Standardizing Cross-Border Transfer of Personal Information in China

The Chinese government, since enforcing the PRC Data Security Law in June 2021, is progressing towards a functional supervision system for outbound personal data transfers. Under the PRC Personal Information Protection Law (PIPL), the standard contract approach is emphasized for such transfers.

On February 24, 2023, the Cyberspace Administration of China (CAC) released the Measures and final version of the Standard Contract for Outbound Cross-border Transfer of Personal Information, effective from June 1, 2023.

Like the EU GDPR Standard Contract, PIPL's Standard Contract applies to outbound personal data transfers not requiring a security assessment under China’s PIPL.

Applicability of the Standard Contract
The Standard Contract applies for cross-border transfers of personal data managed by a personal information processor (PI processor) meeting specific criteria, including handling personal information of fewer than 1 million individuals, and transferring abroad the personal information of fewer than 100,000 individuals since the beginning of the previous year.

Given these criteria, the Standard Contract approach mainly benefits small or medium-sized enterprises conducting minor cross-border transfers of personal data.

Steps for Standard Contract Adoption
The adoption process involves:

• Impact assessment: A Personal Information Protection Impact Assessment (PIPIA) must be carried out before transferring personal information abroad.
• Contract signing: The PI processor and the overseas recipient mutually agree and sign the Standard Contract, which can't be altered or deleted.
• Regulatory filing: The PI processor must file with the provincial CAC within 10 working days of the Standard Contract's effective date, submitting the signed standard contract and the PIPIA report.
• Follow-up: Any change in the transferred personal data's characteristics requires a new PIPIA and contract update or execution.

Companies have a six-month grace period, ending November 30, 2023, to comply with these requirements.

Observations and Recommendations
The Standard Contract Approach, owing to its shorter timeframe, provides a convenient option for small to medium-sized companies to comply with administrative requirements on outbound personal information transfer.

Eligible companies should update their data processing agreements and personal information protection impact assessment reports before the grace period ends and submit these to Chinese authorities to ensure ongoing or future cross-border transfers of personal information comply with PIPL.

In May 2023, MAZDA MOTOR (CHINA) Co., Ltd. and Sephora (SHANGHAI) Cosmetics Co., Ltd. became the first Shanghai companies to pass the security assessment of outbound cross-border personal data transfer. The enforcement of the Standard Contract approach is expected to facilitate more such successful transfers.