I. Applicability

Pursuant to Article 4 of the Standard Contract Measures, any personal information processor transferring personal information abroad by entering into the standard contract shall meet all of the following conditions: (1) it is not a critical information infrastructure operator (a “CIIO”); (2) it processes the personal information of fewer than one million individuals; (3) it has cumulatively transferred abroad personal information of fewer than 100,000 individuals since 1 January of the previous year; and (4) it has cumulatively transferred abroad sensitive personal information of fewer than 10,000 individuals since 1 January of the previous year.

Pursuant to Article 4 of the Security Assessment Measures, where cross-border transfer by a data processor falls under any of the followingcircumstances, the data processor shall apply for a security assessment: (1) cross-border transfer of important data by a data processor; (2) cross-border transfer of personal information by a CIIO or a personal information processor who has processed the personal information of 1,000,000 or more individuals; (3) cross-border transfer of personal information by a personal information processor who has cumulatively made cross-border transfers of the personal information of 100,000 or more individuals or the sensitive personal information of 10,000 or more individuals since 1 January of the previous year; or (4) other circumstances where an application for the security assessment of a cross-border data transfer is required as prescribed by the national cyberspace administration authority.

Based on the above, in terms of the scenarios of cross-border transfers of personal information and by comparing the requirements of the abovementioned two regulations (both being department regulations published by the CAC), enterprises should continuously monitor whether any of the below thresholds (the “Security Assessment Thresholds”) is triggered:

1. whether the personal information processor is identified as a CIIO;
    
2. whether personal information of one million or more individuals is processed;
    
3. whether personal information of 100,000 or more individuals has been transferred abroad cumulatively (since 1 January of the previous year); or
    
4. whether sensitive personal information of 10,000 or more individuals has been transferred abroad cumulatively (since 1 January of the previous year).

Where the answer to any of the four abovementioned questions is “yes”, the cross-border transfer of personal information can only be conducted through applying for a security assessment, instead of relying solely on a standard contract with the overseas recipient. In other words, concluding a standard contract alone cannot offer an adequate level of protection for the four abovementioned circumstances, and only by applying for and completing a security assessment with the cyberspace administration authority can the legal requirements be fulfilled. Where the answers to all of the four abovementioned questions are “no” and there are no special provisions prescribed by the laws, administrative regulations or the cyberspace administration authority on the cross-border transfer, the personal information processor shall therefore be able to transfer personal information to the overseas recipient after concluding a standard contract with such overseas recipient.

The personal information processor shall also take into consideration other special provisions prescribed by the laws and administrative regulations, if applicable. For instance, pursuant to Article 30 of the Law of the People's Republic of China on Protecting State Secrets (《中华人民共和国保守国家秘密法》), where state secrets have to be furnished for the benefits of contacts and co-operation with foreign countries by an organ or institution or a foreign-appointed or foreign-employed person needs to know a state secret due to genuine needs, such organ or institution shall report the same to and seek approval from the relevant competent department of the State Council or the relevant competent department of the people's government of a province, autonomous region or municipality directly under the Central Government, and conclude a confidentiality agreement with the counterparty. In addition, pursuant to Article 30 of the State Measures for the Management of the Standard, Security and Services of Medical and Health-related Big Data (Trial) (《国家健康医疗大数据标准、安全和服务管理办法（试行）》), medical and health-related big data shall be stored on secure and trustworthy servers within the territory of the People's Republic of China; where there is genuine need for cross-border transfers, a security assessment and approval shall be applied for in accordance with the relevant laws and administrative regulations. Pursuant to Article 57 of the Biosecurity Law of the People's Republic of China (《中华人民共和国生物安全法》), any person providing China's human genetic resources for any overseas organization, individual or any agency established or de facto controlled thereby, or any person making such resources publicly accessible, shall report in advance the same to the competent department of science and technology under the State Council and submit backup information thereto.

