China Issues Guidance on Filing of the Standard Contract for Cross-Border Transfers of Personal Information
On May 30, 2023, the Cyberspace Administration of China ("CAC") issued the "Guidance on Filing the Standard Contract for the Cross-Border Transfer of Personal Information" ("Guidance"), which took effect on June 1, 2023.
The Guidance provides key details on the requirements and filing procedures for the Standard Contract ("SC") under the "Measures on the Standard Contract for the Cross-Border Transfer of Personal Information," which also took effect on June 1, 2023.
The SC may be used for cross-border transfers of personal information ("PI") from China if the PI handler is not required to undergo a security assessment due to the volume or nature of PI being transferred.
The PI handler must file the SC and required supporting documentation with the provincial level CAC within 10 working days from the effective date of the SC.
The Guidance contains templates of the required supporting documentation for the filing including:
- The PI protection impact assessment ("PIPIA") which requires a significant level of detail on all aspects of the cross-border processing activities; and
- A letter of commitment from the PI handler confirming, among other matters, that all PI handling is in compliance with Chinese law, the submitted materials are accurate and complete, and the PIPIA was completed within three months before the date of filing and there have been no material changes since its completion.
Although CAC approval is not required under the Measures, the Guidance states that CAC will review all filings and has discretion to reject them before accepting the filing. If the filing is rejected, CAC must provide reasons and may request supplemental materials. There is no appeal process if the filing is ultimately rejected. The CAC review will likely be focused on ensuring the completeness of submissions, but the Guidance opens the door for a more substantive review.
There is a grace period of six months until December 1, 2023, for companies to bring their cross-border transfers into compliance. Companies that fail to comply will be subject to penalties under the Personal Information Protection Law, which could include substantial fines and suspension of all PI transfers.
Companies that have not already done so should immediately review their existing China PI transfer arrangements in light of the Measures and the Guidance so as to avoid disruptions to their PI transfers.