Privacy & Information Security Law Blog

On May 30, 2023, the Cyberspace Administration of China (“CAC”) issued the Guideline for Filing the Standard Contract for Cross-border Transfer of Personal Information (“SC”). On June 1, 2023, the SC became an effective mechanism for transferring personal data outside of China. When using the SC as a transfer mechanism, it must be filed with the CAC and the new Guideline provides guidance for doing so. The key elements of the Guideline are summarized below.

Scope of Application of the SC

According to the CAC, a personal information handler may use the SC as the mechanism for the cross-border transfer of personal information if it meets any of the following conditions (unless otherwise provided by law):

• It is not a critical infrastructure information operator;
• It is processing personal information of less than one million individuals;
• It has transferred personal information of less than 100,000 individuals from January 1 of the preceding year; or
• It has transferred sensitive personal information of less than 10,000 individuals from January 1 of the preceding year.

The CAC further explains circumstances which would be deemed a cross-border transfer of personal information and the SC could be used, including (1) the data handler transferring personal information, collected and generated in operations within China, outside of China or storing such information outside of China; and (2) the organization, entity or individual outside China accessing, retrieving, downloading or exporting personal information, collected and generated in operations within China, from China.

It is not clear from the Guideline whether a data handler subject to the Personal Information Protection Law (“PIPL”) by virtue of extraterritorial jurisdiction may execute the SC for cross-border transfer of personal information.

Filing Requirements for the SC

According to the Guideline, the data handler shall file the executed SC together with an Impact Assessment Report for Personal Information Protection (“Report”) with the competent CAC at the provincial level (“Local CAC”) within 10 business days from the effectiveness of the SC. The data handler shall provide materials both in writing and electronic form for such filing.

The Local CAC shall complete the review of the application documents within 15 business days and notify the result of filing, either “pass” or “fail.” If the result is “fail,” the data handler shall provide supplementary materials within 10 business days.

Conditions for Supplementary Filing or Re-Filing

During the term the SC is applicable to a specific transfer, if any of the following circumstances arise, the data handler shall re-prepare the Report and submit the supplementary filing or conduct re-filing of the SC:

• Any change of the purpose, scope, type, sensitivity, means, storage location outside of China,  usage and means of processing, or extension of retention period;
• Any change of personal information protection policies and laws of the country/region where the data recipient is located; or
• Any other circumstances potentially having impact on the interests of personal information.

If the data handler executes the supplementary agreement to the SC, it shall submit the supplementary materials to the Local CAC. If the data handler re-signs the SC, it shall conduct re-filing of the re-signed SC. The review period for supplementary filing and re-filing is 15 business days.