Diagram 2 – Applicable Rules for Prerequisites for cross-border transfer of personal information

We hereby provide the following analysis on the four key factors relating to security assessments:

With regards to the first factor, with reference to the relevant stipulations of the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China and the PIPL, the Standard Contract Measures specify that personal information collected and produced in the course of business operation by a CIIO within the territory of the People's Republic of China cannot be transferred abroad by concluding a standard contract with the overseas recipient as a protection mechanism. In principle, a CIIO shall store personal information and important data collected and produced during operations within the territory of the People's Republic of China. Where there is genuine need to transfer such information and data abroad, a security assessment shall be applied to the CAC regardless of the quantity of such data or whether such data is personal information or important data. Furthermore, only after passing the security assessment shall the CIIO transfer abroad the personal information collected and produced within the territory of the People's Republic of China.

With regards to the second factor, the Standard Contract Measures address personal information processors who “process personal information of fewer than one million individuals” while the Security Assessment Measures refer to the “cross-border transfer of personal information by a personal information processor who has processed the personal information of one million or more individuals”. One may argue that based on the above wording, the regulations focus on personal information processors that process personal information to a certain extent, rather than the processing activities, and such personal information processors will have to process personal information of one million or more individuals before being subject to the regulations. However, considering the Regulations on Network Data Security Management (Draft for Comments) (《网络数据安全管理条例（征求意见稿）》) issued by CAC on 14 November 2021, Article 26 of which stipulates that, “A data processor processing the personal information of one million or more individuals shall also abide by the provisions of Chapter IV of these Regulations relating to the processors of important data.” In other words, in terms of the regulatory trends, personal information processors processing personal information of one million or more individuals are also required by the laws and administrative regulations to perform the same obligations as processors of important data. That is, regardless of the quantity of data and the personal information of any number of individuals that are transferred abroad, as long as the personal information processor has processed personal information of one million or more individuals, it shall apply to the CAC for security assessment and abide by the provisions relating to the processors of important data.

Based on the above understanding, we advise that enterprises pay attention to the following: (1) a personal information processor that has processed personal information of one million or more individuals shall apply to the CAC for security assessment instead of concluding a standard contract before transferring personal information abroad, regardless of the quantity of such personal information being transferred. For example, operators of internet products including websites, Apps and miniprograms with more than one million registered users should apply to the CAC for security assessment instead of concluding a standard contract to perform compliance obligations, regardless of the quantity of data transferred abroad in each batch; and (2) a personal information processor that has processed personal information of fewer than one million individuals may choose any compliance mechanism for cross-border transfer of personal information in accordance with Article 38 of the PIPL, even if one million or more personal information fields may be transferred abroad. Where the Standard Contract Measures are applicable and there are no other special provisions, a majority of enterprises may prefer to rely on concluding a standard contract.

With regards to the third and the fourth factors, the Standard Contract Measures confirm that the calculations for  the number of individuals whose personal information has been transferred abroad cumulatively should start from 1 January of the previous year. For example, where an enterprise plans to transfer personal information abroad on 11 June 2023, if it concludes its self-assessment on 27 February 2023, it should calculate for the period of 1 January 2022 to 27 February 2023 whether the Security Assessment Thresholds are exceeded. If the thresholds are exceeded, the enterprise should apply to the CAC for security assessment in accordance with the Security Assessment Measures. If on concluding the self-assessment the enterprise is found to have not exceeded the above thresholds, the enterprise should continue to estimate the number of individuals whose personal information may be transferred abroad from 27 February 2023 to 10 June 2023 (the day before cross-border transfer). If by adding its estimates for the period of 27 February 2023 to 10 June 2023, the Security Assessment Thresholds are exceeded, the enterprise should adjust its compliance mechanism for cross-border transfer of personal information and apply to the CAC for security assessment instead of concluding a standard contract.

Based on the above analysis, our preliminary conclusion is that, the factors that should be considered for a security assesment mainly include the quantity of the personal information the enterprise processes and the quantity of the personal information transferred abroad. Enterprises who transfer personal information abroad by concluding a standard contract are generally able to do so because the frequency of such cross-border transfer is low and the number of individuals whose personal information is transferred abroad is small, and such personal information does not involve large amounts of sensitive personal information. For most large-scale enterprises that conduct cross-border transfers of personal information in their ordinary course of business, they are required to pass security assessment before transferring personal information abroad. Can they avoid the requirement to apply for security assessment by means of splitting or spinning off data? The answer is clearly no. Such action not only goes against the intention of establishing the mechanisms for cross-border transfer of data, but also seriously threatens national security and public interest. Accordingly, the Standard Contract Measures explicitly prohibit such action: When using the standard contract for cross-border transfer of information, the personal information prossesor shall not use methods such as quantity splitting on the personal information that is required by law to undergo security assessment.

