On May 30, 2023, the Cyberspace Administration of China (CAC) published a guide for the registration of the Standard Contract for Personal Data Export, which explains the process, materials and results of the registration of the Standard Contract for Personal Data Export and provides some template for the registration of materials. The Standard Contract Measures for the Export of Personal Data became effective on June 1, 2023.
If the notification is approved, the provincial cyberspace authority issues a notification number. If the notification is not approved, the authority will ask for supplementary documents. The filing schedule is as follows: First, companies should identify the personal data that may be exported after signing a standard contract. Then, they must conduct a Personal Information Security Impact Assessment (PIA), which is required for the cross-border data transfer. If the PIA is not accepted by the authority, the issues must be addressed until the PIA is passed. In addition, companies should sign the standard contract within two and a half months after passing the PIA. Finally, within 10 working days after the standard contract takes effect, they should submit all documents to the provincial cyberspace authority to apply for the registration of the standard contract.
According to this guidance, it remains unclear whether the Provincial Cyberspace Authority will conduct a formal review of materials or a substantive review based on the PIA. In addition, it is not yet made clear whether the rejection of the application will result in legal liability risks for the company and whether it will be allowed to continue exporting personal data after the rejection. Companies should pay attention to the timing of the various tasks involved in the standard contract notification and consider hiring external experts to smoothly pass the process and avoid legal risks.
China Intellectual Property Blog 