China Measures for Standard Contracts for the Exit (Export) of Personal Information 2023

Data protection has emerged as a crucial concern for individuals, companies, and governments alike in today's increasingly digital world. The threats and difficulties posed by protecting it are increasing at an unprecedented rate, along with the volume of data being produced and exchanged. As a result, new laws, rules, and technologies are fast emerging to solve these issues, changing the data protection environment. Organizations of all sizes face major problems as a result of the continuously evolving data protection landscape. To stay compliant with regulations and protect their data from cyber threats, they must stay on top of the most recent advancements.

The National Internet Information Office of China issued the Measures for Standard Contracts for the Exit (Export) of Personal Information (“SCCs Regulations or SCCs”) on 24th February 2023. The SCC Measures provide one the mechanisms for the cross-border transfer of personal information alongside Security Assessment Measures (“Assessment Measures”) and Cross-border Certification Guidelines (“Certification Guidelines”) as stipulated by Article 38 of Personal Information Protection Law (PIPL) of China.

The SCCs came into effect on 01 June 2023 and organizations have a 6-month grace period till 30 November 2023 to ensure that their data transfer activities are in compliance with the SCC Regulations. To further help with understanding the SCCs, the National Internet Information Office of China also released accompanying FAQ guidance.

Additionally, the Cyberspace Administration of China (CAC) also published Guidelines for the Recording of Standard Contracts for Exporting Personal Information (“SCC Guidelines”) on 30th May 2023 which came into effect along with the SCCs. Particularly, the SCC Guidelines require personal information processors to submit specific materials when filing a standard contract. These materials include a photocopy of the unified social credit code certificate, a photocopy of the legal representative's ID card, a signed power of attorney template, a letter of commitment, the standard contract, and a completed Personal Information Protection Impact Assessment (PIPIA), and also provide templates for each of these documents.

Scope

The SCC Regulations control the export of personal information from China to an overseas recipient. In particular, these regulations outline the terms, conditions, and filing requirements of standard contracts, present a sample standard contract, and provide comprehensive guidelines for the transfer of personal information abroad.

Applicability

Personal information exit activities can only be carried out after the standard contract takes effect and therefore, organizations/data exporters must adopt standard contracts as per the SCCs Regulations.

Businesses adopting the standard contracts must fulfill all of the following criteria:

• Non-critical information infrastructure operators;
• Processing personal information of less than 1 million people;
• A total of less than 100,000 personal information has been provided abroad from January 1 of the previous year;
• If less than 10,000 sensitive personal information has been provided abroad from January 1 of the previous year.

It is important to note that organizations exporting the data (“data exporter”) are not allowed to segment/split the data volume to avoid the security assessment conducted by the CAC by concluding standard contracts. If the organizations/data exporters process the personal information of more than 1 million individuals or send personal information or sensitive personal information of more than 100,000 or 10,000 individuals respectively, then Assessment Measures must be adopted.

Procedure

The personal information exit activities will only be carried out once the standard contract has been concluded between the data exporter and the overseas recipient. Before the transfer of personal information belonging to a data subject outside of China, both data exporter and overseas recipients must ensure that they have assessed the type, scope, sensitivity or personal information and the scale and frequency of transfer. If previously any cross-border transfer took place with the same recipient, must make a note of any security incidents that occurred. Additionally, the organization and the recipient must take into account the policies, rules and regulations of the region the overseas recipient is located and if the recipient is part of any global or regional organization in relation to personal data protection. This would help assess the mechanisms under the regulatory or legal framework in the recipient country/region for the protection of personal information.

Organizational Responsibilities under SCCs Regulations

Article 6 of the SCCs stipulates that the standard contract must strictly be in accordance with the Model Standard Contract for Personal Information Exit (“Model Contract”) provided in the Annexure of SCCs Regulations. The overseas recipient may have additional conditions for the transfer of personal information, but these conditions should not be in conflict with the “Model Contract”. Additionally, it lays down a number of responsibilities for the data exporters, processors and overseas recipients.

Obligations of the Data Exporter

When handling personal information, data exporters must comply with relevant laws and regulations. In addition to this, the principle of data minimization should be followed while sharing personal information with recipients abroad. If consent is being used as the legal basis for the transfer of personal information outside of China, then it is important to obtain it from the data subject or their parent or guardian if the data subject is under 14 years of age.

