On May 30, 2023, one day before the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information (“Measures”) were scheduled to take effect, the Cyberspace Administration of China (“CAC”) released a first edition of its guidance on how organizations should complete the filing procedure for Standard Contracts (“CAC Guidance”). (See our prior blog posts on the Standard Contract here.)

In addition to underscoring that only companies which are not required to undergo a CAC-administered security assessment can rely on the Standard Contract as a transfer mechanism, the CAC Guidance provides more details on (1) the submission of documentation when filing the Standard Contract, (2) the decision on the submission and any supplementary requests, and (3) supplementing or re-filing the Standard Contract once it is approved and in effect, if necessary.

In the initial phase of filing the Standard Contract, the personal information processing entity (functionally equivalent to a data controller under the EU’s General Data Protection Regulation) must provide specific documents, which include the Standard Contract and a “Personal Information Protection Impact Assessment Report” that provides a detailed description of the transfers covered by the Standard Contract. To that end, the CAC’s guidance includes a template Standard Contract and Personal Information Protection Impact Assessment Report. Note that the template Personal Information Protection Impact Assessment Report requires a level of detail similar to that of the template self-assessment report on cross-border data transfer risks for companies subject to the security assessment. (See our prior blog post on the security assessment application here).

Upon receiving the required documentation, the provincial CAC has 15 working days to accept or reject the submission, and then must inform the personal information processing entity of its decision. If the submission is accepted, it will be assigned a record-filing number. If it is rejected, the provincial CAC will issue a notice of failure and may request supplementary information for further review, which the personal information processing entity must respond to within 10 working days.

The CAC Guidance notes that, once a Standard Contract is approved and in effect, situations may arise that warrant re-evaluation of the impact of transfers on personal information protection, and even an amendment or re-execution of the Standard Contract. Such cases may include, in particular, material changes to the purpose, scope, type, sensitivity, mode, storage location/period, or use of personal information by the Overseas Recipient, as well as changes to the personal information protection laws or policies of the Overseas Recipient’s jurisdiction. The personal information processing entity must warrant the authenticity of any submitted documents, and will bear legal consequences for the submission of any false materials.

(This blog post was written with contributions from Mingxin Liu.)

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Xuezi Dan

Xuezi Dan is an associate in the firm’s Beijing office. She focuses on regulatory compliance, with a particular focus on data privacy and cybersecurity. Xuezi helps clients understand and navigate the increasingly complex privacy regulatory issues in China and across major Asian jurisdictions. With the rapid revolution of artificial intelligence (AI) technology and regulatory framework, she advises on AI-related issues from development to implementation. She also has experience advising clients on general corporate and antitrust matters. Xuezi has advised leading companies in various industries, including technology, healthcare, automotive, and telecommunications.

Nicholas Shepherd

Nick Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the EU/UK General Data Protection Regulation (GDPR), ePrivacy Directive and its national implementing laws, EU/UK direct marketing laws, emerging state privacy laws in the United States, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border data transfers, data breach response, artificial intelligence, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements on transparency, consent, lawful processing, data sharing, and related issues.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick now leverages his multi-faceted legal background and international experience from the U.S. to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.