On May 30, 2023, the Cyberspace Administration of China (“CAC”) issued the Guidelines for Filing Standard Contracts for Cross-border Transfer of Personal Information (“Guidelines”) – just two days before the Chinese Standard Contract for the Export of Personal Information (“SC”) was set to become effective on 1 June 2023.
Under China’s Personal Information Protection Law (“PIPL”), which came into effect on November 1, 2021, companies are required to undergo certain procedures in order to transfer certain types of data and certain volumes of personal information (“PI”) outside of China. The SC is one of a few different PIPL-compliant mechanisms for cross-border data transfer.
The SC Measures were initially released by the CAC on February 22, 2023 clarifying how companies can transfer PI outside of China by signing a “Standard Contract” with the overseas recipient of the data – a much simpler procedure than the other options as it does not require an external audit.
The Guidelines are the final pieces in the puzzle. Under the SC Measures, data controllers are required to file the executed SC and a Personal Information Protection Impact Assessment (PIPIA) with the local CAC office within ten working days from the effective date of the executed SC. However, beyond those high level requirements, the SC Measures lacked further details as to the process and other documentary requirements. These gaps were now addressed in the Guidelines, for instance, which companies are eligible for this mechanism, the requirements for additional procedures – such as self-assessments, and the requisite contents of the contract itself.
The key elements of the Guidelines are summarized here.