In addition, it should be noted that, pursuant to Article 1 of the Standard Contract, the “personal information processor” refers to any organization or individual that independently determines the purpose and method of processing in their activities of processing of personal information and who transfers personal information outside the territory of the People’s Republic of China. In this regard, Standard Contract cannot be used if the entrusted party in the personal information processing activities intends to further entrust another overseas entity to process personal information[1].

II. Personal Information Protection Impact Assessment

Article 5 of the Standard Contract Measures stipulates that, prior to the cross-border transfer of personal information, the personal information processor shall conduct a personal information protection impact assessment. Pursuant to Article 55 of the PIPL, personal information processors providing personal information to an overseas recipient shall conduct a personal information protection impact assessment before the event, and keep a record of the processing. We have made the following comparisons in relation to the self-assessment requirements for cross-border transfer as stipulated by the Security Assessment Measures, the Standard Contract Measures and the Authentication Specification v2.0, respectively:

Although the Security Assessment Measures, the Standard Contract Measures and the Authentication Specification v2.0 place emphasis on different aspects of personal information protection impact assessment, such differences are insignificant in general. When enterprises assess the legality, legitimacy, and necessity of the cross-border transfer of personal information and the effectiveness of the protection measures and their proportionality to the risk, they should also refer to the latest version of the Information Security Technology - Guide to the Personal Information Security Impact Assessment (《信息安全技术 个人信息安全影响评估指南》) (current version: GB/T 39335-2020) for guidance. Enterprises should also submit the report on personal information protection impact assessment for record-filing in accordance with Article 7 of the Standard Contract Measures. In the case that the personal information processed by the enterprise keeps evolving and updating when the enterprise conducts the assessment, we recommend that in practice, the assessment list that the enterprise uses to conduct personal information protection impact assessment for the cross-border transfer of personal information should be as comprehensive as possible. Omission of one or several key aspects of assessment may adversely affect the overall result of the assessment. In summary, the following key aspects of assessment should be included:

1. whether the cross-border provision of personal information complies with the laws and administrative regulations;
    
2. the legality, legitimacy, and necessity of the cross-border transfer of personal information and the processing of personal information by the overseas recipient in terms of the purpose, scope and method;
    
3. the quantity, scope, type, and sensitivity of the cross-border personal information, the risks that may be brought about by the cross-border transfer of personal information to national security, public interests, or the lawful rights and interests of other organizations, and the impact on the rights and interests of individuals;
    
4. the obligations that the overseas recipient promises to undertake, and whether the management and technical measures and capabilities of the overseas recipient to perform the obligations can ensure the security of the personal information to be transferred abroad;
    
5. the risk of the cross-border personal information being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the cross-border transfer of personal information, and whether the channels for individuals to safeguard their personal information rights and interests are unobstructed;
    
6. whether data security protection responsibilities and obligations are sufficiently stipulated in the legal documents entered into with the overseas recipient, or whether the standard contract includes any additional data security protection responsibilities and obligations; and
    
7. the impact of the legal and cybersecurity environment in the country or region where the overseas recipient is located on the cross-border transfer of personal information, protection of rights and interests of individuals and performance of contracts (or standard contract).

It can be concluded from comparison that, apart from the impact of cross-border transfer on the rights and interests of individuals, the Security Assessment Measures also emphasize that enterprises should assess the risk to and impact on national security, public interests, or the lawful rights and interests of other organizations in its self-assessment. The logic of such requirement is: on one hand, the Security Assessment Measures regulate not only personal information, but also important data; on the other hand, enterprises that can meet the applicability conditions of the Standard Contract Measures generally process personal information of a small number of individuals and do not involve complicated scenarios of cross-border transfer of data, and the possibility of being required to abide by the provisions relating to the processors of important data due to the number of individuals whose personal information is processed by such enterprises is relatively low (unless such enterprises control important data). By contrast, the Standard Contract Measures do not explicitly require enterprises to include assessment of the risk to and impact on national security, public interests, or the lawful rights and interests of other organizations in its self-assessment.

