The Cyberspace Administration of China (the “CAC”) released the Guidelines for the Filing of Standard Contracts for Outbound Transfer of Personal Information (First Edition) (the “SCC Guidelines”) on May 30th, 2023. The SCC Guidelines aim to guide personal information processors (the “PI processor(s)”, equivalent to “data controller” under GDPR) in carrying out the filing of standard contracts as required by the Measures on Standard Contract for Outbound Transfer of Personal Information (the “SCC Measures”), which take effect on June 1st, 2023.
The SCC Guidelines specify the application scope, filing methods and procedure, and provide the requirements for filing materials as well as the templates for power of attorney, letter of commitment, standard contract, and personal information impact assessment report.
1. Who can transfer personal information abroad through the conclusion of the standard contract?
A company (the processor of personal information) that meets the following conditions: (a) it is not a critical information infrastructure operator (“CIIO”, in particular, in the industry of public communication and information, energy, transportation, water conservancy, finance, public services, e-government, etc.); (b) it processes the personal information of fewer than 1 million individuals; (c) since January 1 of the previous year, it has cumulatively transferred abroad the personal information of fewer than 100,000 individuals; (d) since January 1 of the previous year, it has cumulatively transferred abroad the sensitive personal information of fewer than 10,000 individuals.
For critical information and the amount of personal information that exceeds the above-mentioned thresholds, the company should conduct an outbound security assessment and should not split the amount of personal information to avoid such a security assessment.
In general, multinational enterprises that have established entities in China or are dealing with Chinese users, clients, suppliers, or Chinese enterprises doing outbound business, and that meet the above-mentioned criteria, are likely to conclude a standard contract in order to carry out their outbound transfers of personal information.
2. What are the materials required to be submitted?
- The standard contract concluded;
- The report of the personal information protection impact assessment;
- Photocopy of the unified social credit code certificate (such as business license, certificate of registration of overseas NGO representative office, etc.);
- Photocopy of the identity document of the legal representative (such as an ID card, passport, or residence permit for Hong Kong, Macao, and Taiwan Residents);
- Photocopy of the identity document of the person designated by the PI processor to handle the filing procedure and the power of attorney of such person;
- Letter of commitment (including a compliance commitment, a commitment not to split the amount of personal information to evade security assessment, a commitment that the personal information protection impact assessment was completed within 3 months before the filing date and that no major changes have occurred up to the filing date, etc.).
3. What is the method and procedure of SCC filing?
PI processors should submit the above-mentioned materials to the local provincial cyberspace administration in both written and electronic form within ten working days from the effective date of the standard contract. The local provincial cyberspace administration should check the materials within 15 working days and notify the PI processor whether the filing result is “pass” or “fail”. If the filing fails, the PI processor might be notified to supplement the filing materials within 10 working days.
4. Does the standard contract remain valid if the filing fails and can the PI processor continue to transfer the personal information abroad?
In general, the SCC filing does not affect the validity of the standard contract by nature.
However, if the PI processor continues to transfer the data abroad without a positive filing result, it may be ordered to make corrections or encounter administrative penalties, such as fines, confiscation of illegal gains, and/or suspension of relevant businesses.
5. When and how to carry out the personal information protection impact assessment?
The personal information protection impact assessment should be completed within 3 months before the SCC filing. Considering that the SCC Measures became effective on June 1st, 2023 with a 6-month grace period for correction, enterprises that intend to conclude the standard contract in order to transfer personal information to their overseas affiliates, clients, or suppliers should initiate the personal information protection impact assessment as soon as possible.
According to the template of the personal information protection impact assessment report attached to the SCC Guidelines, the report should include the following four parts:
- The summary of the assessment work, including the start and end time of the assessment work and its organizational status, process, and method. If any third-party entity is involved, this should be indicated and the third party should stamp the relevant content.
- The overall situation of the outbound activities, including the basic information of the PI processor (such as the equity structure, actual controller, foreign investment); the business and information systems involved in the outbound transfer of personal information; the status of the personal information to be transferred (such as the platform and data center to store the personal information inbound and outbound); the personal information protection capacity of the PI processor; and the information of the foreign recipient (such as the laws and policies of the foreign recipient’s regions or countries, description of the entire process of the foreign recipient’s processing of personal information).
- The situation of the impact assessment, focusing on the issues and risks found in the assessment, as well as the remedial measures and their effectiveness, such as: the foreign recipient’s obligations, management, and technical measures to perform its obligations, and the impact of the foreign laws and policies on the performance of the standard contract.
- The conclusion of the impact assessment.
In light of the above, the SCC Guidelines seem to impose rather strict requirements on the personal information protection impact assessment and expect a comprehensive and practical report. However, the competent authorities are only given 15 working days to review the SCC filing. Hence, whether such review would be substantive or formal, and the degree of review, remain to be seen in practice or in further normative documents.