On February 24, 2023, the Cyberspace Administration of China published the
Measures for the Standard Contract for Outbound Cross-border Transfer of Personal
Information (the “Measures”), effective on June 1, 2023.
The Personal Information Protection Law of China (the “PIPL”) establishes fou
compliance paths for the outbound transfer of personal information, namely: (1) through
the security assessment organized by the Cyberspace Administration; (2) Pass the
protection certification of professional institutions; (3) Sign the standard contract
formulated by the Cyberspace Administration; (4) Comply with other conditions stipulated
by laws, administrative regulations or the provisions of Cyberspace Administration.
The promulgation of the Measures make it possible for personal information processors
to comply with PIPL by signing the standard contract on the outbound cross-border
transfer of personal information.
Content of the Standard Contract
A personal information processor and the overseas recipient of the information shall
execute the contract in strict accordance with the content of the standard version- the
annex of the Measures.
The parties may agree on additional or supplementary terms, provided that such terms
must not conflict with the terms of the standard version.
Applicability
The standard contract is applicable in the following scenarios:
1. non-CIIO;
2. the processor is processing personal information of less than 1 million people;
3. providing personal information of less than 100,000 people abroad since January 1 of
the previous year;
4. providing personal information of less than 10,000 sensitive personal information
since January 1 of the previous year;
Recordation
A personal information processor shall file a record with cyberspace administration
authority the Standard Contract together with a personal information protection impact
assessment report within 10 working days from the effective date of an executed
Standard Contract.
Deadline for compliance
The Measures shall come into force on June 1, 2023. For the outbound data transfer act
prior to the effective date, there is a rectification period of six months ending on Dec. 1,
2023 (inclusive)