China Finalizes Measures on the Standard Contract for Cross-Border Transfers of Personal Information
On February 24, 2023, the Cyberspace Administration of China ("CAC") issued the long-awaited Measures on the Standard Contract for Outbound Cross-Border Transfer of Personal Information ("Measures").
Under the Personal Information Protection Law ("PIPL"), before transferring personal information ("PI") out of China, PI handlers currently must satisfy one of the following procedural requirements:
- Pass a security assessment ("Security Assessment") by the CAC;
- Obtain a PI protection certification from a CAC authorized institution; or
- Enter into a Standard Contract ("SC") with the data recipient.
The Measures require:
- The parties to use the template SC attached to the Measures. The parties may add provisions as long as they do not conflict with the SC;
- The PI handler to file the SC with the provincial level CAC within 10 business days after the SC becomes effective, together with the related PI risk assessment; and
- Recipients outside of China to notify the PI handler immediately if they receive a request from a foreign government to provide PI transferred under the SC.
Although CAC approval is not required, the CAC has the right to review and require corrections if they consider the PI transfer to be non-compliant.
The SC may only be used if the PI Handler is not required to undergo a Security Assessment due to the volume or nature of data being transferred. The Measures expressly provide that PI handlers may not divide or otherwise structure PI transfers to avoid the requirement for a Security Assessment.
The Measures will become effective on June 1, 2023. There is a further grace period of six months until December 1, 2023, for companies to bring their cross-border transfers into compliance, including those transfers that occurred before June 1, 2023. Companies that fail to comply will be subject to penalties under the PIPL, which could range from correction orders or suspension of PI transfers to financial penalties up to RMB 50 million or up to 5% of the PI handlers' revenue of the previous year.
The Measures will impact almost every organization transferring PI from China. Companies that have not already done so should immediately review their existing PI transfer arrangements in light of the Measures.