On May 30, 2023, the Cyberspace Administration of China (the “CAC”) released the Guidance on Filing Standard Contract for the Cross-Border Transfer of Personal Information (First Edition) (the “Filing Guidelines”). The Filing Guidelines provide operational guidance for enterprises planning to provide personal information from China to overseas recipients by entering into standard contracts and marks the formal opening of the door to personal information export through standard contracts.
As the third compliance path for cross-border personal information transfer, in addition to CAC data export security assessment and personal information protection certification, the standard contract attracts widespread attention due to its wider applicability and more flexible implementation compared to the route of certification. The previously introduced Measures on Standard Contract for the Cross-Border Transfer of Personal Information (the “Measures”) only made principled provisions on the filing and personal information protection impact assessment (“PIA”) that needs to be submitted together with the filing. For the first time, the "Filing Guidelines" have clarified the details of these two steps.
To the slight surprise of expectations, there is a possibility that the filing may not pass, and the personal information protection impact assessment has not been substantially simplified compared to the data export self-assessment associated with the data export security assessment. Both of these have raised concerns among practitioners and relevant enterprises about the failure to pass the filing in a timely manner, which increased uncertainty of the continuity of cross-border personal information transmission based on standard contracts. Given that the Measures come into effect on June 1 stipulate a rectification period of 6 months, it is necessary for relevant enterprises to start preparations as soon as possible to avoid compliance risks arising from the failure to complete the signing and filing of standard contracts in a timely manner.
In our previous articles, we have analyzed the Measures and the key points of the standard contract. In this article, we will analyze the specific requirements outlined in the Filing Guidelines and combine our experience in data export security assessment projects to propose our observations and views on the issues that have not yet been addressed in the standard contract filing process.
Filing Requirements
Regarding the filing requirements for standard contracts, the Filing Guidelines further specify the following points based on Article 7 of the Measures:
Filing Time: Within 10 business days from the effective date of the standard contract
Filing Format: Submit written materials and electronic versions of the materials
Filing Authority: Provincial-level Cyberspace Administration where the personal information handler is located
Based on the practice of data export security assessments, the authority to receive personal information handlers usually will be the provincial CAC where the filing entity is registered. The electronic version of the materials usually refers to the editable document files on a CD.
Filing Process
Regarding the filing process for standard contracts, the Filing Guidelines divide the filing process into steps including applicant material submission, CAC material verification, CAC feedback of filing results, and applicant supplementation or re-filing. The related flowchart and key points are as follows:
1. PIA must be completed within 3 months before filing
In the template provided in the Filing Guidelines, the “Undertaking Letter” explicitly requires that the PIA should be completed within 3 months prior to the submission of filing, and no significant changes should occur until the filing.
Based on the practice of data export security assessments, when initially submitting filing materials, filing applicants usually can ensure that the PIA is completed within 3 months before the filing. However, if the filing applicant is required to supplement the materials, especially in the case of multiple rounds of supplementation, the time for submitting the filing materials may exceed the 3-month validity period. In such cases, the filing entity may need to conduct additional PIA work.
2. Time limit for filing review
According to the Filing Guidelines, after receiving the materials, the provincial-level Cyberspace Administration will complete the material verification within 15 working days and notify the personal information handler of the filing results. If the personal information handler is requested to supplement the materials, the personal information handler should submit the supplementary filing materials within 10 working days. The time for material verification for supplementation or re-filing is still 15 working days.
According to the above provisions, if a filing entity can pass the material verification at once, it can obtain the filing approval result within 15 working days. However, if supplementation of materials is required, it may take at least 40 working days to obtain the filing result. Based on current practices of data export security assessment, where companies are often required to supplement materials multiple times when submitting data export security assessments to the CAC, companies may need more time to obtain the filing result. Furthermore, filing entities may also need to consider extending the authorization period of the authorized agent appropriately.
3. Circumstances for Supplementing or Re-filing
The Filing Guidelines reaffirm the provisions of the Measures and state that if the following circumstances occur during the validity period of the standard contract, the personal information handler should conduct a new PIA, supplement or re-establish the standard contract, and fulfill the corresponding filing procedures:
There are changes in the purpose, scope, type, sensitivity, method, storage location of personal information provided to overseas recipients, or in the purposes and methods of personal information processing by the overseas recipients, or an extension of the period for retaining personal information overseas;
Changes occur in the personal information protection policies and regulations of the country or region where the overseas recipients are located, which may affect the rights and interests of personal information;
Other circumstances that may affect the rights and interests of personal information.
The Filing Guidelines further specify that if supplementary materials need to be provided, the personal information handler should submit the supplementary materials to the provincial-level Cyberspace Administration. If a new standard contract needs to be established, it should be re-filed. However, there is no clear boundary between circumstances requiring supplemental materials and the ones requiring re-fling of a new contract and it is also unclear whether enterprises have the discretion to make the judgment by themselves. Therefore further clarification may be needed.
