The Cyberspace Administration of China (CAC), the country’s internet watchdog, began collecting feedback on the draft provisions with respect to the release of its Standard Contract for Outbound Cross-border Transfer of Personal Information (Standard Contract), which includes guidelines for the use of the Standard Contract for data processors, on June 30, 2022. An unofficial English translation of the contract is also available. The deadline for the submission of public comments is July 29, 2022.

The Standard Contract is linked to Article 38 (3) of the Personal Information Protection Law of the People’s Republic of China; under the article, the conclusion of a personal data transfer contract is one of three options for a data processor that intends to pass personal information to a recipient outside the territory of mainland China. 

Of particular note, not every data processor is qualified to use the Standard Contract option. A personal information processor can only utilize the Standard Contract if it meets all of the following conditions: (1) it is a noncritical information infrastructure operato, (2) it handles the personal information of fewer than one million individuals, (3) it has provided the personal information of fewer than 100,000 individuals in aggregate to overseas recipients since January 1 of the previous year, and (4) it has provided the sensitive personal information of fewer than 10,000 individuals in aggregate to any overseas recipients since January 1 of the previous year.

The Standard Contract is required to include the following clauses: (1) obligations of the personal information processor and the overseas recipient; (2) channels and methods for protecting the rights of the personal information holder; (3) purpose, scope, type, sensitivity, quantity, method, retention period, and storage location of the personal information to be transferred; and (4) impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on the compliance with the terms and conditions of the Standard Contract.

The outbound cross-border transfer of personal information is allowed to proceed after the Standard Contract takes effect. However, the personal information processor is further required to submit the executed Standard Contract and a separate Personal Information Protection Impact Assessment Report (Assessment Report) for filing with the processor’s provincial CAC within 10 working days from the effective date of the Standard Contract. The Assessment Report is required to reflect upon the security practices for the transfer of personal information to an overseas recipient, such as the risk that the outbound cross-border transfer may pose to the rights and interests in personal information and the impact of personal information protection policies and regulations in the country or region of the overseas recipient, on the performance of the Standard Contract.

The CAC is empowered to order remedial measures or to suspend cross-border data transfers for operators that fail to submit the required filings, submit false information to the authorities, or are in breach of the terms and conditions in the Standard Contract, causing any harm to the data rights holder. The CAC is also authorized to refer a matter for criminal prosecution in egregious cases in accordance with the law.

Moreover, personal information processors are subject to monitoring by any organization or individual who may report their violations to the CAC.

© 2022 Perkins Coie LLP