To facilitate the implementation of the Measures for the Administration of Standard Contracts for Outbound Transfer of Personal Information (“Standard Contract Measures”) entering force on June 1, 2023, the Cyberspace Administration of China (“CAC”) issued the Guidelines for Record-filing of Standard Contracts for Outbound Transfer of Personal Information (First Edition) (“Standard Contract Guidelines”) on May 30, 2023. The Standard Contract Guidelines aims to assist personal information processors in filing the Standard Contract for Outbound Transfer of Personal Information (“Standard Contract”) in accordance with the Standard Contract Measures.
The Standard Contract Guidelines fleshes out various aspects, such as preparing filing materials, understanding filing procedures, and ensuring inclusion of core contents. To help enterprises better understand and apply the guidelines, we have succinctly addressed ten pertinent questions to facilitate successful preparation for filing the Standard Contract.
1. How should enterprises use the Standard Contract Guidelines to prepare the Standard Contract?
In summary, the Standard Contract Guidelines offers enterprises an extensive and detailed framework for preparing for filing the Standard Contract. The Standard Contract Guidelines explicitly enumerates the requirements related to the scope of application, filing methods, filing procedures, required materials, and Personal Information Impact Assessment (outbound transfer version) (“PIA”), among others.
As we have learned from our practice, enterprises must strictly follow the requirements outlined in the Standard Contract Guidelines and ensure fulfillment of each provision when preparing to file the Standard Contract. Enterprises should take note that the Standard Contract Guidelines serves as the primary reference when the province-level CAC office reviews materials filed in relation to the Standard Contract. For instance, where the Standard Contract Guidelines requires submission of original documents such as the Authorization Letter, the Acknowledgement Letter, and the Standard Contract, enterprises are advised against providing photocopies. Failure to adhere to this guideline may result in the provincial CAC office returning relevant filing materials and requiring the enterprise making such filing to recommence the filling process.
2. How should authorization materials be prepared under the Standard Contract Guidelines?
Similar to the provisions of the Guidelines for the Application of Security Assessment for Outbound Data Transfer (First Edition) (“Self-Assessment Guidelines”), the Standard Contract Guidelines requires personal information processors to prepare the following five categories of authorization materials:
In addition to the formal requirements, our experience has shown that enterprises should pay particular attention to the following key aspects when preparing the authorization materials:
* Ensure consistency across authorization materials. For instance, the Authorization Letter and the Acknowledgement Letter must be signed by the legal representative with a consistent signature style across the two documents. Such consistency helps to avoid any doubts doubt that the CAC may have about the authenticity of the authorization materials, thus preventing the materials from being returned.
* Ensure that the authorization period covers the full duration of the validity period. The authorized person, acting on behalf of a personal information processor, bears a range of responsibilities associated with the Standard Contract, including but not limited to preparing materials, responding to regulatory inquiries, and receiving guidance from the CAC. As such, the authorized person plays a crucial role during the filing process of the Standard Contract, and therefore his or her authorization needs to be intact for the entire duration. To ensure that such authorization remains valid for the entire filing period, we recommend that the authorization period for the authorized person should not be shorter than the validity period specified in the Standard Contract.
* Ensure that the PIA is completed within three months before the filing date. Like the Self-Assessment Guidelines, the Standard Contract Guidelines requires enterprises to complete the PIA within three months before the filing date and make sure that no substantial change occurs before such date. This precaution prevents a disproportionate time lag between the PIA and the filing date, thereby ensuring that the PIA accurately reflects the latest business practices related to the outbound transfer of personal information by enterprises that make such filing.
3. How should enterprises use the Standard Contract template in compliance with the stipulations in the Standard Contract Guidelines?
Enterprises must include the Standard Contract template as part of the required filing materials set forth in the Standard Contract Guidelines. This template must be filled out comprehensively to provide detailed information and clarification about the processing purpose, processing methods, and the total number of individuals whose personal information is subject to the upcoming outbound transfer, all in compliance with the provisions of the Standard Contract Measures.
