The Cyberspace Administration of China (“CAC”) issued the Measures for Standard Contracts for Cross-border Transfer of Personal Information (the “Measures”) on February 24, 2023. The Measures provide a template of the standard contract and detailed explanations of the application scenarios, specific requirements and filing requirements of the standard contract for cross-border transfer of personal information (the “Standard Contract”).
Overseas banks may be involved in cross-border transfer of personal information, either through the transfer of personal information of employees within the group or through a loan project involving Chinese entities. Therefore, overseas banks need to pay close attention to the procedure for entering into a Standard Contract, in particular to the personal information protection impact assessment (the “PIA”) and the obligations of the overseas recipient.
I. Background of the Promulgation of the Measures
Article 38 of the Personal Information Protection Law stipulates two types of cross-border transfer of personal information: (1) where a personal information processor needs to transfer personal information outside of China for business purposes, it shall (a) complete a security assessment, (b) obtain personal information protection certification or (c) enter into a Standard Contract with the overseas recipient; and (2) where an international treaty or agreement concluded or acceded to by China provides for the conditions of cross-border transfer of personal information, such provisions may apply.
The Measures are the second set of specialized departmental rules for the implementation of the above provisions of the Personal Information Protection Law, following the Security Assessment Measures for Outbound Data Transfer. The Measures mainly provide a template of the Standard Contract and detailed explanations of the application scenarios, specific requirements and filing requirements.
II. Application Scenarios of the Standard Contract
In accordance with Article 4 of the Measures, in general, a personal information processor shall not transfer personal information outside of China by entering into a Standard Contract unless all of the following conditions are met:
- The personal information processor is not a critical information infrastructure operator
- The personal information processor has processed the personal information of fewer than one million individuals
- The personal information processor has transferred the personal information of fewer than 100,000 individuals cumulatively since January 1 of the preceding year outside of China
- The personal information processor has transferred the sensitive personal information of fewer than 10,000 individuals cumulatively since January 1 of the preceding year outside of China.
Therefore, entering into a Standard Contract is more suitable for small companies, or companies processing small volumes of data, that need to transfer personal information outside of China. As for overseas banks, they are generally not required to transfer large-scale data outside of China. Hence, the Standard Contract provides a suitable way for overseas banks to transfer personal information outside of China. In general, the application scenarios would be as follows:
- For the purpose of human resources management, overseas banks transfer or store the personal information of employees of their onshore branches outside of China, or give overseas headquarters access to the personal information of employees of their onshore branches stored within China
- In loan projects involving Chinese entities (for example, where the borrower is a Chinese entity, or the guarantor is a Chinese entity in the case of overseas loans under onshore guarantee), it is necessary for onshore branches to transfer the personal information of clients (such as the relevant information of legal representatives of the clients) to overseas branches.
III. Procedures for Entering into a Standard Contract
In accordance with the provisions of the Measures and our experience, onshore branches of overseas banks shall follow the steps below to transfer personal information to overseas entities:
- Confirming whether it can transfer the personal information by entering into a Standard Contract
According to Article 4 of the Measures, a personal information processor can transfer personal information outside of China by entering into a Standard Contract only if the four conditions are satisfied. In light of the application of the Security Assessment Measures for Outbound Data Transfer, if an enterprise is a critical information infrastructure operator or if it has processed a large amount of personal information, it shall apply for a security assessment for cross-border transfer of personal information. Hence, onshore branches shall first have an estimate of the amount of data to be transferred. If the requirements of Article 4 of the Measures cannot be satisfied, onshore branches cannot transfer personal information outside of China by entering into a Standard Contract.
- Conducting a personal information protection impact assessment
Article 5 of the Measures stipulates that the personal information processor shall conduct a PIA prior to transferring personal information outside of China. As the PIA is one of the key steps, we will analyze it in detail later.
- Negotiating and executing the Standard Contract based on the template
Article 6 of the Measures stipulates that the Standard Contract shall be concluded in accordance with the template. However, the parties may agree on other terms based on the Standard Contract which are not in conflict with the text thereof. For overseas banks, in common business scenarios, the provider of personal information would normally be the onshore branches. Since the onshore and overseas branches belong to the same group, we understand that there would generally be no disputes arising from the negotiation of Standard Contracts. Nevertheless, we would advise that the parties reach an agreement on the key provisions on the responsibilities and obligations of each party to avoid any disputes.
- Filing requirements
Article 7 of the Measures provides that the personal information processor shall, within 10 working days of the effective date of the Standard Contract, file the Standard Contract and the PIA report with the cyberspace administration at the provincial level of the place where it is located. In addition, if there is a change to the scope, type and period of the personal information to be transferred during the term of the Standard Contract, the personal information processor must re-conduct the PIA, re-sign the Standard Contract and re-file the Standard Contract with the cyberspace administration.
IV. Key Issues that Overseas Banks Need to Focus On
1. How to conduct a PIA
The PIA is an important step in the process of the cross-border transfer of personal information. At present, the documents that can be referred to when conducting a PIA are (1) the Information security technology—Personal information (PI) security specification, (2) the Information security technology - Guidance for personal information security impact assessment, which elaborates on the scenarios, framework, assessment process and specific implementation methods of the PIA, and (3) the Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comments), which clarifies the process, key factors and methods of the security assessment for personal information and data to be transferred outside of China.
According to the above documents, the onshore branches of overseas banks (as onshore personal information processors) must pay particular attention to the following five aspects when conducting a PIA: (i) processing purpose and legal basis, (ii) notification and consent, (iii) compliance risk for personal information processing in the data life cycle, (iv) response to personal rights, and (v) security measures.
The PIA process is mainly as follows:
- Selecting specific business scenarios that need to be assessed (for example, the cross-border transfer of personal information)
- Obtaining evidence about the five key aspects in the above scenarios through various research methods
- Comparing the evidence gathered from business scenarios with the requirements of the national documents
- Identifying and analyzing the specific risks involved in the above scenarios and assessing the potential harms of these risks to the rights and interests of the individual subjects of personal information
- Taking corresponding protection and control measures or improvement actions to address the risks based on the level of the risks.
Since the PIA is complicated, onshore branches of overseas banks may consider engaging external third parties (such as law firms and technical consultants) to assist in the PIA process. In addition, pursuant to Article 5 of the Measures, the PIA should also cover “the impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of the Standard Contract”. Consequently, it also depends on the coordination and cooperation of overseas lawyers to carry out an overall assessment of the overseas bank’s capabilities of protecting personal information and the policies and laws of the country or region where the overseas bank is located.
2. Obligations of the overseas recipient
In addition to the implementation of the PIA, the obligations of the overseas recipient are also key issues that overseas banks must pay attention to when transferring personal information outside of China.
Article 3 of the template of the Standard Contract provides the specific obligations of the overseas recipient, including the retention period of the personal information and deletion of personal information thereafter, adoption of technical and management measures such as encryption and anonymization, and the requirement that the overseas recipient agree to be supervised and managed by the CAC. Therefore, overseas banks must be fully aware of the obligations to be performed prior to the cross-border transfer of personal information. If some of the obligations cannot be fulfilled, overseas banks should reconsider the necessity of transferring personal information and whether there are other options.
Since overseas banks usually transfer personal information on a small scale, the implementation of the Standard Contract provides a suitable way for overseas banks to transfer personal information outside of China. It not only improves efficiency, but also clarifies the standards of the personal information protection obligations of the onshore personal information processor and the overseas recipient. In the process of cross-border transfer of personal information, overseas banks should focus on the implementation of the PIA and the obligations of the overseas recipient to ensure the compliance of the transfer process.