Data Security: Standard Contract for Outbound Transfer of Personal Information Released

31 3 月 2023 Data Security: Standard Contract for Outbound Transfer of Personal Information Released

Posted at 00:00h in China News by

1. Data Security: Standard Contract for Outbound Transfer of Personal Information Released

The State Administration for Market Regulation and the Cyberspace Administration of China (“CAC”) issued the Standard Contract for Outbound Transfer of Personal Information (“Standard Contract”) on February 24, 2023, which makes the current legal framework of data compliance more complete. Companies whose business concerns cross-border data transfer (“CBDT”) in China shall pay special attention to this Standard Contract.

According to the Personal Information Protection Law (“PIPL”), where a personal information handler (“PI Handler”) needs to provide personal information outside the territory of the PRC, it shall at least meet one of the following conditions:

(i) CAC Secuirty Evaluation: pass the security evaluation organized by the CAC;[1]

(ii) Certification: be certified by a specialized institution for protection of personal information;[2]

(iii) Standard Contract: PI handler to enter into a contract with the overseas recipient under the standard contract formulated by the CAC.[3]

This means that there are three mechanisms for CBDT, and the recent Standard Contract thus serves as one CBDT mechanism. Within the three mechanisms, once the company reaches certain threshold, it is mandatory for the company to choose the first CAC security evaluation;[4] otherwise, the company is free to choose either Certification or Standard Contract.

For PI Handler, the Standard Contract will be effective as of June 1, 2023. A grace period of six month is granted as well, which means PI Handler has to comply with the requirements of Standard Contract before December 1, 2023.

The principal articles are as follows:

(1) Scenarios of application of Standard Contract[5]

PI Handler shall meet all of criteria:

  • not a critical information infrastructure operator
  • handling personal information of less than one million individuals
  • having provided personal information of less than 100,000 individuals in aggregate to overseas recipients since January 1 of the previous year
  • having provided sensitive personal information of less than 10,000 individuals in aggregate to any overseas recipients since January 1 of the previous year

(2) Principal procedure[6]

(http://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm)

 

[1] Please kindly refer to our previous publication: https://asiallians.com/en/data-security-security-assessment-of-outbound-data-transfers-clarified/ https://asiallians.com/en/data-security-first-two-cases-passed-cbdt-security-assessment/
[2] Please kindly refer to our previous publication: https://asiallians.com/en/cybersecurity-announcement-on-the-implementation-of-certification-for-personal-information-protection-released/
[3] Article 38 of the PIPL.
[4] Please kindly refer to our previous publication: https://asiallians.com/en/data-security-security-assessment-of-outbound-data-transfers-clarified/ https://asiallians.com/en/data-security-first-two-cases-passed-cbdt-security-assessment/
[5] Article 4 of the Standard Contract.
[6] Articles 5-8 of the Standard Contract.

2. Legalization: China to Abolish the Requirement of Legalisation for Cross-border Use of Public Documents

The Apostille Convention[7] will enter into force in China on November 7, 2023. Prior to China’s accession to the Apostille Convention, foreign documents to be used in China had to go through a complex and time-consuming legalization process, that is, the documents had to be certified by many competent authorities including Chinese embassy or consulate in the foreign countries.

After China’s accession to the Apostille Convention, the previous legalization process will be abolished, so that relevant official documents issued by other members of the Apostille Convention can be used in China simply after obtaining an Apostille. An Apostille is a simple form of certification issued by one authority of the members of Apostille Convention (normally the Apostille department), to replace the legalization process certified by many authorities including the embassy or consulate of the members of destination.  Such Apostille is then recognized in the members of destination. It will simplify procedures as well as save time/costs for any cross-border use of public documents in the foreseeable future.

As of today, members of Apostille Convention include but not limited to France, Germany, India, Ireland, Italy, South Koreau, Japan, Netherlands, Norway, New Zealand, Portugal, Russia, Signapore, Spain, UK, United States, etc. It is estimated that as of November 7, 2023, French documents like Extrait Kbis, birth certificate, passport can be used in China after obtaining an Apostille from the Apostille department in France, instead of going through French Foreign Affairs Bureau and Chinese embassy or consulate for a legalization process.

(https://mp.weixin.qq.com/s/DvbllkR3Th1p511U5O1Ojw)

Should you need to know more details, please reach us at asialians@asiallians.com.

 

[7] Convention Abolishing the Requirement of Legalisation for Foreign Public Documents.