In addition, the Standard Contract Measures require enterprises to assess the impact of policies and regulations for the protection of personal information on the performance of the standard contract and the performance of the obligations of personal information protection and safeguarding of personal information rights and interests in the country or region where the overseas recipient is located. Although Article 5 of the Security Assessment Measures does not mention this requirement, the Self-assessment Report on the Risk of Cross-border Transfer of Data (Template) issued by the CAC explicitly requires the applicant to specify the “data security protection policies and regulations and the cybersecurity environment in the country or region where the overseas recipient is located”, which is one of the matters of the security assessment of cross-border data transfers conducted by the CAC. It should be noted that the Authentication Specification v2.0 also includes similar requirements. Therefore, no matter which compliance mechanism the enterprise chooses for cross-border transfer of personal information, it should assess the data security policies and regulations in the country or region where the overseas recipient is located. Similar requirements for cross-border transfer impact assessment were also made by the EU in the Schrems II case. If the enterprise has difficulty in conducting such self-assessment, it may consider seeking assistance from external assessment institutions.

III. Specific Content of the Standard Contract

Compared with Draft Provisions on the Standard Contract, the Standard Contract Measures do not provide an exhaustive list of the contents of the contract, possibly to leave room for further revisions or to allow for supplementing and updating the specific contents of the contract after implementation. According to the current version of the Standard Contract which is annexed to the Standard Contract Measures, the contents mainly include: (i) basic information of the personal information processor and the overseas recipient, including but not limited to the name, address, contact name/title and contact information; (ii) the purpose, manner, scale, type, transfer method, retention period and location of the personal information transferred overseas; (iii) the obligations of the personal information processor and the overseas recipient to protect personal information, as well as the technical and management measures taken to prevent possible security risks arising from the cross-border transfer of personal information; (iv) the impact of the personal information protection policies and regulations of the overseas recipient's country or region on the performance of the contract; (v) the rights of the personal information subject, as well as the ways and means to protect the rights of the personal information subject; and (vi) remedies, termination of the contract, liability for breach of the contract and dispute resolution, etc.

Since the export of personal information (cross-border transfer) is a type of personal information processing activity, it is subject to the requirements of the PIPL for personal information processing activities. Therefore, the general principles and approach of the PIPL are also reflected in some of the provisions of the Standard Contract template. In particular, the Standard Contract addresses the mandatory obligations of the personal information exporter and importer in relation to the cross-border transfer of personal information, while allowing the two parties to contractually determine other rights and obligations. It is important to note that, according to Article 6 of the Standard Contract Measures, the personal information processor may sign other agreements with the overseas recipient, provided that they do not conflict with the standard contract. And, if the standard contract, at the time of its conclusion, conflicts with any other agreement already in existence between the parties, the terms of the standard contract shall prevail.

IV. Filing Requirements

The Standard Contract Measures have innovatively introduced the filing requirements for signed standard contracts. According to Article 3 of the Standard Contract Measures, if an enterprise concludes a standard contract as a compliance measure for the cross-border transfer of personal information, it must ensure both independent contracting and proper record management.

Article 46 of the EU General Data Protection Regulation (the “GDPR”) also stipulates that data exporters and data importers shall enter into Standard Contractual Clauses (the “SCC”), which are adopted by the European Commission or by the supervisory authorities of the member states and approved by the European Commission, as one of the compliance mechanisms for the cross-border transfer of personal data to allow data processors to transfer data to countries, regions or international organizations that are not considered by the EU to have an "adequate level of data protection" if certain conditions are met. It is clear from the Standard Contract Measures that our standard contract mechanism is not identical to the SCC mechanism under the GDPR. Under the GDPR, when a company has conducted a Data Protection Impact Assessment (DPIA), performed a Transfer Impact Assessment (TIA), and selected and signed one of the applicable SCC templates issued by the EU Data Protection Board (EDPB) based on its own data transfer links, it does not need to perform a separate filing procedure with the regulator. The (administrative) filing of the standard contract as required by Standard Contract Measures is also different from the nature of other cross-border transfer mechanisms approved by the EDPB on the basis of the GDPR.

