal information protection certified by professional institutions in accordance with the regulations of the State Internet Information Department "and "concluding a contract with the overseas recipient in accordance with the standard contract established by the State Internet Information Service" (hereinafter referred to as the "standard contract compliance route"). Compared to the first two methods, signing the standard contract is generally considered to be a more convenient route for personal information transfer mechanisms at present.
2. Scenarios for the application of standard contracts
Standard contracts are only applicable to the cross-border transfer of personal information and should be subject to a security assessment if the outbound transfer of important data is involved. According to Article 4 of the Measures for Standard Contract, in general, if a processor of personal information provides personal information abroad by entering into a standard contract, the following circumstances shall also be met: (1) The processor is not a critical information infrastructure operator; (2) Handling personal information of less than one million individuals; (3) Having provided personal information of less than 100,000 individuals in aggregate to overseas recipients since January 1st of the previous year; and (4) Having provided sensitive personal information of less than 10,000 individuals in aggregate to any overseas recipients since January 1st of the previous year.
3. General steps for signing a standard contract
According to the Measures for Standard Contract, where a personal information processor adopts a standard contract compliance route, it shall do so in accordance with the following steps.
(1) Impact assessment: Prior to providing personal information outside of the country, the personal information processor shall conduct an impact assessment on the protection of personal information, which shall include the scale, scope, type and sensitivity of the outbound personal information.
(2) Signing a contract: The personal information processor and the overseas recipient shall supplement and communicate on the terms of the contract and sign it on the basis of mutual agreement.
(3) Regulatory filing: Within 10 working days from the effective date of the standard contract, the personal information processor shall file the contract with the provincial internet information department where it is located. The signed standard contract as well as the personal information protection impact assessment report shall be submitted for filing.
(4) Post-fact follow-up: When there is a situation where personal information is transferred abroad and the country/region of the overseas recipient's personal information protection policies and regulations change, the personal information processor shall re-conduct the personal information protection impact assessment, supplement or re-conclude the standard contract and perform the corresponding filing procedures.
With the advent of the big data era and the booming digital economy, the outbound cross-border transfer of personal information is unavoidable. The introduction of the Measures for Standard Contract further regulates the outbound activities of personal information and provides detailed regulatory requirements. Enterprises should take into account their own business needs, clarify scenarios for the cross-border flow of personal information and comply with the requirements of the regulatory authorities for the cross-border transfer of personal information.
If you are interested in the standard contract for the outbound transfer of personal information, you’re welcome to contact us: email@example.com.