New Standard Contractual Clauses for the Cross-border Transfer of Personal Information out of Mainland China

  • Hong Kong
  • Privacy, data protection and cybersecurity - ePrivacy
  • Technology, Media and Telecoms - General

20-07-2022

On 30 June 2022, in connection with the requirements for cross-border transfer of personal information under the Personal Information Protection Law in the PRC (“PIPL”), the Cyberspace Administration of China (“CAC”) published the Draft Rules on Standard Contracts Regarding Export of Personal Information (个人信息出境标准合同规定(征求意见稿)) (the “Draft Rules”). Public consultation on the Draft Rules has commenced and will conclude on 29 July 2022.

Under Article 38 of the PIPL, the adoption of standard contractual clauses (“Standard Contractual Clauses”) between the personal information processor (which is akin to a “data controller” under the GDPR), who transfers personal information to a location outside the PRC, and the offshore recipient, is one of four compliance methods under the PIPL which lawfully facilitate the offshore transfer of personal information from the PRC. The Draft Rules set out requirements relating to the use and applicability of the Standard Contractual Clauses, along with a template data processing agreement with the Standard Contractual Clauses for reference.

Who may use the Standard Contractual Clauses?

Importantly, a personal information processor may only rely on the Standard Contractual Clauses (as one of the four permitted methods) to facilitate cross-border transfer if it satisfies all of the following conditions:

  1. the personal information processor is not a “critical information infrastructure operator”;

  2. the personal information processor processes personal information of less than one million individuals;

  3. since January 1st of the previous year, the personal information processor has transferred personal information of less than 100,000 individuals on a cumulative basis to outside the PRC; and

  4. since January 1st of the previous year, the personal information processor has transferred sensitive personal information of less than 10,000 individuals on a cumulative basis to outside the PRC.

Personal information processors which do not satisfy the above conditions will be required to pass a CAC-led security assessment before they can transfer personal information to outside the PRC.

Standard Contractual Clauses – is it what we expected?

On the one hand, the Standard Contractual Clauses (in the form of the template data processing agreement) set out terms that are commonly seen in the form of standard contractual clauses (or equivalent) of other jurisdictions. For instance, the Standard Contractual Clauses set out:

  • the details of the personal information being processed, including but not limited to purpose of the transfer, scope, type, level of sensitivity, quantity, method, retention period and storage location;

  • the respective responsibilities and obligations of the personal information processor and the offshore recipient, as well as the technical and organisational measures taken to protect the personal information against security risks; and

  • the rights of the data subjects.

On the other hand (and as somewhat expected), the Standard Contractual Clauses also contain provisions which specifically implement principles unique to the PIPL or PRC data privacy regime, such as:

  • unlike the EU Standard Contractual Clauses which adopt four modules (namely, controller to controller, controller to processor, processor to sub-processor and processor to controller) based on the parties’ data processing roles, there is only one form of Standard Contractual Clauses to be entered into by and between the personal information processor and an offshore recipient (who may act either as the personal information processor or entrusted party (which is akin to “processor” under the GDPR));

  • the personal information processor is expressly required to carry out a data protection impact assessment (“DPIA”) prior to the transfer of personal information, which should be retained for at least 3 years;

  • the offshore recipient is expressly required to keep objective records of the personal information processing activities carried out, and retain such records for at least 3 years; and

  • where the offshore recipient will use personal information in connection with automated decision making, it warrants not to apply unreasonable differential treatment to individuals, such as adopting processes and means which may result in different pricing terms applying to different individuals.

How should the Standard Contractual Clauses be used?

Under the Draft Rules, the Standard Contractual Clauses shall be used in the following manner:

  1. before personal information is transferred to outside the PRC, the personal information processor must enter into the Standard Contractual Clauses with the offshore data recipient;

  2. prior to transferring personal information to outside the PRC, the personal information processor must also conduct a DPIA; and

  3. within 10 working days of the Standard Contractual Clauses coming into effect, a record-filing must be made to the local provincial branch of the CAC. The Standard Contractual Clauses and the DPIA must be submitted.

Following the completion of Steps 1 and 2, personal information may be transferred to outside the PRC.

However, it is important to note that new Standard Contractual Clauses may need to be signed and filed with the CAC (hence, the above steps are then repeated) if one of the following events occurs:

  • there is a change of data processing activities (e.g. purpose of transfer, scope, type, level of sensitivity, method, retention period, storage location, etc.) or extension of retention period of personal information;

  • there is a change of the data privacy laws and regulations of the inbound jurisdiction to which the personal information is transferred, which may impact the rights and interests of individuals; or

  • there are other circumstances which may affect the rights and interests of individuals.

In the event of (i) the personal information processor’s failure to complete record-filing as required, or provision of false materials for record-filing; (ii) the personal information processor’s failure to perform the responsibilities and obligations as agreed in the Standard Contractual Clauses, resulting in an infringement of the rights and interests of the data subjects and causing damage; or (iii) occurrence of other circumstances which affect the rights and interests of the data subjects, the CAC may order the relevant personal information processor to rectify the breach within a specified deadline, failing which the personal information processor may be ordered to suspend the cross-border transfer of personal information, or even be found to have committed a criminal offence.

To read the Draft Rules, please see here (in Chinese language only). To read our previous e-Briefing on obtaining security accreditation for cross-border transfer, which is another compliance method under the PIPL for transfer of personal information outside the PRC, please see here.

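For more information on requirements for the cross-border transfers of personal information, please contact us.

On 30 June 2022, in accordance with the requirements for the cross-border transfer of personal information under the Personal Information Protection Law of the People's Republic of China (the “PIPL”), the Cyberspace Administration of China (the “CAC”) published the Provisions on Standard Contracts for the Export of Personal Information (Draft for Comment) (the “Draft Rules”). Public consultation on the Draft Rules has begun, and the deadline for comments is 29 July 2022.

Under Article 38 of the PIPL, the conclusion of a contract based on the standard contract formulated by the CAC (the “Standard Contract”) between a PRC personal information processor that intends to provide personal information outside the PRC (similar to a data controller under the EU General Data Protection Regulation (GDPR)) and the offshore recipient is one of the four compliance methods that allow personal information to be lawfully transferred outside the PRC. The Draft Rules set out requirements relating to the use and applicability of the Standard Contract clauses, and attach a template personal information processing agreement containing the Standard Contract clauses for reference.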

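To which entities and persons does the Standard Contract apply?

Importantly, only a personal information processor that meets all of the following conditions at the same time may provide personal information outside the PRC by entering into the Standard Contract (that is, one of the four methods that allow information to be lawfully exported):

  1. it is not a critical information infrastructure operator;

  2. it processes the personal information of fewer than 1 million individuals;

  3. since 1 January of the previous year, it has cumulatively provided the personal information of fewer than 100,000 individuals outside the PRC; and

  4. since 1 January of the previous year, it has cumulatively provided the sensitive personal information of fewer than 10,000 individuals outside the PRC.

Personal information processors that do not meet the above conditions must pass a security assessment led by the CAC before providing personal information outside the PRC.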

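Standard Contract clauses: are they what we expected?

On the one hand, the Standard Contract clauses (in the form of a template personal information processing agreement) set out terms that are commonly seen in the standard contractual clauses (or other similar forms) of other jurisdictions. For example, the Standard Contract clauses set out the following information:

  • the specific details of the personal information, including but not limited to the purpose of the export, scope, type, level of sensitivity, quantity, retention period and storage location;

  • the respective responsibilities and obligations of the personal information processor and the offshore recipient, as well as the technical and management measures taken to protect the personal information against security risks; and

  • the rights of the personal information subjects, and the ways and means of safeguarding those rights.

On the other hand, however, and as expected, the Standard Contract clauses also contain provisions that specifically implement principles unique to the PIPL and the PRC data privacy regime, such as the following:

  • unlike the EU Standard Contractual Clauses, which distinguish four scenarios for the cross-border transfer of personal data based on the parties' data processing roles (namely, controller to controller, controller to processor, processor to sub-processor, and processor to controller), only one form of Standard Contract clauses needs to be entered into between the PRC personal information processor and the offshore recipient (who may act as a personal information processor or as an entrusted party (similar to a “processor” under the EU General Data Protection Regulation));

  • the personal information processor is expressly required to carry out a personal information protection impact assessment before providing personal information outside the PRC, and to retain the assessment report for at least 3 years;

  • the offshore recipient is expressly required to keep objective records of the personal information processing activities it carries out, and to retain those records for at least 3 years; and

  • if the offshore recipient will use personal information for automated decision-making, it must represent, warrant and undertake not to apply unreasonable differential treatment to individuals in transaction terms such as transaction prices (for example, by adopting processes and means that may result in different pricing terms applying to different individuals).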

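How should the Standard Contract clauses be used?

Under the Draft Rules, the Standard Contract clauses are to be used for cross-border transfers in the following manner:

  1. before personal information is transferred outside the PRC, the personal information processor must enter into the Standard Contract with the offshore recipient;

  2. before transferring personal information outside the PRC, the personal information processor must carry out a personal information protection impact assessment; and

  3. the personal information processor must make a record-filing with the provincial-level CAC branch for its locality within 10 working days of the date on which the Standard Contract takes effect. The Standard Contract and the personal information protection impact assessment report must be submitted with the filing.

Only after Steps 1 and 2 above have been completed may personal information be transferred outside the PRC. However, please note that if any of the following circumstances arises during the term of the Standard Contract, the personal information processor must enter into a new Standard Contract and file it (hence the above steps need to be repeated):

  • there is a change in the personal information processing activities (for example, the purpose, scope, type, level of sensitivity, quantity, method, retention period or storage location of the personal information provided outside the PRC) or an extension of the period for which the personal information is retained outside the PRC;

  • there is a change in the personal information protection policies, laws or regulations of the country or region where the offshore recipient is located, or a similar change, which may affect rights and interests in personal information; or

  • there are other circumstances which may affect rights and interests in personal information.

If (i) the personal information processor fails to complete the record-filing procedure or submits false materials for the filing; (ii) the personal information processor fails to perform the responsibilities and obligations agreed in the Standard Contract, infringing rights and interests in personal information and causing damage; or (iii) other circumstances arise that affect rights and interests in personal information, the CAC may order the relevant personal information processor to rectify the breach within a specified period. If the personal information processor refuses to rectify, the CAC may order it to stop its personal information export activities, and the personal information processor may even be found to have committed a criminal offence.

To read the Draft Rules, please click here. To read our previous e-Briefing on security certification for cross-border transfers (another lawful route under the PIPL for the cross-border transfer of personal information), please click here.

For more information on the requirements for the cross-border transfer of personal information, please contact us.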