On 30 May 2023 — just two days before the Measures on Standard Contracts for Outbound Cross-Border Transfers of Personal Information (“SC Measures”) took effect and started requiring certain handlers of personal information (“PI”) from China to enter into mandatory “standard contracts” with the overseas recipients of such PI — the Cyberspace Administration of China (“CAC”) published the Guidelines for Filing Standard Contracts for Outbound Cross-Border Transfers of Personal Information (“SC Filing Guidelines”), which aim to clarify certain uncertainties and fill relevant gaps under the SC Measures.
In particular, the SC Filing Guidelines offer guidance to PI handlers in China regarding the detailed documentation, procedures, and timeline requirements that they will need to satisfy when handling the standard contract filings required under the SC Measures (“SC Filings”). A summary of the key takeaways from the SC Filing Guidelines is provided below.
Who is entitled to transfer PI offshore via standard contracts?
The Personal Information Protection Law of the People’s Republic of China (“PRC PIPL”) offers three potential methods for PI handlers in China to transfer PI to offshore recipients:
(1) passing a CAC-led “security assessment”, which, generally speaking, involves a robust and substantive (and therefore, burdensome) review and approval process with the CAC;
(2) obtaining a “personal information protection certification” from a specialized body designated by the CAC, a process which is still subject to considerable uncertainty;[1] or
(3) executing standard contracts with relevant overseas recipients of relevant PI, which must essentially follow the terms under the Standard Contract template issued by the CAC. This standard contract approach is envisioned as being a less burdensome path to legally transferring PI to overseas recipients in the case of qualifying PI handlers.[2]
