China Issues Guidelines regarding Filing Standard Contracts for Cross-Border Transfer of Personal Information
Listen
to
this
post
On
May
30,
2023,
the
Cyberspace
Administration
of
China
(“CAC”)
issued
the
Guideline
for
Filing
the
Standard
Contract
for
Cross-border
Transfer
of
Personal
Information
(“SC”).
On
June
1,
2023,
the
SC
became
an
effective
mechanism
for
transferring
personal
data
outside
of
China.
When
using
the
SC
as
a
transfer
mechanism,
it
must
be
filed
with
the
CAC
and
the
new
Guideline
provides
guidance
for
doing
so.
The
key
elements
of
the
Guideline
are
summarized
below.
Scope
of
Application
of
the
SC
According
to
the
CAC,
a
personal
information
handler
may
use
the
SC
as
the
mechanism
for
the
cross-border
transfer
of
personal
information
if
it
meets
any
of
the
following
conditions
(unless
otherwise
provided
by
law):
-
It
is
not
a
critical
infrastructure
information
operator; -
It
is
processing
personal
information
of
less
than
one
million
individuals; -
It
has
transferred
personal
information
of
less
than
100,000
individuals
from
January
1
of
the
preceding
year;
or -
It
has
transferred
sensitive
personal
information
of
less
than
10,000
individuals
from
January
1
of
the
preceding
year.
The
CAC
further
explains
circumstances
which
would
be
deemed
a
cross-border
transfer
of
personal
information
and
the
SC
could
be
used,
including
(1)
the
data
handler
transferring
personal
information,
collected
and
generated
in
operations
within
China,
outside
of
China
or
storing
such
information
outside
of
China;
and
(2)
the
organization,
entity
or
individual
outside
China
accessing,
retrieving,
downloading
or
exporting
personal
information,
collected
and
generated
in
operations
within
China,
from
China.
It
is
not
clear
from
the
Guideline
whether
a
data
handler
subject
to
the
Personal
Information
Protection
Law
(“PIPL”)
by
virtue
of
extraterritorial
jurisdiction
may
execute
the
SC
for
cross-border
transfer
of
personal
information.
Filing
Requirements
for
the
SC
According
to
the
Guideline,
the
data
handler
shall
file
the
executed
SC
together
with
an
Impact
Assessment
Report
for
Personal
Information
Protection
(“Report”)
with
the
competent
CAC
at
the
provincial
level
(“Local
CAC”)
within
10
business
days
from
the
effectiveness
of
the
SC.
The
data
handler
shall
provide
materials
both
in
writing
and
electronic
form
for
such
filing.
The
Local
CAC
shall
complete
the
review
of
the
application
documents
within
15
business
days
and
notify
the
result
of
filing,
either
“pass”
or
“fail.”
If
the
result
is
“fail,”
the
data
handler
shall
provide
supplementary
materials
within
10
business
days.
Conditions
for
Supplementary
Filing
or
Re-Filing
During
the
term
the
SC
is
applicable
to
a
specific
transfer,
if
any
of
the
following
circumstances
arise,
the
data
handler
shall
re-prepare
the
Report
and
submit
the
supplementary
filing
or
conduct
re-filing
of
the
SC:
-
Any
change
of
the
purpose,
scope,
type,
sensitivity,
means,
storage
location
outside
of
China,
usage
and
means
of
processing,
or
extension
of
retention
period; -
Any
change
of
personal
information
protection
policies
and
laws
of
the
country/region
where
the
data
recipient
is
located;
or -
Any
other
circumstances
potentially
having
impact
on
the
interests
of
personal
information.
If
the
data
handler
executes
the
supplementary
agreement
to
the
SC,
it
shall
submit
the
supplementary
materials
to
the
Local
CAC.
If
the
data
handler
re-signs
the
SC,
it
shall
conduct
re-filing
of
the
re-signed
SC.
The
review
period
for
supplementary
filing
and
re-filing
is
15
business
days.
About Author
