China’s new Standard Contractual Clauses – finally released! | China’s version of the standard contract has finally officially landed!

03-03-2023

Organisations that process personal data of individuals within the PRC now have some further clarity on how to facilitate lawful cross-border data transfers from the PRC.

The Cyberspace Administration of China (“CAC”) recently published the Rules on Standard Contracts Regarding Export of Personal Information (个人信息出境标准合同办法) (“SCC Rules”), and also attached the final template “standard contractual clauses” (“SCCs”; see attached, in Chinese only).

The SCCs will become effective from 1 June 2023, and organisations are required to achieve full compliance with these rules by 1 December 2023.

We have set out below our initial observations following the CAC’s announcement:

1. The previously announced thresholds that enable an organisation to rely on the SCCs still apply. To recap, an organisation may rely on the SCCs to facilitate cross-border transfers if all of the following conditions are met:

  1. the controller is not a “critical information infrastructure operator”;

  2. the controller processes personal data of fewer than 1 million individuals;

  3. since 1 January of the previous year, the controller has transferred personal data of fewer than 100,000 individuals on a cumulative basis to outside Mainland China; and

  4. since 1 January of the previous year, the controller has transferred sensitive personal data of fewer than 10,000 individuals on a cumulative basis to outside Mainland China.

Controllers which do not satisfy the above conditions will be required to pass a CAC-led security assessment (the grace period of rectification lapsed earlier this week on 1 March 2023) before they can transfer personal information to outside Mainland China. In particular, the SCC Rules emphasize that controllers must not split the quantity of the data subjects in cross-border transfers for the purpose of circumventing the obligation to pass the aforesaid CAC-led security assessment.

2. Unlike the EU, which adopts four modules (i.e. C2C, C2P, P2C, P2P) of SCCs, there is only one form of SCCs to be used in the PRC. Organisations should now revisit their data processing arrangements with their third-party vendors or partners for the purpose of incorporating the SCCs into their agreements (as applicable).

3. The SCCs and the relevant privacy impact assessment (PIA) report must also be filed with the CAC within 10 working days after the SCCs come into effect. This documentation should be filed with the local provincial branch of the CAC.

4. The PIA undertaken in relation to cross-border data transfers requires assessment of the “scale” of transfer. The SCC Rules now clarify that organisations should undertake the PIA which should assess, among other things, the “scale”, scope and types of personal data, sensitivity of data and potential risks to the individuals in respect of the cross-border transfer. This removes the previous requirement in relation to an assessment regarding the “quantity” of personal data to be transferred outside the PRC.

5. Organisations may be required to amend the existing SCCs/sign a new SCC and carry out a new PIA in certain circumstances. These include: (a) any change to the data processing activities (e.g. purpose of transfer, scope, types of data, storage location etc.); (b) change in privacy laws in the importing / destination jurisdiction; or (c) other circumstances which may affect the rights and interests of individuals. This requirement will invariably add a layer of administrative burden from a contract management perspective.

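Organisations that process the personal information of natural persons within the People's Republic of China will now have a clearer understanding of how to lawfully carry out exports of personal information from China.

The Cyberspace Administration of China (the “CAC”) recently published the Rules on Standard Contracts Regarding Export of Personal Information (the “SCC Rules”), and attached the final template of the standard contract (the “SCCs”; please see the attachment).

The SCCs will take effect on 1 June 2023, and the relevant personal information processors must complete the rectification of any non-compliant items before 1 December 2023.

Our preliminary summary of the key points of the SCC Rules is as follows:

1. The previously announced criteria/thresholds that allow personal information to be exported by signing the SCCs still apply. In summary, a personal information processor may provide personal information overseas by entering into the SCCs if it meets all of the following conditions at the same time:

  1. the personal information processor is not a critical information infrastructure operator;

  2. the personal information processor processes the personal information of fewer than 1 million individuals;

  3. since 1 January of the previous year, the personal information processor has cumulatively provided the personal information of fewer than 100,000 individuals overseas; and

  4. since 1 January of the previous year, the personal information processor has cumulatively provided the sensitive personal information of fewer than 10,000 individuals overseas.

If any of the above conditions is not met, the personal information processor must pass a CAC-led security assessment before providing personal information outside China (the rectification period applicable to the security assessment expired earlier this week, on 1 March 2023). The SCC Rules specifically emphasise that personal information processors must not split the number of data subjects when exporting information in order to evade the obligation to pass the aforesaid CAC-led security assessment.

2. Unlike the EU, which has issued standard contracts applicable to four separate scenarios (i.e. controller to controller, controller to processor, processor to controller, and processor to sub-processor), the Chinese standard contract has only one version. Personal information processors should now re-examine their information processing arrangements with third-party suppliers or partners, with a view to incorporating the SCCs into their agreements as appropriate.

3. Personal information processors must submit the SCCs and the related personal information protection impact assessment report to the CAC within 10 working days after the SCCs take effect. This filing should be submitted to the local provincial-level branch of the CAC.

4. The personal information protection impact assessment carried out for exported information must assess the scale of the export. The SCC Rules now expressly provide that personal information processors should carry out a personal information protection impact assessment, which should assess, among other things, the “scale”, scope and types of the personal information, the sensitivity of the information, and the risks that the export may pose to individuals. Compared with the previous draft for comments, this removes the requirement to assess the “quantity” of personal information exported.

5. In certain circumstances, organisations may need to supplement the existing SCCs or conclude new SCCs, and carry out a new personal information protection impact assessment. These include: (a) any change in the information processing activities (e.g. the purpose of the export, scope, types of information, storage location, etc.); (b) changes in the personal information protection policies and regulations of the country or region where the overseas recipient is located; or (c) other circumstances that may affect personal information rights and interests. From a contract management perspective, this requirement will inevitably increase the administrative burden.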