4. How should enterprises understand the PIA per the Standard Contract Guidelines?
The Standard Contract Guidelines provides a comprehensive PIA template to assist enterprises in preparing the PIA Report for outbound personal information transfer. The PIA template focuses on four mandatory areas of assessment: an overview of the self-assessment procedures, a summary of all outbound activities, an analysis of the proposed outbound operations, and the conclusions drawn from the impact assessment. The Standard Contract Guidelines explicitly requires enterprises to thoroughly assess all aspects outlined in the template. The content of the PIA template largely mirrors that of the Self-Assessment Report, a requisite declaring materials required by the Self-Assessment Guidelines. Based on our previous experience, enterprises should take into account the following considerations when preparing the PIA Report:
* When crafting the Outbound PIA Report, enterprises should follow all the assessment points required by the Standard Contract Guidelines. For instance, when preparing the PIA Report, enterprises should include all pertinent information regarding data centers (including cloud services) involved in the outbound transfer of personal information. As required by the Standard Contract Guidelines, such information should include the names of data centers, their exact addresses, and the corresponding systems used by these data centers to transfer personal information. According to our experience, enterprises often mistakenly believe that they do not have to provide the required information about the data centers when using third-party services like SaaS or Pass, as such data centers are owned not by personal information processors themselves but by third-party service providers. However, such interpretation does not align with the requirements of the Standard Contract Guidelines and should be avoided.
* In following the principle of equal protection and considering the consistency of the regulatory intent, enterprises may seek to enhance their comprehension of the PIA Report by referring to the comprehensive instructions set forth in the Self-Assessment Guidelines. For instance, while the Standard Contract Guidelines requires enterprises to disclose information about outbound transfer data links during the PIA process, it does not specifically explain what should be included in such “data links”. To address this ambiguity, enterprises might consult the Self-Assessment Guidelines, which suggests that descriptions of data links should include, at a minimum, details of the data link providers, the number and bandwidth of the links, the names and physical locations of onshore and offshore data centers, and the associated IP addresses.
5. How should enterprises understand the timelines in the Standard Contract Guidelines?
The Standard Contract Guidelines outlines key timelines for preparation and filing of the Standard Contract that enterprises should duly observe:
* The Completion Date of the PIA. The PIA should be completed within three months before the filing date and should not undergo any material changes prior to that date. Please refer to previous discussion for a better understanding of this assessment period.
* Date of Filing. Personal information processors should submit the filing materials to their local, provincial CAC office within 10 working days after the effective date of the Standard Contract. It’s worth noting that the Standard Contract template does not explicitly stipulate how a Standard Contract should take effect. Contracts generally become effective upon both parties’ signatures and/or company stamps without special agreements. Should enterprises and overseas recipients wish to expedite execution of the Standard Contract to allow for additional time for preparation of filing materials, they may consider adding conditional effectiveness provisions in the appendix to the Standard Contract to prevent any potential failure to submit the required filing materials within the prescribed 10-working-day period.
* Inspection Period for Filing Materials. In contrast to the filing requirements for the Security Assessment for Outbound Data Transfer, the filing process for the Standard Contract gravitates more towards formality, and the provincial CAC office does not mandate a “completeness check” as a preliminary review process. On the contrary, the provincial CAC office should review the filing materials within merely 15 working days of receipt. If the filing fails, personal information processors are granted 10 working days to supplement and resubmit the filling materials.
* Deadlines for Supplementation or Resubmission due to Special Circumstances. Unlike the filing requirements associated with the Security Assessment for Outbound Data Transfer, the filing of the Standard Contract focuses on form. This process does not require a preliminary “completeness check” by the provincial CAC office. Rather, the provincial CAC office must review the submitted materials within 15 working days of receipt. If the filing is unsuccessful, personal information processors are afforded another 10 working days to revise and resubmit the filing materials.
6. How should enterprises understand the transitional relationship between the Standard Contract and the Security Assessment?
Whether an enterprise may choose the Standard Contract path or must declare for the Security Assessment depends on the following four criteria:
* Does the enterprise that processes the personal information of 1 million or more individuals provide any amount of personal information abroad?
* Is the enterprise a Critical Information Infrastructure Operator (“CIIO”) that transfers personal information abroad?
* Has the enterprise transferred the personal information of 100,000 or more individuals or sensitive personal information of 10,000 individuals or more abroad since January 1 of the previous year? or
* Does the enterprise engage in the transfer of important data overseas?
As business operation models evolve, enterprises that have completed the filing of the Standard Contract may find themselves, in future operations, triggering conditions that obligate them to declare for the Security Assessment for Outbound Data Transfer. Nonetheless, the similarity in the requirements for the outbound PIA report in the Standard Contract Guidelines and the Self-Assessment report in the Self-Assessment Guidelines is a favorable advantage. Enterprises that have completed the filing of the Standard Contract will therefore be strategically positioned to efficiently complete the Security Self-Assessment for Outbound Data Transfer and prepare the required documents, employing similar methods as before, should the need arise.
