Jul 142022

China Data Law Update: Certification Rules and Draft Standard Contract Are Issued

Lei Li and Lianying Wang
, , , , ,

As the year approaches its halfway point, Chinese government accelerates the legislation for cross-border data transfers.

Certification Rules for Cross-Border Data Processing Activities Are Finalized

Following an exposure draft dated April 29, TC260 finalized and released the Certification Rules for Cross-Border Data Processing Activities on June 24, 2022. The final version does not substantially depart from the exposure draft, which has been discussed in our previous blog post.

One important question remains unsettled in the final version: which institutions are authorized to issue certification in accordance with the Certification Rules. Therefore, companies planning to obtain a certification have to await further notice from Chinese authorities. Considering the China Cybersecurity Review Technology and Certification Center and China Electronics Standardization Institute have supported the development of the Certification Rules from a technical perspective, it is possible that they might be designated as authorized institutions to issue certifications.

China Solicits Public Comments on Standard Contract for Personal Information Export

On June 30, 2022, the Cyberspace Administration of China (CAC) issued the draft Provisions on Standard Contract for Personal Information Export (the Standard Contract Regulation) for public comments. Companies have until July 29 to submit their comments and suggestions via email or letter.

The Standard Contract Regulation consists of 13 articles which set out the general rules and requirements for companies to legitimize cross-border transfers of personal information based on the standard contract and an accompanying schedule (i.e., the standard contract).

  • Who can rely on the standard contract?

A company can rely on the standard contract to export personal information from China only if it:

  1. is not the operator of a critical information infrastructure;
  2. processes personal information of fewer than 1 million individuals; and
  3. since January 1 of the preceding year, has not transferred outside of China the personal information of 100 thousand individuals or the sensitive personal information of 10 thousand individuals.

If a company, however, does not satisfy any of the above thresholds, it will not be permitted to rely on the standard contract. In that event, the company will have to pass a governmental security review in order to continue to lawfully export personal information from China.

  • What are the procedures to follow the standard contract route?

In order to legitimize cross-border data transfers based on a standard contract, companies must take the following actions:

  1. conduct a personal information protection impact assessment (PIA), which shall include consideration of:
    • the lawfulness, legitimacy and necessity of the purpose, scope, method, etc. of the processing by the data exporter and the overseas recipient;
    • the amount, scope, categories and sensitivity of the exported personal information, and the risks that may be caused to the individuals’ rights and interests by the export;
    • the responsibilities and obligations that the overseas recipient promises to take, and whether the corresponding administrative and technical measures and capabilities are adequate to protect the security of the exported personal information;
    • the risks of leakage, destruction, tampering or misuse after the personal information is exported, and whether there exists an unobstructed channel for individuals to safeguard their rights and interests;
    • the impact of the personal information protection policies, laws and regulations in the recipient’s country or region on the performance of the standard contract; and
    • other matters that may impact the security of the personal information export.
  2. enter into a standard contract with the overseas recipient; and
  3. within 10 working days from the effective date of the standard contract, make a filing with the CAC at the provincial level by submitting the signed standard contract and the PIA report.

If any material aspects of the cross-border data transfer (e.g., the transfer purpose, the storage location, or the laws of the recipient’s jurisdiction) change, the data exporter must re-sign the standard contract and submit a new filing with the CAC.

  • What is in the standard contract?

The standard contract is in Chinese only, and consists of 9 sections and 2 appendices:

– Clause 1 Definitions
– Clause 2 Obligations of the data exporter
– Clause 3 Obligations of the overseas recipient
– Clause 4 Impact of local policies, laws and regulations on observance of the standard contract
– Clause 5 Data subjects’ rights
– Clause 6 Remedies for individuals
– Clause 7 Termination
– Clause 8 Liability for breach of contract
– Clause 9 Miscellaneous
– Appendix 1 Description of the personal information export
– Appendix 2 Supplemental clauses agreed by the parties (if any)

Under the standard contract, the data exporter is obliged to, among other things:

  1. ensure that the exported data are limited to the minimum scope necessary for achieving the processing purpose;
  2. notify data subjects of relevant matters and obtain their consent;
  3. make copies of relevant legal provisions and technical standards available to the data recipient;
  4. make reasonable efforts to ensure the recipient’s compliance with the contract;
  5. respond to inquiries from regulators, unless the parties agree that the recipient shall respond to such inquiries;
  6. conduct PIAs;
  7. make copies of the standard contract available to data subjects (which may be redacted  to the extent necessary for protection of trade secrets or other confidential information).

The overseas recipient is obliged to, among others:

  1. implement effective technical and administrative measures to protect the security of personal information;
  2. take remedial measures, and notify Chinese regulators and affected individuals when a data breach occurs;
  3. only transfer personal information to third parties outside of China based on business needs after:
    • notifying data subjects of relevant matters relating to the onward transfer and obtaining their consent; and
    • entering into a written agreement with the relevant third parties, which shall be made available to the data subjects.
  4. provide the data exporter with all necessary information to demonstrate its compliance with the contract and permit the data exporter to audit its processing activities; and
  5. accept supervision and administration of Chinese regulators.

Our Observations

China permits three cross-border data transfer mechanisms, i.e., governmental security review, certification and standard contract. Now, with the issuance of the draft Standard Contract Regulation, the implementation rules for all three transfer mechanisms have been published.

Given the Certification Rules have been finalized, it is possible that certification may become the first practically available mechanism upon which companies can actually rely. Companies planning to sign a standard contract, still have to wait until the relevant rules are finalized.

The current draft of the standard contract resembles the EU model of standard contractual clauses in some aspects, but also has a number of key differences.  For example, the Chinese standard contract does not distinguish between controller-to-controller and controller-to-processor transfers, but prescribes a uniform set of clauses for both scenarios. We recommend international companies in China keep a close watch on future developments and seek external support and advice as necessary.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Lei Li

Beijing, Shanghai

lei.li@sidley.com

Lianying Wang

Beijing

lianying.wang@sidley.com

You might also like
Top 10 Questions on the EU AI Act

The EU AI Act will be the first standalone piece of legislation worldwide regulating the use and provision of AI in the EU, and will form a key consideration in AI governance programs. The AI Act will have a significant impact on many organizations inside and outside the EU, with failure to comply potentially leading to fines of up to 7% of annual worldwide turnover.

EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.