China’s cyber regulator – the Cyberspace Administration of China (CAC) – released the Filing Guidelines on the Personal Information Export Standard Contract (Guidelines) on 30 May 2023, two days before China’s Personal Information Export Standard Contract (Standard Contract, also known as the “China SCCs”) comes into force on 1 June 2023.
Recap on the filing requirements
Under the PRC Personal Information Protection Law (PIPL), entering into the Standard Contract is one of the three key mechanisms to legitimise cross-border transfers of personal information out of China. As summarised in our prior newsletters (here, here and here), organisations planning to rely on the Standard Contract to legitimise their data exports to a third jurisdiction will need to file both their Standard Contracts and reports on personal information protection impact assessments (PIPIA) with their local branches of the CAC, within 10 days from the effective date of their Standard Contracts.
However, before tonight, no guidance was available to clarify how the filing procedure would work and what must be assessed in these PIPIA reports. With the effectiveness of the Standard Contract regime approaching, platforms operating in the cross-border digital economy and multinationals alike have been expecting the CAC to release the Guidelines addressing the numerous questions on how to implement the Standard Contract.
Questions answered
The Guidelines clarify various procedures and formalities required to file a Standard Contract. However, at first glance, some of these requirements appear much more burdensome than anticipated. In particular, the Guidelines suggest that a successful filing would require the CAC’s review and approval, as opposed to a filing automatically being completed on simply submitting all requested documents.
We set out below some key requirements in the filing process specified by the Guidelines.
Required materials for the filing: In addition to the executed Standard Contract and the PIPIA report, a data exporter will also need to submit various associated documents, including copies of:
- its business licence
- the ID document of its legal representative (who is an individual holding this special statutory position under the PRC Company Law rather than a legal professional, to allay a common confusion)
- a power of attorney and ID document of the employee authorised to make the submission (if the data exporter appoints an employee to submit the filing other than its legal representative, a director or a board-approved individual), and
- a letter of commitment from the data exporter.
Procedure of the filing: Set out below is a flowchart describing the filing procedure:
Template of the PIPIA report: Although the Guidelines do not provide a detailed template for organisations to fill in to complete the PIPIA report, an outline of what the PIPIA report must contain is set out in attachment 5 of the Guidelines.
This PIPIA template report appears to largely leverage the existing self-assessment template report that was released in the CAC’s other guidelines for organisations subject to the mandatory data export security assessment regime.
The content of the PIPIA report will no doubt need discussion and buy-in from internal stakeholders before submission. On the one hand, data exporters must consider the level of detail that they are comfortable including. On the other, this requested form implies that data exporters have less flexibility in practice to rely on their existing impact assessment templates and content.
Some multinationals may have envisaged relying on their existing data protection impact assessment (DPIA) templates, which were designed to achieve GDPR compliance. If so, a gap analysis will now be needed between their DPIA and the details prescribed in the Guidelines. Based on our experience in handling the data export security assessment, the CAC expects organisations to strictly follow the structure of the provided template form. If the same approach is taken by the CAC in respect of the PIPIA, most multinational businesses are unlikely to be able to rely on existing collateral on the books of the group.
Questions not answered
Unfortunately, the Guidelines fail to address many key questions that the market has been eager to receive clarification on from the CAC. For example:
- Can an offshore personal information processor subject to the extraterritorial application of the PIPL similarly adopt the Standard Contract?
- Since the current structure of the Standard Contract does not allow a China-based entrusted party (akin to a “data processor” under the GDPR) to use the Standard Contract with its overseas recipients, how does an entrusted party legitimise its necessary transfer activities with overseas recipients?
- Can the Standard Contract be incorporated as part of a wider intra-group data transfer agreement, or must it be separately signed as a standalone agreement?
- Can the Standard Contract be signed among multiple entities, or is only bilateral signature acceptable?
In addition, given that the CACs appear to have been occupied with reviewing data export security assessment applications in the past few months, another question is whether the CACs will have sufficient resources to receive the considerable number of Standard Contract filings from businesses in parallel over the next few months. While there is a “grace period” until 30 November 2023 for data transfer arrangements that are ongoing as of 1 June, the Guidelines do not state that “new” transfers initiated on or after 1 June can continue until the end of November pending confirmation from the CAC that filings have been passed.
Next steps
Although the Standard Contract was anticipated to be a vital and more efficient tool enabling international transfers of personal information out of mainland China, the current filing requirements specified in the Guidelines would seem to place more burden on those operating in China or with Chinese counterparties.
How to lawfully implement the Standard Contract will almost certainly present challenges for all international businesses. Consultations with the CAC will be necessary for many businesses and we expect the hotline provided in the Guidelines may have a “line busy” tone for several days if not weeks, pending more guidance from the authorities.
With the regime taking effect on 1 June, businesses relying on the Standard Contract approach for their exports of personal information from China will need to put processes in place rapidly to meet the grace period deadline and the filing requirements.
We are here to help as always!