On February 24, 2023, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (“Measures”) (only available in Chinese here), including a template contract (“Standard Contract”) accompanying the Measures.  The Measures will take effect on June 1, 2023, but are subject to a 6-month grace period to allow companies time to bring their activities into compliance.

The finalization of the Measures marks another important step forward in the establishment of China’s cross-border data transfer framework.  With implementing rules for all three lawful transfer mechanisms now in place, China appears to be entering into a new phase where cross-border transfer activities will be more closely regulated and enforcement actions are more likely to arise for non-compliance. 

Background on Cross-Border Transfer Mechanisms in China

China’s Personal Information Protection Law (“PIPL”) sets out three legal mechanisms that organizations with operations in China may rely upon to transfer personal information out of China: (1) undergo a CAC-administered security assessment; (2) enter into the Standard Contract with the recipient outside of China; or (3) obtain a certificate from a CAC-recognized professional organization.  While all three of these mechanisms are generally available to organizations processing personal information under the PIPL, those that transfer “important data,” or are designated as Critical Information Infrastructure (“CII”) operators, or otherwise are processing or transferring certain threshold volumes of personal information, must file for the CAC-administered security assessment.

Thus far, many companies across a range of sectors have filed their security assessment applications with the CAC (as the 6-month grace period for such filings ends on March 1, 2023), and the CAC has now begun reviewing the applications submitted.  By contrast, there have been no reported examples of companies seeking to obtain a certification from a CAC-certified body, as the rules are still evolving on how exactly this will work in practice.

With the rules implementing the Standard Contract now finalized, companies that are not required to file a security assessment application will need to decide to either adopt the Standard Contract or obtain a certification for their cross-border transfers.

Comparison of the Draft and Final Versions

At a high level, the final version of the Measures and the Standard Contract track closely with the draft version published in June 2022 (see our blog post on that draft here), but there are some noteworthy changes, including:

  • emphasizing that companies cannot circumvent the CAC-administered security assessment by simply “segregating” their cross-border transfers so that the total volume of personal information transferred does not reach the statutory threshold (Measures, Article 4);
  • strengthening the draft’s language requiring that the cross-border data transfer agreement not deviate from the Standard Contract.  While the draft version only specified core terms that must be included in a transfer agreement, the final version now explicitly states that no substantive deviation is allowed and that only the CAC has the right to adjust the Standard Contract as needed.  While it is possible for parties to add terms to the agreement, such terms must not conflict with the terms in the Standard Contract (Measures, Article 6); and
  • specifying two scenarios in which a company is required to supplement, revise or enter into a new transfer contract – namely, when: (1) the purpose, type, scope, sensitivity or other key aspects of the transferred personal information are changed; or (2) the laws or regulations governing personal information protection change in the jurisdiction where the transfer recipient is located.  Further, in the event of such changes to the transfers, the company must complete a new data protection impact assessment (“DPIA”) and re-file it with the CAC (Measures, Article 8).

As for the template Standard Contract, some noteworthy changes to the final terms include:

  • requiring the recipient of the personal information outside of China to respond to requests from Chinese authorities regarding their personal information processing activities (Standard Contract, Article 2.7);  
  • requiring the recipient of personal information outside of China to immediately inform the data exporter if it receives a request from the authorities in the jurisdiction where it is located to disclose the transferred personal information (Standard Contract, Article 4.6); and
  • removing a provision from the draft version stating that the overseas recipient may charge data subjects if they make unreasonable or burdensome requests.

Finally, the Measures state that if and when the CAC discovers major risks involved in a company’s transfer activities or a security incident occurs, it can “summon” the company and ask it to rectify its conduct and eliminate risks (Measures, Article 11). 

With the finalization of all three transfer mechanisms under PIPL, we expect enforcement actions arising from the cross-border transfer rules to start gradually, and companies will need to carefully calibrate their privacy compliance programs in the coming months to address these regulatory requirements.   

Yan Luo


With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Nicholas Shepherd


Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Xuezi Dan


Xuezi Dan is an associate in the firm’s Beijing office. Her practice focuses on regulatory compliance, with a particular focus on data privacy and cybersecurity. Xuezi helps clients understand and navigate the increasingly complex privacy regulatory issues in China.

She also has experience advising clients on general corporate and antitrust matters.