On 24 February 2023, the Cyberspace Administration of China (“CAC”) published the finalized Measures on Standard Contracts for the Outbound Cross-Border Transfer of Personal Information (“SC Measures”), together with the Standard Contract for the Outbound Cross-Border Transfer of Personal Information (“Standard Contract”).[1] The SC Measures will take effect on 1 June 2023. As such, companies engaged in the outbound cross-border transfer of personal information (“PI”) from China within the scope of the SC Measures will need to be prepared to swiftly adopt responsive measures in order to comply with these new regulations. A summary of the key takeaways from the SC Measures is provided in the sections below.
Applicable Scope of the SC Measures
A PI handler[2] will be subject to the SC Measures if it engages in the transfer of PI out of China based on contractual arrangements, unless such PI handler has already completed a PI protection certification from a qualified certification institution designated by the CAC.[3] However, PI handlers that meet any of the threshold requirements for the mandatory application of the Data Export Security Assessment Measures (“SA Measures”) will still remain subject to the CAC-led security assessment regime for their cross-border data transfers and are not permitted to engage in such transfers under the standard contract regime.
For the reader’s reference, the SA Measures mandatorily apply to PI handlers transferring PI outside of China in cases where the PI handler:
- is a critical information infrastructure operator (“CIIO”);
- has processed the PI of at least one million individuals;
- has exported the PI of at least 100,000 individuals to overseas parties on a cumulative basis since 1 January of the preceding year; or
- has exported the sensitive PI of at least 10,000 individuals on a cumulative basis to overseas parties since 1 January of the preceding year.
The SC Measures further support the strict interpretation of these thresholds under the SA Measures by expressly prohibiting PI handlers from selectively distributing the volume of the PI that is processed or exported across different operating entities, so as to avoid meeting the thresholds above and thereby circumventing security assessment obligations. As such, the standard contract regime may be an unrealistic option for the transfer of PI outside of China in the case of PI handlers that are CIIOs or that are implicated by the thresholds under the SA Measures.