The Chinese Cyberspace Administration has announced the Standard Contractual Measures for the Export of Personal Data. The purpose of these measures, which will take effect on June 1, 2023, is to protect the interests and rights of individuals regarding their data and to regulate the export of personal data. The Measures set out the scope, conditions for conclusion and requirements for submission of the standard contract for the export of personal data abroad. They also provide specific guidelines for the transfer of personal data.
When providing personal data outside China, processors must enter into standard contracts with overseas recipients. Companies should pay attention to the combination of independent contracting and records management, as well as the combination of protection of rights and interests and risk avoidance, to ensure safe and free flow of data across borders. Processors of personal data that transfer such data abroad by signing a standard contract must also comply with certain conditions. For example, they must not operate critical information infrastructures and must have processed less than one million personal data – less than 100,000 data in the case of sensitive personal data – since January 1 of the previous year.
The measures clarify that processors must conduct a data protection impact assessment before transferring personal data abroad. The essential content of the assessment is also explained. They must also apply for registration with the local information department of the provincial network within ten working days of the standard contract coming into effect.