The data subject should also be informed of certain information about the overseas recipient, such as their name, contact information, the type of personal information that will be shared, the purpose of handling personal information, the retention periods, and the procedure for exercising data subject rights. If sensitive personal information is being shared with the overseas recipient, it is important to explain the purpose of doing so and any potential impact on the individual's rights and interests. Finally, a copy of a standard contract should be provided to the data subject upon request.

1. Security:

Data exporters must ensure that the overseas recipient takes appropriate technical and administrative measures to protect the personal information being transferred. These measures can include encryption, anonymization, de-identification, access control, and other security protocols. Organizations must also provide the overseas recipient with copies of legal and technical standards upon request to ensure that they have a clear understanding of their obligations in handling the personal information.

2. Impact Assessments:

SCCs require data exporters to conduct an impact assessment (DPIAs) prior to making any transfer of personal information abroad. DPIAs should address:

• legality, legitimacy and necessity of the purpose, scope and method of personal information processing;
• management, technical measures and capabilities adopted by the overseas recipient to ensure the safety of personal information abroad;
• scale, scope, type and sensitivity of the outbound personal information and associated risks;
• risk of tampering, destruction, leakage, loss and illegal use of personal information after leaving China and whether or not the channels for safeguarding the rights and interests of personal information are unrestricted; and
• impact of personal information protection policies and regulations of the recipient country.

Organizations must file the DPIA and the standard contract with the local provincial network information department within 10 working days from the effective date of the standard contract.

The local network information department may ask the businesses to re-conduct the DPIA or supplement or re-contract the standard contract if:

• there occurs any change to the purpose, scope, type, sensitivity, method, place of deposit or the purpose and method of handling personal information by the overseas recipient;
• there is any change to the personal information protection policies and regulations of the recipient country that may impact owners of personal information;
• Other circumstances that may affect the rights and interests of owners of personal information.

Obligations of Overseas Recipient & Entrusted Entity

The SCCs Regulations require the overseas recipient to fulfill the same obligations as the data exporters in certain areas. This includes obtaining consent from the data subject or, in the case of a child, their parent or guardian, handling personal information in a way that has the least impact on the rights and freedoms of individuals, and providing a copy of the standard contract to the data subject.

Apart from this, when a data exporter entrusts personal information handling to another entity (“entrusted entity" or more commonly “processor”), such an entity must ensure that the purpose and manner of handling personal information does not exceed the original agreed purpose.

1. Record-Keeping Requirement

Overseas recipients must provide the data exporter with information and documentation to demonstrate compliance with the obligations under the standard contract. Objective record of personal information processing activities must be maintained for at least 3 years.

2. Notification Requirement

Overseas recipients are required to notify the organization/data exporter located within China if any of the following circumstances arise:

• in case of any change in the regulations or policies of the region or country due to which overseas recipients cannot fulfill the obligations under the standard contract;
• if the government department or judicial body of the recipient country/region requests for the provision of personal information under the standard contract.

The notification under SCCs Regulation must be transmitted to the specified address by email, telegram, telex, facsimile, registered airmail, or written notice to a different address from that address. If the notice is sent through registered airmail, it will be considered received one day after the postmark date. If you send a notice via email, telegram, telex, or facsimile, it will be considered received one business day after it is delivered.

3. Security and Confidentiality

It is important to handle personal information in a secure manner by adopting appropriate technical and administrative measures and conducting regular security checks. This includes ensuring that the persons authorized to handle the personal information fulfill confidentiality obligations. To achieve this, the overseas recipient must establish minimum authorized access control permissions. Additionally, personal information should be stored for the minimum period necessary to achieve the purpose of processing.

If personal information is given to a processor and the entrustment contract is no longer effective, or has been rendered invalid, revoked or terminated, then the personal information should be returned to the data exporter/organization or deleted along with a written explanation. If deletion is not technically possible, then the personal information must not be processed and should be stored in a secure manner.

4. Breach

In the event of a breach of personal information, including falsification, destruction, leakage, loss, unlawful use, unauthorized provision, or access, the entrusted entity or the overseas recipient must adopt the following procedures:

• Firstly, take remedial measures to mitigate the impact on the data subject. This may include stopping the breach, preventing further unauthorized access, and notifying affected parties.
• Secondly, immediately notify the data exporter and regulatory authorities of the details of the breach, including the mitigation measures taken, any relevant action that can be taken by the data subject, and the contact details of the person handling the situation. Overseas recipients are required to document and retain all information relating to the breach, including the remedial measures taken.

5. Sharing with Third Parties

Personal information may be disclosed to a third party outside of China under certain conditions. First, there must be a legitimate business need for doing so. Additionally, the data subject must be informed about the third party's name, contact details, the purpose and manner of processing, the type of personal information to be processed, the retention period, and the procedure for exercising their data subject rights.