According to Article 2 of the Measures for the Administration of Administrative Filing in Hebei Province, administrative filing refers to the act of an administrative organ or an organization authorized by laws, regulations or rules to accept, in accordance with the law, the submission of relevant materials from citizens, legal persons or other organizations to engage in a specific activity and to record the filing materials for post-event supervision. Article 2 of the Administrative Filing Management Measures of Guangzhou (2019 Revision) also defines administrative filing, i.e., the act of administrative authorities requiring citizens, legal persons and other organizations to submit materials relating to their engagement in a specific activity in accordance with the law in order to strengthen administrative supervision and management, and to file the submitted materials for inspection. As there is no clear characterization of the nature of the administrative filing procedure after the signing of a standard contract, it is clear from the provisions of some local regulations on administrative filing that filing is mainly for the purpose of strengthening administrative supervision and management by requiring citizens, legal persons or other organizations to submit relevant materials to the competent administrative organ for post-facto supervision and inspection without amounting to the obtaining of administrative approval. The Guidance of the State Council on Accelerating the Standardization, Regulation and Facilitation of Administrative Services also describes administrative filing, administrative licensing and administrative confirmation in parallel, and therefore administrative filing is not treated as administrative licensing or administrative confirmation and therefore does not create or confirm any rights and obligations.

Specific to the act of cross-border data transfer, this is also reflected in the time difference between the filing and effective date of a Standard Contract. According to Articles 6 and 7 of the Standard Contract Measures, personal information processors may not carry out personal information cross-border transfer activities until after the standard contract has entered into force, and within 10 working days from the effective date of the standard contract, personal information processors shall submit the standard contract and the personal information protection impact assessment report to the provincial cyberspace authority where it located for filing. The overall process can therefore be summarized as follows:

“conclude a contract → contract takes effect → carry out personal information cross-border transfer activities → contract filing”; or

“conclude a contract → contract takes effect → contract filing → carry out personal information cross-border transfer activities”.

It should be noted that administrative filing is not a necessary condition for the standard contract to take effect.

According to Article 12 of the Standard Contract Measures, any violation of the provisions of the Standard Contract Measures shall be dealt with in accordance with the PIPL and other laws and regulations; if the violation constitutes a crime, criminal liability shall be investigated in accordance with the law.

In conjunction with the above provisions, if an enterprise fails to comply with the filing procedures, it will face administrative penalties and, if such violations constitute a crime, it may also bear criminal liability. However, it should also be noted that the failure to comply with filing procedures will not affect the validity of the contract, i.e., the enterprise can carry out personal information cross-border transfer activities after the contract comes into effect. This fully reflects the concept in Article 3 of the Standard Contract Measures, which is to maintain the practice of independent contracting combined with record-filing management, protection of rights and interests combined with the prevention of risks, and protection of the cross-border security combined with free flow of personal information.

V. Remedies, Penalties and Others

Article 8 of the Standard Contract Measures provides for the circumstances under which the personal information processor shall conduct a personal information protection impact assessment again, and supplement the existing standard contract or execute a new standard contract, as well as file a record again. The said circumstances are: (i) there is any change in the purpose, scope, type, sensitivity, quantity, method, retention period, and retention location of the personal information transferred overseas, or any change in the purpose and method of the personal information processing of the overseas recipient, or an extension of the overseas retention period of the personal information; (ii) there is any change in personal information protection policies and regulations in the country or region where the overseas recipient is located, which may affect personal information rights and interests; or (iii) other circumstances that may affect personal information rights and interests.

It is worth noting that, firstly, when the above circumstances arise, not only is it necessary to supplement or re-enter into a standard contract and file a record, but the personal information processor shall also conduct a new personal information protection impact assessment internally; secondly, compared to the Draft Provisions on the Standard Contract, the circumstance of “change in the 'quantity' of personal information provided outside the country” has been removed from the Standard Contract Measures. We believe that this removal reflects the difficulties in defining the change in the quantity of personal information to be exported, and it is also uncertain whether the change in "quantity" refers to the change in the size of the data or the number of persons. It is also unclear whether it is necessary to refile whenever there is an increase or decrease related to the quantity. Although the Standard Contract Measures have avoided the above uncertainties, it remains to be seen whether the cyberspace authority will provide further guidance on whether a new personal information protection impact assessment is required for situations where there are occasional surges in the quantity of personal information to be exported, and whether a supplementary or new standard contract is required.

