A Canadian Perspective on China’s New Standard Contract for Cross-Border Transfers of Personal Information
In recent years, governments and regulators across the globe have responded to rising privacy concerns by enacting rigorous frameworks to regulate cross-border transfers of personal information (“PI”). As we discussed in an earlier publication, China is one of the newer entrants to this regulatory scene, its Personal Information Protection Law (“PIPL”) having come into effect on November 1, 2021. PIPL outlines three alternative mechanisms through which exporters of PI may lawfully engage in cross-border transfers of PI from China to other jurisdictions: (i) undergoing a PI protection certification conducted by a specialized body, in accordance with the regulations of the Cyberspace Administration of China (“CAC”); (ii) passing a security assessment organized by the CAC; or (iii) concluding a CAC-approved standard contract with the foreign recipient of the PI.[1]
On February 24, 2023, the CAC released the final version of the Measures on Standard Contracts for the Export of Personal Information (the “Measures”), which set out the conditions and requirements that must be met for conducting cross-border transfers of PI under the standard contract mechanism. The Measures will take effect on June 1, 2023, with a six-month grace period for bringing existing transfers into conformity with the new requirements. In this blog, we provide an overview of what must be included in the standard contract, who is eligible to use this mechanism, which other steps they are required to take, and the potential sanctions that could apply for non-compliance. We will also compare China’s regime for cross-border transfers of PI with that of the EU, Canada, and Quebec.
What must be included in the standard contract?
As part of the Measures, the CAC has provided an attachment which contains a mandatory standard contract that must be entered into for cross-border transfers of PI.[2] Although parties are free to supplement the standard contract with additional clauses, the Measures provide that such clauses may not conflict with the standard contract itself.[3] It is worth noting that the CAC reserves the exclusive right to modify the standard contract where it considers this necessary.[4] The standard contract addresses important considerations such as the respective obligations of the PI exporter and recipient[5], the potential impact of the PI policies and regulations in effect in the country of the recipient[6], and the rights of the individuals whose PI is being transferred[7]. The standard contract must also include: (i) the contact information of both the exporter and the recipient; (ii) an appendix which sets out prescribed details pertaining to the PI processing, transfer, and storage[8]; (iii) the technical and management measures the recipient will take to protect PI[9]; and (iv) a mandatory dispute resolution clause[10].
Who is eligible to conduct cross-border PI transfers via standard contract?
Only entities engaged in PI processing of relatively limited scope will be able to leverage the standard contract as a PI transfer mechanism. An exporter must meet all of the following criteria:
not be a critical information infrastructure operator (a broad term covering entities operating in sectors of national security importance such as telecom, energy, finance, public service, etc.[11]);
process the PI of fewer than 1 million individuals;
have exported the PI of fewer than 100,000 individuals since January 1 of the previous year; and
have exported the sensitive PI of fewer than 10,000 individuals since January 1 of the previous year.[12]
PI exporters who do not qualify under these criteria will have to conduct cross-border transfers using other mechanisms mentioned above (e.g. obtaining a CAC-approved PI protection certification or passing a security assessment organized by the CAC).
Which other steps must be taken?
Prior to transferring PI via a standard contract, exporters must also conduct a “personal information protection impact assessment” (“PIPIA”). The PIPIA must take into account the following considerations:
the legality, legitimacy, and necessity of the purposes, scope, and methods of PI processing by the exporter and recipient;
the scale, scope, types, and degree of sensitivity of the PI exported and the potential risks to the rights and interests of individuals in PI that might arise;
the commitments of the foreign recipient with respect to the protection of PI, as well as whether the foreign recipient has the capabilities and has implemented management and technical measures to ensure the security of the exported PI;
the risks of PI being altered, destroyed, leaked, lost, or illegally used; and the effectiveness of the channels that individuals can use to protect their rights and interests in PI;
the impact of the PI protection policies and regulations of the foreign recipient's jurisdiction on the performance of the standard contract; and
other matters that might impact the security of exported PI.[13]
As per the standard contract, the PI exporter must retain the PIPIA report for at least three years.[14] The PIPIA may also need to be updated or redone if there are changes to the processing of exported PI, changes to policies and regulations in the recipient jurisdiction, or other situations that may impact the rights and interests of individuals in PI.[15]
What are the potential consequences for non-compliance?
Non-compliance with the Measures could result in significant sanctions under PIPL, including administrative fines of up to RMB 50 million (approx. CAD 10 million) or 5% of an organization’s turnover from the previous year.[16] The persons directly involved in a violation may also be held personally liable and subject to a fine of up to RMB 1 million (approx. CAD 200,000) as well as face restrictions from occupying certain management functions within the organization for a period of time. Furthermore, non-compliance can lead to mandatory suspension of operations until rectification and revocation of business permits or licences. In addition, in cases where the rights and interests of a large number of individuals are affected, violations can also lead to criminal charges and/or civil claims initiated by specified groups.[17]
Comparison with EU, Canada (Federal), and Quebec Regimes
In many ways, China’s approach to regulating cross-border transfers of PI echoes that of other jurisdictions. For instance, many of the clauses in China’s standard contract address similar concerns as the standard contractual clauses (“SCCs”) required under the EU’s General Data Protection Regulation (“GDPR”). However, while China’s standard contract deploys a one-size-fits-all approach to all data exports, the SCCs modulate the parties’ obligations depending on the roles of the parties, with separate modules for controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller transfers. Further, China’s Measures require the exporter to file the executed standard contract and the PIPIA report with the provincial-level cyberspace administration within ten working days of the standard contract’s effective date.[18] While the GDPR also grants regulatory bodies the right to request disclosure of the SCCs by the signing parties, it does not impose an upfront filing obligation.
