Standard contracts for cross-border data transfers

published on 4 August 2022

by Felix Engelhardt

This article is the second part of the article series Cross-border Data Transfer in China and is dedicated to standard contracts for cross-border data transfers.

Data regulation in China is advancing at an incredible speed compared to most countries in the world, but at the same time still raises numerous questions for data-processing companies. Many important aspects are insufficiently regulated by the relevant laws and do not serve as a reliable basis for the lawful handling of data of all kinds.

This includes, in particular, the transfer of data between China and abroad, which is essential in international business transactions. For data relating to individuals (so-called "personal information"), Article 38 of the Personal Information Protection Law ("PIPL") contains a catalogue of circumstances under which a cross-border transfer is permitted. These are:

passing a security review organized by the Cyberspace Administration of China ("CAC");
certification by an accredited organization in accordance with relevant regulations of the CAC;
entering into a contract with the overseas data recipient in accordance with the standard contract published by the CAC;
other provisions in Chinese laws, regulations or in accordance with the rules of the CAC.

International agreements and treaties on cross-border data transfer applicable to China may also provide for special rules, but these are currently lacking.

For the security assessment under Article 38(1) PIPL, the CAC issued the Outbound Data Transfer Security Assessment Measures on 7 July 2022, which will come into force on 1 September 2022. We introduce these measures in detail in the third part of our article series. A recently published guideline, which was the subject of the first part of this series, is substantially related to Article 38(2) PIPL (certification by an accredited organization).

In this second part, we would like to take a look at the draft Provisions on the Standard Contract for Outbound Cross-Border Transfer of Personal Information ("Provisions") published by the CAC on 30 June 2022, which serve to implement Article 38(3) of the PIPL (Standard Contract) and are practically the most significant for most companies operating in China and their international data transfers.

Provisions on the Standard Contract for Outbound Cross-Border Transfer of Personal Information

The draft Provisions, on which comments can be submitted until 29 July 2022, are composed of four parts:

the general provisions of the regulations concerning the prerequisites, the necessary content of the standard contract, reporting obligations, complaint channels and methods as well as liability issues;
the standard contract specified by the CAC;
Annex I to the standard contract concerning the specific circumstances of the respective data transfer; and
Annex II to the standard contract, in which the parties can make further agreements.

In order to be allowed to transfer personal information abroad on the basis of a standard contract, the transferor must meet the following requirements:

Not be an operator of so-called critical information infrastructure ("CIIO");
Processing of personal information of less than 1 million individuals;
Cross-border transfer of personal information of less than 100,000 individuals in total since 1 January of the previous year;
Cross-border transfer of sensitive personal information of less than 10,000 individuals in total since 1 January of the previous year.

If one of these requirements cannot be met, i.e. the transferor exceeds the thresholds or qualifies as a CIIO, it is mandatory to conduct an official security assessment in accordance with the Outbound Data Transfer Security Assessment Measures before exporting the data.

The Provisions repeat the duty of the transferor, already regulated in the PIPL, to carry out a personal information protection impact assessment before transferring the data abroad, which must comprehensively determine the risk of the transfer for the rights and interests of affected individuals.

In terms of content, the draft Provisions stipulate that the standard contract must contain clauses on at least the following points:

General information of the contracting parties (such as name, address, contact person, etc.);
Purpose, scope, types of data, number, method of transfer, duration of storage, storage location, etc.;
Responsibilities and obligations of the parties as well as existing technical and organizational measures to limit risks;
Impact of national law in the recipient's country on compliance with the provisions in the standard contract;
Rights of the individuals concerned as well as on how they can exercise these;
Remedies, contract termination, liability, dispute resolution.

In addition, the parties may agree on further points concerning personal information protection or data security, as long as these do not contradict the provisions in the standard contract. However, the actual transfer of the personal information may only take place after the standard contract concluded with the recipient has come into force.

An important feature and significant difference to standard contractual clauses under the GDPR is the obligation of the transferor to submit the standard contract concluded with the recipient to the competent supervisory authority at provincial level within 10 days of its entry into force. Furthermore, this also applies to the personal information protection impact assessment report. Although this does not constitute a registration procedure requiring official approval, it will probably have the effect that the CAC will know which companies transfer personal information abroad and in this respect further monitoring and official intervention cannot be ruled out. In addition, failure to notify the authority, or not notifying it in a timely manner, or not notifying it accurately, may trigger liability on the part of the transferor.

In the event of significant changes to the data transfer itself (e.g. purpose, scope, type of data, etc.) or to the situation in the recipient's country, it is mandatory to conclude a new standard contract in accordance with the draft Provisions and to notify the competent authority. In addition, the authority may require the transferor to immediately cease all transfer operations based on the standard contract, should the transfer no longer meet the security requirements from the standard contract as well as the relevant laws (especially the PIPL).

Our opinion and recommendations

The fact that, after a long period of uncertainty, a first draft concerning standard contracts has finally been published is basically to be welcomed. Many of the aspects contained in the Provisions or the attached standard contract come as no surprise, especially for those companies that have already established a well-functioning management system for data protection and cross-border data transfers. However, it should not be assumed without checking, especially when using the standard contractual clauses according to the GDPR, that data transfers out of China should be possible without any problems. By carefully comparing the respective regulations under EU and Chinese law, discrepancies can be identified and resources can be deployed where differences may lead to an increased risk of damage or liability.

It now remains to be seen whether and to what extent the CAC will take into account the comments received on the draft Provisions. Until the final version is published, the Provisions in their current form already provide very useful guidance for drafting and negotiating appropriate contracts with data recipients abroad.

In the last part of this series, we take a look at the Outbound Data Transfer Security Assessment Measures, which will come into force on 1 September 2022 and introduce specific regulations on regulatory security assessment for particularly sensitive data export scenarios.