If sensitive personal information is involved, the data subject must be informed of the necessity of such disclosure and any potential impact on their rights and interests, unless otherwise provided by law or regulations. If the disclosure is based on the data subject's consent, such consent must be obtained, or the parent or guardian's consent if the data subject is under 14 years of age.

Furthermore, a contract must be concluded with the third party to ensure their compliance with China's data protection laws, and that the third party will be held liable for any violation of the data subject's rights. The data subject must be provided with a copy of this contract.

6. Automated-Decision Making

The overseas recipient must ensure that transparency is maintained in the decision-making process, and the results must be fair and equitable in case of automated decision-making. Additionally, data subjects must not be subjected to unreasonable differential treatment when it comes to transaction prices, etc. This means that automated-decision making should not generate results that discriminate against data subjects based on their specific characteristics.

The data subject must be given the option to opt-out or a convenient way to refuse the use of their personal characteristics if commercial marketing is conducted through automated decision-making.

Protections to Data Subjects

The data subject is a third-party beneficiary and, unless he/she specifically objects within 30 days, and may use his/her third-party beneficiary rights under the terms of the standard contract. SCC measures stipulate that the data subjects have the following rights with regard to the transfer of his/her personal information outside of China:

1. Right to be informed and decide on how their personal information is handled;
2. Right to refuse or restrict the handling of their personal information;
3. Right to access and copy;
4. Right to rectify & update;
5. Right to deletion;
6. Right to request an explanation of rules of handling the personal data;

Whenever a data subject requests to exercise a certain right, the data exporter/organization and the overseas recipient must take measures to fulfill such request. The requested information must be made available by the overseas recipient to the data subject in an understandable and clear language in a true, accurate and complete manner. If the overseas recipient is unable to fulfill the request, it must provide the reasons for doing so.

Complaint Mechanism

The overseas recipient needs to appoint an authorized person to overlook the personal information handling activities and provide contact details of such a person to both the data exporter as well as the data subject. These details must be provided in an accessible and easy to understandable manner through a notice or a website.

Breach, Liability & Termination

Each party will be liable for any loss or damage caused to the other party as a result of a breach of the standard contract. Moreover, if the breach of the contract adversely impacts the rights and freedoms of the data subjects, the party responsible for the breach will be liable to bear any civil, or legal responsibility. If both parties are jointly or severally liable, then the data subject can request for both parties to assume responsibility for the breach.

The organization/data exporter can terminate the contract and accordingly inform the supervisory/regulatory authority of the termination of the contract or suspension of the provision of personal information to the overseas recipient:

• if there is any change to the laws, policies or regulation of personal information protection in the overseas recipient country/region;
• violation of this contract by the overseas recipient.

When the contract is terminated, the overseas recipient must delete or return all personal information to the data exporter/organization.

Dispute Resolution

The creation, validity, execution, interpretation, and any dispute between the parties arising out of this contract shall be governed by the applicable laws and regulations of the People's Republic of China.

If the data subject has any reservations with regard to the handling of his/her personal information with either the data exporter or overseas recipient, both parties should work together to resolve the matter. If the matter is not resolved amicably, then the data subject can either exercise his/her rights via a:

• complaint to a regulatory body; or
• through a competent court having jurisdiction within China; or
• through an arbitration institution based within China.

How Securiti Can Help

Companies that transfer personal information out of China should comply with the Measures for Standard Contracts for the Exit (Export) of Personal Information by:

• Conducting a risk assessment: Companies should assess the risks associated with the transfer of personal information, including the security and protection of the personal information, the level of data protection provided by the recipient's country or region, and the potential impact on individuals.
• Selecting a contract template: The CAC has published a standardized contract template that companies can use to comply with the SCCs. Companies can also develop their own contract template, but it should include all the required provisions as set out in the template.
• Implementing and monitoring compliance: Companies should implement the measures set out in the contract and monitor compliance with the contract provisions, including regular reviews and audits and regularly update the contract as necessary to reflect changes in the business or regulatory environment.

Securiti brings all the critical controls as discussed above under one roof with Data Command Center. The Data Command Center solution enables organizations to effectively comply with China’s Measures for Standard Contracts for the Exit (Export) of Personal Information, manage their sensitive data discovery, access governance and intelligence, conduct secure cross-border data transfers and optimize the entire process via a common data command center.

Request a demo to see Securiti in action.