In Canada, the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) is considerably less prescriptive than the Measures or the GDPR when it comes to cross-border transfers of PI. Rather than setting out specific mechanisms or clauses that must be used for cross-border transfers, it simply provides that an organization is “responsible for personal information in its possession” and “shall use contractual or other means to provide a comparable level of protection” when PI is being processed by a third party.[19] This rule applies regardless of whether the third party processor is located in Canada or in another country. The Office of the Privacy Commissioner (“OPC”) clarified in its Guidelines for processing personal data across borders that in the context of cross-border transfers, PIPEDA does not require “a measure by measure comparison by organizations of foreign laws with Canadian laws”, but does require organizations to “assess the risks that could jeopardize the integrity, security and confidentiality of [PI] when it is transferred to third party service providers operating outside of Canada”. The OPC further stated that organizations should ensure, notably through contractual commitments and audit rights, that third parties have effective policies, training, and security measures in place to properly safeguard PI at all times. Finally, organizations must be transparent about their PI processing practices by advising individuals of possible transfers of their PI to other jurisdictions. Note that PIPEDA will most likely be replaced in the near future by the Consumer Privacy Protection Act (“CPPA”), which is currently undergoing its second reading in the House of Commons. While the CPPA will still adopt a principle-based approach that draws from PIPEDA and the OPC’s guidelines, it will formulate the obligations in a stricter manner. 
For a more detailed description of the obligations under PIPEDA and the CPPA regarding transfers of PI, see our earlier post on this topic.
In Quebec, we find more prescriptive rules on cross-border transfers of PI that share more traits with the Chinese and European regimes than with the federal regime. Starting on September 22, 2023, unless the consent of the person concerned is obtained, organizations conducting business in Quebec will have to enter into written agreements prior to communicating PI to third party service providers in order to comply with new obligations introduced by Quebec’s Act to modernize legislative provisions as regards the protection of personal information (“Law 25”, formerly known as Bill 64). While Law 25 does not set out model clauses that must be used for transfers of PI in the cross-border context, it requires all written agreements for communications of PI to third party service providers (whether located in Quebec or elsewhere) to contain clauses requiring the latter to:
take specified measures to protect the confidentiality of the PI communicated;
ensure that the PI is used only for carrying out the mandate or performing the contract;
not keep the PI after the expiry of the mandate or contract;
notify the organization without delay of any violation or attempted violation by any person of any obligation concerning the confidentiality of the PI communicated; and
allow the organization to conduct any verification relating to confidentiality requirements.[20]
The requirements are stricter for communications of PI outside Quebec, including to other Canadian provinces. Not unlike what is required by China’s Measures, under Law 25, prior to communicating PI across Quebec’s borders, organizations will be tasked with carrying out privacy impact assessments (“PIAs”) that take into account:
the sensitivity of the information;
the purposes for which it is to be used;
the protection measures, including those that are contractual, that would apply to the communication; and
the legal framework applicable in the State to which the information would be communicated, including the PI protection principles applicable in that State.[21]
The communication may only occur if such PIAs establish that the PI concerned would receive adequate protection, in particular in light of generally recognized principles regarding the protection of PI. Further, organizations will have to disclose to individuals, at the time of collection and upon request, the possibility of their PI being communicated outside Quebec.[22]
Takeaways
With China’s Measures coming into effect on June 1, 2023, businesses with a presence in China that transfer any amount of PI from China to other countries must carefully review their processes and agreements to ensure that they comply with the new requirements. Importantly, the Measures contain requirements which are unique to China. Compliance with the GDPR or Law 25, which Canadian regulators have treated as the gold standard for privacy practices, will therefore not on its own suffice when exporting PI from China.
As the privacy regimes of multiple jurisdictions undergo important updates, companies with a presence in more than one jurisdiction must monitor the regulatory landscape closely and refine their policies, practices, and agreements accordingly in order to avoid significant monetary penalties and reputational risks. To learn more about how the Cyber/Data Group can assist you in navigating these requirements and effectively prepare you for compliance with overlapping cross-border data transfer regimes, please contact national co-leaders Charles Morgan and Daniel Glover for more information.
[1] PIPL, Article 38, unofficial English translation available at: https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/.
[2] Unofficial English translation of the standard contract available at: https://iapp.org/resources/article/chinas-standard-contractual-clauses-english-translation/.
[3] Measures, Article 6, unofficial English translation available at: https://www.chinalawtranslate.com/en/personal-information-export-contract/.
[4] Ibid.
[5] Standard contract, Articles 2 and 3.
[6] Standard contract, Article 4.
[7] Standard contract, Article 5.
[8] Standard contract, Appendix I.
[9] Standard contract, Article 2.5.
[10] Standard contract, Article 9.4.
[11] Cybersecurity Law of the People's Republic of China, Article 31, English version available at: https://digichina.stanford.edu/work/translation-cybersecurity-law-of-the-peoples-republic-of-china-effective-june-1-2017/.
[12] Measures, Article 4.
[13] Measures, Article 5.
[14] Standard contract, Article 2.8.
[15] Measures, Article 8.
[16] PIPL, Article 66.
[17] PIPL, Article 69.
[18] Measures, Article 7.
[19] PIPEDA, Principle 4.1.3.
[20] Law 25, Section 18.3.
[21] Law 25, Section 17.
[22] Law 25, Section 8.2.