(Not So) Standard Contracts? Draft Standard Contracts Finally Released in China
More than nine months after the Personal Information Protection Law (PIPL) came into force in the PRC, the Cyberspace Administration of China (CAC) issued the long-awaited Draft Provisions on Standard Contracts for the Export of Personal Information (Draft Provisions) on 30 June 2022.
The Draft Provisions supplement Article 38(3) of the PIPL, which provides that data controllers may use a standard contract in order to transfer personal information outside of the PRC (SCC Mechanism). A draft standard contract has been annexed to the Draft Provisions (Draft Standard Contract). The deadline for comments and feedback on the Draft Provisions is 29 July 2022.
Application
The Draft Provisions specify the triggers and conditions for when data controllers may rely on the SCC Mechanism[1], which are as follows:
- Operators of non-critical information infrastructure (NCIIOs), i.e. data controllers that are not Critical Information Infrastructure Operators;
- Data controllers processing the personal information of fewer than one million data subjects;
- Data controllers that, since January 1 of the previous year, have exported:
- the personal information of not more than 100,000 data subjects; or
- the sensitive personal information of not more than 10,000 data subjects.
Where the personal information exceeds the stipulated thresholds in the Draft Provisions, or the data controller is a Critical Information Infrastructure Operator (CIIO), the Measures for Security Assessment for Cross-Border Data Transfers (Security Assessment Measures), finalised on 7 July 2022, will apply.
Data controllers should note that the relevant date for determining whether a data controller falls within "threshold 3" (see above) is January 1 of the previous year. Data controllers should therefore pay heed to the volume of personal information they export, particularly in the latter part of the year (e.g., December) as this determines whether they are likely to be caught within this threshold, which essentially applies to the export of data for a period of up to two years.
The Framework for the SCC Mechanism
The Draft Provisions provide the framework for the SCC Mechanism, which includes:
- Conducting an impact assessment of the data export (Article 5);
- Key constituents of the standard contract (Article 6);
- Filing requirements (Article 7); and
- Situations where a new standard contract is required (Article 8).
Impact Assessment of Data Export Risks
The Draft Provisions require data controllers to carry out an impact assessment of data export risks prior to exporting any personal information (Impact Assessment).[2]
The Impact Assessment is to focus on the following:
- The legality, legitimacy, and necessity of the purpose, scope, and methods of data processing by the data controller and foreign recipients;
- The scale, scope, type, and sensitivity of exported data, and the risks that data export may bring to national security, the public interest, or the lawful rights and interests of individuals or organisations;
- The responsibilities and obligations undertaken by the foreign recipient, as well as whether the management, technical measures and capabilities to perform the responsibilities and obligations can ensure the security of exported data;
- The risk that data will be tampered with, destroyed, leaked, lost, transferred, or illegally acquired or used during or after export, and whether channels have been established to safeguard data subjects' rights and interests in their personal information;
- The impact of the policies, laws, and regulations of the foreign recipient's jurisdiction on the performance of a standard contract;
- Other matters that may affect the security of data exported.
This Impact Assessment is substantially similar to the self-assessment conditions prescribed in the recently finalised Security Assessment Measures, and fulfils the requirement under Article 55 of the PIPL for data controllers to conduct a personal information protection impact assessment prior to the export of personal information. The assessment appears to resemble the adequacy assessments required under the European Union’s General Data Protection Regulation (GDPR), which may involve engaging local counsel in foreign jurisdictions to provide an opinion on how the laws in the destination jurisdictions will impact the foreign recipient’s performance of its contractual obligations.
The Standard Contract
The Draft Provisions require the standard contract to contain provisions addressing the following:
- Basic information on the data controllers and foreign recipient, including, but not limited to, their name, address, contact persons, and contact information;
- The purpose, scope, type, degree of sensitivity, volume, methods, storage period, and storage location for personal information and its exportation;
- The responsibilities and obligations of data controllers and foreign recipients for protecting personal information, as well as technical and management measures employed to prevent risks that might be brought by the exportation of the personal information, etc.;
- The impact of the policies, laws, and regulations of the foreign recipient's jurisdiction on compliance with the provisions of the standard contract;
- The rights of the data subjects as well as the procedures and methods for safeguarding the rights of data subjects;
- Remedies, contract rescission, liability for breach of contract, dispute resolution, etc.[3]
However, some articles of the Draft Standard Contract appear to go beyond the requirements set out in the Draft Provisions (and the PIPL), and include obligations for:
- Both data controllers and foreign recipients to provide data subjects with a copy of the standard contract upon request[4];
- Foreign recipients to:
- provide audit reports to evidence their deletion or anonymisation of personal information[5];
- immediately report data breaches to the regulatory authorities in the PRC[6];
- allow the data controller to access data files and documents, or to audit the processing activities covered by the standard contract[7];
- make objective records of the personal information processing activities carried out, and keep those records for at least three years[8]; and
- Data subjects to be granted third party beneficiary rights that allow them to demand performance of various clauses of the standard contract[9].