Article 9 of the Standard Contract Measures also requires that the cyberspace authorities and their staff members shall keep confidential any personal privacy, personal information, trade secrets, or confidential business information that they come to know in the course of the performance of their duties, and must not disclose or illegally provide to others or use such information.

In terms of remedies, Articles 10 and 11 of the Standard Contract Measures provide that organizations or individuals may report any violation of the Standard Contract Measures, and that cyberspace authorities may conduct a regulatory interview with the personal information processor if they find any considerable risk or any personal information security incident in relation to the personal information cross-border transfer activity. Compared to the Draft Provisions on the Standard Contract, the Standard Contract Measures have removed the provision that the personal information processor shall terminate the personal information cross-border activity in accordance with the notification of the cyberspace authority. In cases where there is a greater risk of personal information cross-border transfer activities or a personal information security incident, whether the personal information processor shall take corrective measures on its own after interactions with the cyberspace authority or shall implement specific requirements proposed by the cyberspace authority during the regulatory talk remains to be further observed in practice.

In addition, compared to the Draft Provisions on the Standard Contract, the Standard Contract Measures remove the specific description of the punishment for violation of the Standard Contract Measures. Punishment for violations of the provisions will therefore be in accordance with the PIPL and other laws and regulations while those constituting a crime will be dealt with in accordance with the relevant criminal laws.

Conclusion

Supplementing the SCC

Articles 21 and 23 of the PIPL provide for two modes of data processing, namely “entrusted processing” and “provision to external parties”. However, the Standard Contract Measures do not make a clear distinction between these two types of data processing, but rather treat personal information cross-border transfer as a special data processing activity while setting out the obligations of both domestic and oversea parties. Unlike the SCC in the context of the EU GDPR, which distinguishes between “data controllers” and “data processors”, and the SCC in the context of the Hong Kong Personal Data Privacy Ordinance, which distinguishes between “data users” and “data processors”, the Standard Contract Measures do not have different versions of the standard contract for different data processing relationships, and both personal information processors and overseas recipients are liable for personal information processing activities. Therefore, for personal information cross-border transfer, whether it is necessary to consider differentiated treatment and different versions of standard contracts based on the potential roles and relationship between domestic and foreign parties is also an issue that should be considered by the regulator.

Transferring Personal Information to Third Parties Overseas

If the personal information processor and the overseas recipient are in an entrusted processing relationship along the data processing chain, as the personal information processor will ultimately be responsible for how data is handled overseas, the default position as set out in the Standard Contract is that the overseas recipient must not transfer personal information to third parties without the prior consent of the personal information processor and that the Overseas Recipient will assume responsibility for the actions of the third party. However, it is our view that as the ultimate responsibility for ensuring that personal information is adequately protected remains with the personal information processor, the personal information processor should also conduct adequate due diligence on the third party and not solely rely on compliance by other parties on an agreement to which it is not a party. It is also recommended that the domestic personal information processor explicitly agree, in the standard contract with the overseas recipient such information as the scope of processing, storage location, retention period and other relevant details of the processing to be conducted by the third party. If appropriate, the personal information processor may consider by limiting in item 6 of Appendix I of the standard contract the third parties to whom the overseas recipient is permitted to provide the personal information so as to avoid the need for further standard contracts or supplementary agreements and multiple filings with the cyberspace authority.

In conclusion, with the gradual release of laws, regulations and supporting documents related to the personal information cross-border transfer, the compliance requirements and operational path for the personal information cross-border transfer have been initially determined. For processors dealing with a relatively smaller number and scale of personal information, full consideration should still be given to situations which may result in cross-border data transfer activities. Compliance risk can be further managed with compliance tools such as personal information protection certification and personal information protection impact assessment while paying close attention to the latest legal and regulatory trends, supporting guidelines and relevant documents that may be issued by the cyberspace authority.

[1] Expert Explanation｜The issuing of the Measures for the Standard Contract for Cross-Border Transfer of Personal Information contributes to the domestic plans for cross-border transfer of data, http://www.cac.gov.cn/2023-02/24/c_1678882701238102.htm.

Please click the button "Download" at the end of this article to read "Standard Contract for Cross-border Transfer of Personal Information".