In February 2023, the Cyberspace Administration of China (CAC) released the final version of the Measures for the Standard Contract for the Cross-Border Transfer of Personal Information, along with the Standard Contractual Clauses (SCCs), a model contract for transfers of personal information out of China that do not require security assessment under China’s Personal Information Protection Law (PIPL).
Largely based on the draft made public for comment in June 2022, the Measures prescribe how to establish a legal agreement between the parties involved in transferring personal data outside China, as stipulated by the PIPL. According to the SCCs, the contract parties are an onshore personal information controller, defined as an entity (organization or individual) that determines the purpose and method of processing personal information and provides personal information out of China, and an offshore data recipient. No substantive alterations to the SCCs are allowed, but the contract parties may supplement the SCCs with additional clauses on matters not covered by the SCCs, provided that those separately agreed clauses do not conflict with the SCCs.
In addition to the SCCs, before any cross-border data transfer, personal information controllers are required to carry out a Personal Information Protection Impact Assessment, which is expected to address issues that might affect the security of the personal information to be transferred outbound, such as:
i) the legality, legitimacy, and necessity of the purpose, scope, and method of processing personal information by the personal information controller and the overseas recipient;
ii) the volume, scope, category, and sensitivity of personal information to be transferred outbound;
iii) the risks to the data subjects’ rights and interests; and
iv) the impact of personal information protection policies and regulations in the country of origin where the overseas recipient is located.
The personal information controllers need to file the assessment report and the SCCs with the provincial branches of the CAC for record within ten working days of the execution of the SCCs.
Not every cross-border personal data transfer case is eligible to adopt the SCCs to comply with the PIPL, as some of them have other requirements to meet. For example, if the cross-border transfer involves “important data”, which is defined as “any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety”, then a security assessment is mandatory before the transfer. It is also required if the transfer is carried out by controllers that have processed personal information of more than one million individuals. If the controllers have transferred personal information of over 100,000 individuals or “sensitive” personal information of more than 10,000 persons abroad since January 1 of the preceding year, they must undergo the security assessment as well.
In addition, the Measures exclude critical information infrastructure operators from adopting the SCCs for transferring data out of China. These are companies in essential industries, such as finance, energy, and telecom, where a data breach or system malfunction could affect national security or the public interest. Instead, they are required to pass the security assessment under the Cybersecurity Law.
Katherine Wang, partner at Ropes & Gray in Shanghai, said: “Many life sciences companies routinely process clinical study data and personal information of healthcare professionals in China. The clinical study data will typically be consolidated at a central server outside China. Clinical study data is de-identified personal information and is subject to China’s data privacy law and cross-border data transfer regulation. If the amount of clinical study data exceeds the statutory threshold, these life sciences companies will undergo a security review by the CAC. In addition to the life sciences sector, the other sector that will be heavily impacted by the data privacy law is the technology, media & telecom sector.”
The Measures will come into effect on June 1, 2023, with a six-month grace period, meaning companies will have until November 30, 2023 to take necessary measures to comply with the requirements for their cross-border transfer of personal information. Wang suggested: “Companies will need to assess if they are subject to the security review for cross-border data transfer, establish processes and policies for the protection of personal information, and appoint responsible personnel for cybersecurity and data privacy compliance.”