The inclusion of these provisions in the Draft Standard Contract imposes additional responsibilities on both data controllers and foreign recipients, and will increase the difficulty of compliance with the PIPL. Questions surrounding the enforcement of compliance with these provisions are also raised; given the imposition of broad-reaching requirements on foreign data recipients, how does the CAC intend to police this and what sort of further obligations will this impose on foreign data recipients?
Furthermore, unlike the GDPR SCCs, or Hong Kong’s Privacy Commissioner for Personal Data’s Recommended Model Contract Clauses, the Draft Provisions and Draft Standard Contract do not distinguish between Controller-to-Controller and Controller-to-Processor cross-border transfers of personal data, which may make certain requirements a hard pill to swallow for foreign recipient data controllers (e.g., audit requirements).
Filing Requirements
The Draft Provisions require data controllers to file executed standard contracts within 10 working days of the standard contract taking effect. Data controllers are required to submit copies of both the agreed standard contract and the Impact Assessment[10].
Validity of Standard Contracts
The Draft Provisions do not provide a specific validity period for standard contracts. However, data exporters are required to sign a new standard contract and re-submit it where there are:
- Changes to the purpose, scope, type, sensitivity, quantity, method, retention period or storage location of exported personal information, or to the purposes and methods by which foreign recipients process the data, or an extension of the period of overseas retention of personal information;
- Changes to the policies, laws or regulations on the protection of personal information in the foreign recipient's jurisdiction that might impact rights and interests in personal information; or
- Other circumstances that may impact rights and interests in personal information.[11]
It is presently unclear how data controllers are expected to reconcile continuing data transfers and the requirement for data controllers to sign a new standard contract when there is a change in the quantity of exported personal information, and whether the CAC will accept the provision of a range of personal information quantities where the data controllers are carrying out cross-border transfers on an ongoing basis.
Rights of Individuals and Local CAC Offices
The local CAC offices are empowered to direct data controllers to terminate cross-border transfers upon discovery of cross-border transfers not complying with the relevant security management requirements[12].
Where data controllers:
- fail to perform filing procedures;
- submit false materials for filing; or
- fail to perform the responsibilities and obligations stipulated in the standard contract, infringing on the rights and interests of data subjects and causing harm,
or where other circumstances affecting the rights and interests in personal information arise, the local CAC office may order corrections, stop cross-border data transfers and/or penalise data controllers in accordance with the PIPL[13]. Interestingly, while the Draft Provisions provide that a failure to file the standard contract is a violation of the PIPL, Article 38 of the PIPL does not require a filing of the standard contract, so more clarity from the CAC is required to reconcile this point.
Conclusion
The long-awaited issuance of the Draft Provisions provides some light at the end of the tunnel of uncertainty surrounding the PIPL. Together with the finalised Security Assessment Measures and the National Information Security Standardisation Technical Committee's Draft Technical Specifications for Certification of Personal Information Cross-Border Processing Activities, they provide much needed clarity on the PRC's rules on cross-border transfers of data.
Nevertheless, as highlighted above, numerous question marks remain, and businesses with a presence in the PRC, as well as those that deal with companies in the PRC, ought to pay close attention to developments in this sphere given the rapid pace of change.
[1] Article 4 of the Draft Provisions.
[2] Article 5 of the Draft Provisions.
[3] Article 6 of the Draft Provisions.
[4] Articles 2(8) and 3(2) of the Draft Standard Contract.
[5] Article 3(4) of the Draft Standard Contract.
[6] Article 3(6)(2) of the Draft Standard Contract.
[7] Article 3(10) of the Draft Standard Contract.
[8] Article 3(11) of the Draft Standard Contract.
[9] Article 2(3) read with Article 5(6) of the Draft Standard Contract.
[10] Article 7 of the Draft Provisions.
[11] Article 8 of the Draft Provisions.
[12] Article 11 of the Draft Provisions.
[13] Article 12 of the Draft Provisions.