On 30 June 2022, the Cyberspace Administration of China (“State Internet Information Department” or “CAC”) issued the Draft Provisions on Standard Contracts for the Export of Personal Information (“Draft Provisions”) for public consultation. The deadline for feedback is 29 July 2022.
The Draft Provisions contain a draft Standard Contract for the Export of Personal Information (“Standard Contract”). The Standard Contract consists of nine articles and two appendices.
This article provides an in-depth analysis of the articles in the Draft Provisions and their potential impact on multinational companies.
Provisions on Standard Contract on the Export of Personal Information (Draft for Public Consultation)
Article 1: These Provisions are formulated on the basis of the “Personal Information Protection Law of the People’s Republic of China” so as to standardise personal information export activities, protect personal information rights and interests, and promote the safe and free flow of personal information across borders.
Article 2: Where personal information processors conclude contracts with overseas recipients to provide personal information outside the territory of the People’s Republic of China in accordance with subparagraph (3) of the first paragraph of Article 38 of the “Personal Information Protection Law of the People’s Republic of China”, they shall follow these Provisions to sign a standard contract for the export of personal information (hereinafter referred to as “Standard Contracts”). Other contracts concluded between the personal information processor and the overseas recipient related to the outbound activities of the personal information shall not conflict with the standard contract.
Analysis of Articles 1 and 2:
1. Articles 1 and 2 explain the purpose and legal basis for formulating the Draft.
2. Article 2 provides: “Other contracts concluded between a personal information processor and an overseas recipient related to the outbound activities of personal information must not conflict with the Standard Contract.”
3. This means that, in addition to signing the Standard Contract with an overseas recipient, a Chinese enterprise that chooses to use a Standard Contract also needs to:
a) check other contracts it has signed with the overseas recipient related to the export of personal information to ensure that they do not conflict with the Standard Contract, and supplement or modify such other contracts according to the actual situation; and
b) clearly state in other contracts that in the event of a conflict with the terms of the Standard Contract, the Standard Contract prevails.
Article 3: Those carrying out personal information export activities on the basis of standard contracts shall adhere to a combination of independent contracting with file management to prevent security risks to the export of personal information and ensure the orderly and free flow of personal information in accordance with the law.
Analysis of Article 3:
1. According to the expression “independent contracting” in Article 3, signing a Standard Contract is not a mandatory legal obligation. However, enterprises should note that for all data export paths permitted under Article 38 of the Personal Information Protection Law (“PIPL”), Chinese enterprises and overseas recipients must either sign (i) Standard Contracts, (ii) other similar contracts or (iii) legally binding and enforceable documents. See our analysis of Articles 4 and 5 below for details.
2. For the “file management” requirement, see our analysis of Article 7 below.
Article 4: Where personal information processors meet all the following criteria, they may provide personal information overseas by signing a standard contract: (1) Non-critical information infrastructure operators; (2) Handling less than 1 million persons’ personal information; (3) Cumulative provision of personal information of less than 100,000 people overseas since 1 January of the previous year; (4) Cumulative provision of sensitive personal information of less than 10,000 people outside the country since 1 January of the previous year.
Analysis of Article 4:
- Under Article 4, a processor of personal information who meets the relevant requirements “may”, as opposed to “must”, sign a Standard Contract to legalise the export of personal information. This is because Article 38 of the PIPL stipulates several different legal paths for personal information to leave China. They include:
(1) Critical information infrastructure operators and personal information processors handling personal information that reach the number of personal information processors provided for by the state network information departments for outbound conduct shall pass a security assessment organised by the state network information departments;
(2) Conduct personal information protection certification through professional bodies in accordance with the provisions of the state network information departments;
(3) Conclude a contract with an overseas recipient in accordance with a standard contract formulated by the State Internet Information Department, stipulating the rights and obligations of both parties;
(4) Other requirements provided for by laws, administrative regulations, or the State Network Information Department.
- According to the above provisions, Chinese enterprises that are not “critical information infrastructure operators and personal information processors who process personal information to the amount prescribed by the State Internet Information Department” may (i) sign the Standard Contract or (ii) obtain personal information protection certification through a professional body to transfer personal information overseas.
