China: Measures for the standard contract for outbound transfer of personal information – part one
Managing IP is part of Legal Benchmarking Limited, 4 Bouverie Street, London, EC4Y 8AX
Copyright © Legal Benchmarking Limited and its affiliated companies 2024

Accessibility | Terms of Use | Privacy Policy | Modern Slavery Statement
Expert AnalysisLocal Insights

China: Measures for the standard contract for outbound transfer of personal information – part one

Sponsored by

Tahota logo.JPG
social-media-1635577 (1).jpg

In the first of a two-part series, Charles Feng, Lian Xue and Yifan Lu of Tahota outline the key features of China’s new measures for the cross-border sharing of personal information

On February 24 2023, the Cyberspace Administration of China (CAC) published the Measures for the Standard Contract for Outbound Transfer of Personal Information (the Measures). It also published its annexes of Standard Contract for Outbound Transfer of Personal Information (Standard Contract), which will be implemented from June 1 2023. The Measures were issued after the issuance of the Security Assessment Measures for Outbound Data Transfers in September 2022. The Measures, along with a security assessment and personal information protection certification, will be one of the three major approaches for the outbound transfer of personal information.

In comparison to the other two routes, the Standard Contract for personal information is widely regarded as having certain advantages. These include lower costs and an easier operation, with high reference and application value for enterprises with cross-border personal information transfers. In conjunction with the new Measures and the Standard Contract, there are the following key points that enterprises need to focus on in their compliance work for cross-border personal information transfer.

Salient features of the Standard Contract

Strict format contract

In comparison to previous drafts of the Measures and Standard Contract for public comments, the official version of the Standard Contract further restricted the autonomy of will. The domestic personal information processor and the overseas recipient must sign and perform in strict accordance with the terms provided by the CAC. In addition, only the CAC is authorised to amend and modify the Standard Contract. The Standard Contract of the Measures is complete and specific, covering various aspects including:

  • Basic information;

  • Obligations of personal information processors and overseas recipients;

  • Rights and obligations of subjects of personal information;

  • The relationship between laws and regulations of the receiving place and the performance of the Standard Contract; and

  • Remedies and liabilities for breach of contract.

In addition, the Measures clearly stipulate that enterprises must not make additional agreements or any other forms of documents that conflict with the terms of the Standard Contract.

Recordation of the Standard Contract

According to the Measures, personal information processors are required to file a recordal of the Standard Contract with their local cyberspace administration within 10 working days from the effective date of the Standard Contract. Compared to the security assessment, the application of the Standard Contract is ampler in terms of preparation time and simpler in terms of administrative procedures. For enterprises that meet the requirements of the Standard Contract, such a path is undoubtedly more convenient and flexible, which is an advantage.

Protection of rights of the owner of personal information

The Standard Contract embodies the rights and obligations of three parties, namely: the domestic personal information processor, the overseas recipient and the owner of personal information. The establishment of the Standard Contract between the domestic personal information processor and the overseas recipient as the contracting parties will have a direct impact on the rights of the owner of personal information. The Standard Contract provides the owner of personal information as:

  • A beneficiary, and

  • Authorised to sue the personal information processor and the overseas recipient directly.

The Standard Contract also facilitates litigation and remedies for the owner of personal information through joint and several liability clauses if infringement occurs.

Tahota would like to thank Jing-mei Luo for their contribution to the article.

more from across site and ros bottom lb

More from across our site

The group of lawyers, which includes seven IP partners, say they were impressed by ArentFox Schiff's wide-reaching experience
Andy Sherman, general counsel at Dolby Laboratories, says the company will continue to make GE Licensing’s patents available through existing pools
CMS, which represents Nestlé, had been told to respond to a cancellation action by February 12 but filed its response a day later
Keith Bergelt, CEO of the Open Invention Network, explains why AI technologies were not part of an update to its cross-licensing project
Kirkland & Ellis partners explain how they secured the dismissal of a patent case in which the other side had lied under oath
Managing IP understands the association had been considering other options, including Madrid or Vienna, after concerns were raised over Dubai’s positions on various rights
Chris Marando tells Managing IP that he's excited to work on PTAB matters at Perkins Coie, which recently hired another lawyer from his former firm
To mark Pride month, Darren Smyth, cochair of IP Out, says the legal profession must not forget that some members still face exclusion and hostility
Lawyers say the opening of the Milan central division this month is likely to boost the so far 'modest' activity in Italy
Sharon Urias tells us why she still has to explain the difference between copyright and trademarks
Gift this article