7. Per the Standard Contract Guidelines, is the process of filing the Standard Contract easier to prepare than the Security Assessment declaration?
From the perspective of preparation workload, the process can be challenging. Any enterprise with experience of the Security Assessment for Outbound Data Transfer will know that primary challenges and difficulties will be brought by the extensive Self-Assessment requirements set out in the Self-Assessment Guidelines, which create a significant challenge in sifting through data compliance facts. Similarly, it is evident from the context of the Standard Contract Guidelines that the extensive evaluation requirements under PIA do not fall short compared to those of the Self-Assessment. Therefore, enterprises are advised to soon engage skilled professionals to conduct due diligence investigations and thoroughly review compliance facts related to the Standard Contract.
8. Is the Standard Contract filing really an administrative filing process?
Generally, supervisory authorities conduct formality rather than substantial reviews during the administrative filing process. Nevertheless, it is not uncommon for some supervisory authorities to apply substantial review standards during the proposal process under the guise of a filing process, leading enterprises to doubt whether the filling process of the Standard Contract is really an administrative filing process.
That being said, the provincial CAC office is likely to limit its evaluation to formal reviews during the Standard Contract filing process. This observation is drawn from the fact that, in formulating the Standard Contract Guidelines, the CAC has left out the requirement to provide supporting evidence stipulated in the Self-Assessment Guidelines. This change implies that enterprises are only required to prepare relevant materials per the Standard Contract Guidelines and are not required to submit additional supporting documents that substantiate their capabilities to protect personal information. Additionally, such supporting documents fall outside the purview of the assessment by the provincial CAC office. Consequently, the administrative review conducted during the Standard Contract filing process is primarily a formality review.
9. How do affiliated companies within the same group company choose between the “Standard Contract” and the “Security Assessment for Data Outbound Transfer”?
Under the framework of group governance, various factors such as the type of business, the scale of personal information processed, and the sensitivity of the personal information, may lead affiliated companies to choose different paths between the Standard Contract and the Security Assessment. For instance, assume that Company A, a consumer goods subsidiary within a group, processes and transfers personal information of millions of individuals abroad each year. In contrast, Company B, a large equipment sales subsidiary within the same group, conducts minimal cross-border personal information transfer each year without triggering conditions that necessitate a Security Assessment. Company A should be subject to the Security Assessment, but is it feasible for Company B to proceed directly with the Standard Contract filing process? The answer may require some elaborations.
As unified group governance structure often spells intricacies, it is imprudent to determine the compliance approach to the outbound transfer of personal information based solely on the circumstances of each member of the group alone. Per our consultations with the CAC, several criteria should be considered when deciding whether Company B in the above example is eligible to choose the Standard Contract filing process, namely, whether it truly functions as an independent data processor:
* Is the legal representative of Company A and Company B the same? If they are the same, Company B may not be able to act as an independent data processor, which may require it to file a joint declaration for the Security Assessment for Outbound Data Transfer with Company A.
* Does Company B share the group’s IT infrastructure with Company A, thereby potentially giving Company B’s overseas recipients of personal information remote access to Company A’s personal data? If so, Company B may be unable to act as an independent data processor and should consider declaring the Security Assessment for Outbound Data Transfer jointly with Company A.
10. Is it necessary to assess the laws and regulations of the country where the re-transfer recipients are located?
Per the feedback received from the CAC, a personal information processor is not obligated to furnish and explain the data security protection policies, laws, and regulations or to conduct an analysis of the network security environment of the country or region in which its re-transfer recipients are located, as mandated for foreign recipients in the Standard Contract Guidelines. Furthermore, when assessing the legal environment of the country where the foreign recipient is located, the personal information processor and the external experts engaged are only required to conduct a genuine and truthful assessment. Importantly, there is no requirement to maintain professional qualifications under foreign laws to provide specialized legal opinions.
The discussions within the Q&A above underscore the importance of understanding and effectively implementing the requirements prescribed by the Standard Contract Guidelines. Businesses must recognize that while some may be exempt from the Security Assessment for Outbound Data Transfer, a thorough assessment of matters such as the nature of their business, the scope and scale of personal information processed, is still necessary per the Standard Contract Guidelines. Enterprises must remain agile in an ever-evolving operation landscape with regulatory compliance obligations in place even after completing the Standard Contract filling process. An informed decision on whether to opt for a Standard Contract filing or the Security Assessment can help them remain compliant without compromising their business strategies.