- Therefore, for Chinese enterprises that choose path (ii), signing a Standard Contract is not required. However, it should be noted that although a Chinese enterprise that chooses path (ii) does not need to sign a Standard Contract, it will still need to sign a “legally binding and enforceable document” with the overseas recipient in accordance with the Technical Specification for the Certification of Cross-border Processing Activities of Personal Information, which was officially issued by the National Information Security Standardization Technical Committee (also known as TC260) on 24 June 2022. Such a document should at least specify the following:
a) Personal data processors and overseas recipients carrying out cross-border personal information processing activities;
b) The purpose of cross-border processing of personal information and the types and scope of personal information;
c) Measures to protect the rights and interests of Personal Information Subjects;
d) The overseas recipient undertakes to comply with the unified rules for the cross-border handling of personal information, and ensures that the level of personal information protection is not lower than the standards stipulated by the relevant laws and administrative regulations of the People’s Republic of China on the protection of personal information;
e) The overseas recipient undertakes to accept the supervision of the certification body;
f) The overseas recipient undertakes to accept the jurisdiction of the laws and administrative regulations of the People’s Republic of China on the protection of personal information;
g) Clearly define the organisations that bear legal responsibility within the territory of the People’s Republic of China;
h) Other obligations stipulated by laws and administrative regulations that shall be
- Article 4 clearly restricts the application of Standard Contracts and prohibits their use in circumstances where:
a) Critical information infrastructure operators export personal information;
b) Personal information processors have processed the personal information of more than 1 million people;
c) The cumulative export of personal information exceeds 100,000 people since 1 January of the previous year; and
d) The cumulative export of sensitive personal information exceeds 10,000 people since 1 January of the previous
- Those circumstances are the personal information export activities of “critical information infrastructure operators and personal information processors who handle the number of personal information specified by the state network information department”, as stated in Articles 38 and 40 of the PIPL. Such transfers should be preceded by an application for a Security Assessment under the Measures for Security Assessment of Data Export (Draft) (29 October 2021) rather than the signing of a Standard Contract.
- Several categories of Chinese enterprises that should apply for security assessments do not need to legalise their personal information exports by signing a Standard Contract. Instead, and according to the Measures for Security Assessment of Data Export (Draft for Comments), they should sign a contract with the overseas recipient that includes but is not limited to the following:
(1) The purpose, method, and scope of data exported, and the purpose and method of processing data by overseas recipients;
(2) The place and period of time for which the data is kept overseas, as well as measures for handling outbound data after the retention period is reached, the agreed purpose is completed, or the contract is terminated;
(3) Restrictive clauses restricting overseas recipients from transferring outbound data to other organisations or individuals;
(4) The security measures that the overseas recipient shall adopt when there is a substantial change in its actual control or business scope, or when the legal environment of the country or region in which it is located makes it difficult to ensure data security;
(5) Liability for breach of contract and binding and enforceable dispute resolution clauses for breach of data security protection obligations;
(6) When risks such as data leakage occur, properly carry out emergency response, and ensure smooth channels for individuals to safeguard personal information rights and interests.
- Article 4 is also consistent with Article 38 of the PIPL, which only stipulates that “personal information processors” may sign the “Standard Contract”. However, it does not explicitly address whether “entrusted processors” under the PIPL can or should sign the Standard Contract. For readers more familiar with the GDPR, “personal information processors” are roughly equivalent to data controllers, while the concept of “entrusted processors” is roughly equivalent to data processors.
- In serving clients, we have observed that some business models involve data transfers from (i) a Chinese personal information processor to (ii) a domestic entrusted processor to (iii) an overseas sub-processor. Domestic personal information processors and domestic entrusted processors often disagree over which party should sign the Standard Contract with the overseas sub-processor.
- We believe domestic personal information processors should usually bear the primary obligation for signing a Standard Contract containing a clear mechanism describing the parties’ obligations and responsibilities with an overseas subcontractor to enable a domestic entrusted processor to provide data to said overseas subcontractor.
- An alternative approach would be for a domestic personal information processor, domestic entrusted processor and overseas subcontractor to sign a tripartite Standard Contract. However, this would require further clarity regarding the mechanism for domestic entrusted processors to provide data to overseas subcontractors and each party’s contractual obligations and responsibilities.
Article 5: Before personal information processors provide personal information overseas, they shall carry out a personal information protection impact assessment in advance, focusing on the following content: (1) The legality, legitimacy, and necessity of the purpose, scope, and methods of processing personal information by personal information processors and overseas recipients; (2) The quantity, scope, type, and sensitivity of outbound personal information, and the risks that the export of personal information may bring to personal information rights and interests; (3) The responsibilities and obligations undertaken by the overseas recipient, as well as whether management and technical measures and capabilities for performing responsibilities and obligations can ensure the security of outbound personal information; (4) The risk of personal information being leaked, damaged, altered, or abused after leaving the country, and whether the channels for individuals to safeguard personal information rights and interests are unobstructed, and so forth; (5) The impact of personal information protection policies and regulations on the performance of standard contracts in the country or region where the overseas recipient is located; (6) Other matters that might affect the security of personal information leaving the country.
Analysis of Article 5:
- Article 5 refines the requirements for personal information protection impact assessments before exporting personal information under the PIPL by providing additional detail and specification.
- It is worth noting that Chinese enterprises need to assess “the impact of personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of standard contracts”, which is not a small task. Going forward, Chinese enterprises will need to rely more heavily on advice from overseas legal professionals and assistance from overseas recipients.
Analysis of Article 6:
- Article 6 provides an overview of the Standard Contract. Regarding the specific content of the Standard Contract, we will analyse and interpret it separately.
Article 7: Personal information processors shall file a record with the provincial-level internet information department for the area where they are located within 10 working days of the standard contract taking effect. The following materials shall be submitted for filing: (1) standard contracts; (2) personal information protection impact assessment reports. The personal information processor is responsible for the authenticity of the materials filed. After the standard contract takes effect, the personal information processor may carry out personal information export activities.
Analysis of Article 7:
- The Article 7 filing provisions are new legal requirements without any precedent in the PIPL. The Standard Contract and the personal information protection impact assessment report on the export of personal information will need to be filed with the government.
