2022年6月30日, 国家网信办发布了《个人信息出境标准合同规定(征求意见稿)》。千呼万唤始出来, 该规定对应《个人信息保护法》第三十八条规定的个人信息出境条件之一, 为企业落实个人信息出境义务提供了明确指引。通力数据合规团队针对个人信息出境标准合同的适用范围和重点内容重磅推出双语法评, 中文版请见【《个人信息出境标准合同规定(征求意见稿)》重点速览】。
On 30 June 2022, the Cyberspace Administration of China (CAC) released the long-awaited draft of Personal Information Export Standard Contract (Exposure Draft) (the “SC Draft”). Deriving from article 38 of the Personal Information Protection Law (the “PIPL”), the SC Draft elaborates on one of the three personal information export mechanisms, which is expected to be frequently used by MNCs for data export. This briefing focuses on the application scope and key points of the SC Draft.
1、The last missing piece to the personal information export puzzle
Measures on Data Export Security Assessment
(Exposure Draft) (the “Data Export Draft”), Practice Guidelines for Cyber Security Standards – Technical Specifications for Certification of Cross-Border Processing of Personal Information, and the SC Draft respectively elaborates on the three mechanisms stipulated by article 38 of the PIPL, which are (1) assessment, (2) certification, and (3) standard contract. Below we prepared a flow chart for identifying which mechanism to apply:
2、Scope of application
Consistent with the preconditions and thresholds stipulated in the Data Export Draft, the SC Draft limit the use of Standard Contract to a Personal Information Processor that:
(1) is not a Critical Information Infrastructure Operator,
(2) processes personal information of less than 1 million individuals,
(3) has not exported personal information of more than 100,000 individuals cumulatively since 1 January of the preceding year, and
(4) has not exported sensitive personal information of more than 10,000 individuals cumulatively since 1 January of the preceding year.
3、Nine clauses
The SC Draft also provides a 16-page and 9-clause Standard Contract Provisions (the “SC Template”). Because the SC Template is not mandatory, companies are allowed to draft their own standard contracts and prepare bilingual versions, as long as they do not contradict the SC Template.
The nine clauses basically reflect the provisions in the PIPL and Information Security Technology Personal Information Security Specifications. The key terms include:
4、Nexus with other data export contracts
Although the SC Draft stipulates that, entities which meet the four conditions may transfer personal information abroad by signing the standard contract, it does not waive the condition of signing data export contracts in other circumstances of personal information export. Entities still must sign data export contracts if they (1) undergo the government-led personal information security assessment; or (2) undergo the personal information protection certification.
5、Calculation of personal information amount
Article 4 of the Data Export Draft stipulates that personal information processors: (1) who process personal information of more than 1 million individuals; or (2) accumulatively provide personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals abroad, need to apply for the government-led security assessment. The Data Export Draft does not specifically explain how to define “processing 1 million individuals’ personal information”, or how to define “accumulatively”. As a helpful clarification, the SC Draft stipulates in article 4 that “January 1 of the preceding year” should be the starting point for accumulative calculation. This provision narrows down the time range for calculating the number of individuals involved in outbound data, and adopts rolling calculation principle. As a result, if the Data Export Draft does not make amendments or explanations to the calculation mechanism accordingly, it will cause contradiction. For example, if the number of individuals involved in outbound data since January 1 of the preceding year has reached 80,000, and the number of individuals involved in the outbound data since January 1 of the year before the preceding year was 90,000, the company may adopt the standard contract mechanism for data export according to the SC Draft. However, the number of individuals accumulated has reached 170,000, which triggers the threshold for government-led security assessment according to the Data Export Draft. We expect that the formally effective Personal Information Export Standard Contract will resolve this contradiction by taking a unified position.
Highlight of Draft Personal Information Export Standard Contract
作者:DavidPan SusanDeng ShanaSha来源:通力律师事务所

2022年6月30日, 国家网信办发布了《个人信息出境标准合同规定(征求意见稿)》。