A MoFo Privacy Minute Q&A: China PIPL Edition (Issue 3)

This is issue #3 of A MoFo Privacy Minute Q&A: China PIPL Edition, where we answer questions about China’s Personal Information Protection Law (PIPL) in sixty seconds or less.

Question: Has China’s Standard Contract been finalized and what should I know about it?

Answer: The PIPL has adopted an approach similar to GDPR, allowing exports of personal information (PI) to be undertaken in eligible cases if the PI handler (broadly akin to a “controller” in GDPR parlance) enters into a PI export contract in a government-stipulated form (Standard Contract) with the overseas recipient.

In February 2023, sixteen months after PIPL came into force, the Cyberspace Administration of China (CAC) published the Standard Contract and related measures (Measures) in their final form. CAC has now also issued a guide concerning the process and documentary requirements for filing the Standard Contract. The Standard Contract mechanism came into operation on June 1, 2023, with a six-month grace period for compliance concerning ongoing PI exports, meaning that PI handlers have until November 30, 2023 to comply with the Measures governing PI export relationships already in place prior to June 1, 2023.

While modeled on the EU SCCs, the Standard Contract departs from the EU’s Standard Contractual Clauses (EU SCCs) in various respects:

• The Standard Contract mechanism is not available if the activities of the PI handler trigger the requirement for a security assessment. This means that PI handlers wishing to use this mechanism must meet all of the following conditions:

a) the PI handler is not an operator of critical information infrastructure;

b) the aggregate volume of PI handled by the PI handler does not exceed PI of one million individuals;

c) the volume of PI that the PI handler has transferred abroad since January 1 of the previous year does not exceed PI of 100,000 individuals; and

d) the volume of sensitive PI that the PI handler has transferred abroad since January 1 of the previous year does not exceed sensitive PI of 10,000 individuals.

• The Standard Contract mechanism applies only to those PI exports undertaken by a PI handler and therefore applies to controller-to-controller and controller-to-processor transfers but not to processor-to-controller or processor-to-processor transfers. In contrast, the EU SCCs have clauses applicable to all four modules. This is consistent with PIPL’s overall approach, placing the burden almost exclusively on PI handlers to assure compliance with PIPL.

Visit our newly launched China Privacy and Data Security Resource Center to stay up to date on legal and business analysis related to the latest China privacy and data topics. Explore our Privacy + Data Security page for additional information from our Privacy Library and Resource Centers for Cybersecurity, U.S. State Privacy Laws, and the GDPR + European Privacy.