- Considering that many enterprises will need to make filings, national administrative resources are limited, and other factors, filing management within provincial CACs may only consist of formality reviews. Based on informatisation trends in China, the CAC may establish an online filing system to facilitate filings.
Article 8: Where any of the following circumstances occur during the validity period of a standard contract, the personal information processor shall re-sign the standard contract and file it for the record: (1) Where the purpose, scope, type, sensitivity, quantity, method, retention period, storage location, and purpose or method of handling personal information handled by overseas recipients change, or extend the period for personal information to be retained abroad; (2) Where changes in personal information protection policies and regulations in the country or region where the overseas recipient is located may affect personal information rights and interests; (3) Other circumstances that might affect the rights and interests of personal information.
Analysis of Article 8:
- Considering the requirements of Articles 5 and 6 above, the content of Article 8 seems reasonable at face value.
- However, determining whether the “personal information protection policies and regulations of the country or region where the overseas recipient is located” has “changed” and “may affect the rights and interests of personal information” is a big challenge for even the largest multinational enterprises. It seems that Chinese enterprises will be expected to keep abreast of changes in policies and regulations related to overseas personal information protection. This may require them to retain overseas legal professionals on an ongoing basis.
Article 9: Institutions and personnel participating in the filing of standard contracts shall preserve the confidentiality of personal privacy, personal information, commercial secrets, confidential business information, and so forth that they learn of in the course of performing their duties, and must not leak or illegally provide or use them to others.
Analysis of Article 9:
- Some enterprises, especially multinational enterprises, may have concerns about whether the Standard Contract and the personal information protection impact assessment report filing mechanism may cause information leakages. Article 9 seems to be an attempt to pre-empt such concerns.
- The expression “confidential business information” has also appeared in the Measures for the Security Assessment of Data Export (Draft for Public Consultation). How the CAC will define it in practice remains to be seen.
Article 10: Where any organisation or individual discovers that a person handling personal information has violated these Provisions, they have the right to make a complaint or report to the provincial level Internet information department.
Analysis of Article 10:
- Complaints and reports may come from a personal information processor’s (possibly disgruntled) employees or Personal Information Subjects.
- We speculate that, in the future, the CAC could publish lists of enterprises that have completed the filing procedures and that Personal Information Subjects could use such lists to determine whether a personal information processor has fulfilled its filing obligations to make targeted reports.
Article 11: Where provincial-level Internet information departments discover that personal information outbound activities through the signing of standard contracts no longer meet the requirements for security management of personal information export in the course of actual processing, they shall notify the personal information processors in writing to terminate personal information export activities. Personal information processors shall immediately terminate personal information export activities upon receipt of the notice.
Analysis of Article 11:
- As mentioned above, many enterprises may need to make filings, and state resources are limited. As such, filing management by the CAC may only consist of a formality review. However, given the content of Article 11, provincial-level CACs may also adopt methods such as spot checks, focusing on specific enterprises or industries and making investigations based on whistle-blowing leads to conduct targeted substantive reviews of outbound personal information transfers.
Article 12: Where personal information processors follow these Provisions to conclude standard contracts with overseas recipients to provide personal information overseas, and any of the following circumstances occur, the provincial-level Internet information department is to follow the provisions of the “Personal Information Protection Law of the People’s Republic of China” to order corrections within a time limit; Where they refuse to make corrections or harm the rights and interests of personal information, order them to stop activities of exporting personal information, and punish them in accordance with law; Where a crime is constituted, criminal responsibility is to be pursued in accordance with law. (1) Failing to perform filing procedures or submitting false materials for filing; (2) Failing to perform the responsibilities and obligations stipulated in the standard contract, infringing on the rights and interests of personal information, causing harm; (3) Other circumstances affecting the rights and interests of personal information arise.
Analysis of Article 12:
- It is worth noting that a “failure to sign the Standard Contract” is not a violation of these Provisions. However, as discussed above, the legal paths for exporting personal information are limited to those stipulated in Article 38 of the PIPL, which are:
(1) Critical information infrastructure operators and personal information processors handling personal information that reach the number of personal information processors provided for by the state network information departments for outbound conduct shall pass a security assessment organised by the state network information departments;
(2) Conduct personal information protection certification through professional bodies in accordance with the provisions of the state network information departments;
(3) Conclude a contract with an overseas recipient in accordance with a standard contract formulated by the State Internet Information Department, stipulating the rights and obligations of both parties;
(4) Other requirements provided for by laws, administrative regulations, or the State Network Information Department.
- If a Chinese enterprise fails to sign a Standard Contract and fails to meet the requirements of other personal information export routes, it will not be punished for violating the provisions of Article 12. However, it will have violated Article 38 of the PIPL and may need to bear legal liability.
Article 13: These Provisions shall take effect as of
Analysis of Article 13:
- We hope that when the CAC issues the final version of the above provisions, it will fully consider the time required for enterprises to comply with the new regulations (legal analysis, translation, negotiation with overseas recipients, etc.) and provide a reasonable time for enterprises to comply before the official implementation date.