Materials to be Submitted for Filing
Compared to Article 6 of the Measure, the Filing Guidelines further detail the materials that should be submitted for standard contract filing and provide corresponding templates, including:
Photocopy of the Unified Social Credit Code certificate;
Photocopy of the legal representative’s identity document;
Photocopy of the agent’s identity document;
Authorized power of attorney for the agent;
Letter of undertaking;
Standard contract;
PIA Report.
Regarding the aforementioned materials, the following key points are worth noting:
1. Simplification of Material Requirements
Compared to the Guidelines for Security Assessment of Cross-border Data Transfer (First Edition) issued by the CAC on August 31, 2022, the filing of standard contracts does not require application forms and other related supporting documents. However, since the Filing Guidelines still give the provincial-level Cyberspace Administration the discretion to conduct supplement inspections, it is not ruled out that enterprises submitting filings may still need to submit the required supporting documents in the future.
2. Third-Party Institutions Are Explicitly Required to Stamp the PIA report
In the filing material templates provided in the Filing Guidelines, the PIA report explicitly requires that if a third-party institution is involved in the PIA work, the basic information and participation in the assessment of the third-party institution should be stated, and the official seal of the third-party institution should be affixed on the relevant pages.
3. PIA Report Focuses on the Impact on Personal Information Rights and Interests
Compared to the Data Export Risk Self-Assessment Report Template provided in the Guidelines for Security Assessment of Cross-border Data Transfer (First Edition) issued by the CAC on August 31, 2022, the PIA Report Template provided in the Filing Guidelines has many similarities in terms of format and evaluation points. The core difference lies in the fact that the self-assessment for data exports focuses more on the impact of data exports on national security and public interests, while the PIA focuses on the impact on personal information rights and interests. Specifically, it includes:
Adding explanations regarding the processing of sensitive personal information and the use of personal information for automated decision-making;
Adding explanations regarding whether personal information is provided to third parties;
Adding explanations regarding how both parties ensure the implementation of standard contract clauses.
Considering that the assessment points and granularity of the PIA Report Template are similar to the Data Export Risk Self-Assessment Report Template, and no substantial simplification has been made, we recommend that enterprises planning to submit filings conduct comprehensive mapping and review of data processing activities and start arranging rectification in order to complete the filing by the deadline set in the Measure, which is November 30, 2023.
Our Observations and Perspectives
Although the release of the Filing Guidelines provides guidance and assistance for personal information handlers to carry out standard contract filing work in a standardized and orderly manner, combined with the practice of data export security assessments, the following issues still require clearance from the CAC in the subsequent filing process:
1. Can affiliated companies file jointly?
Regarding the outbound transfers of personal information between different entities within a group, whether it is permissible for one company, such as the holding company of the group in China, to file jointly is unclear in the Filing Guidelines and the Measures. Based on the practice of data export security assessments, whether different entities within a group can file jointly or must file separately needs to be determined based on the specific scenario, taking into consideration factors such as equity relationships, information system relationships, business relationships, data sharing, and data flow between these entities.
2. What is the relationship between the standard contract and IGDTA?
Multinational corporations (“MNCs”) often already have intra-group data transfer agreements (“IGDTA”) to facilitate cross-border data transfers within the group. These MNCs usually want to utilize existing IGDTA as much as possible or include the scenarios of providing personal information from China to overseas recipients into their existing IGTDA. However, according to the Measures, it is explicitly stated that the standard contract should be concluded strictly in accordance with the version published by the CAC. Therefore, the IGDTA cannot replace the standard contract for personal information cross-border transfers from China. As long as the content of the IGTDA and the provisions of the standard contract do not conflict, personal information handlers and overseas recipients can include the IGDTA as detailed in Appendix II of the standard contract or explicitly specify the scope and effectiveness of the standard contract for personal information cross-border transfers from China by referencing it in the IGDTA.
3. Can the entrusted party sign standard contracts?
China’s standard contracts do not differentiate versions based on the legal status of the contracting parties as data controllers or data processors such as the EU Standard Contractual Clauses. From the provisions of the standard contract, it appears that the contracting parties are limited to scenarios where the data provider within China is a personal information handler (i.e. a data controller under GDPR), and the recipient outside China is either a personal information handler or an entrusted party for processing personal information (i.e. a data processor under GDPR). However, based on our experience, CAC does not specifically distinguish whether the domestic provider is a personal information handler or an entrusted party for processing personal information in the application of data export security assessments. Moreover, in practice, there are often situations where the domestic entrusted party provides personal information to the overseas personal information handler (entrusting party) or the domestic entrusted party provides personal information to the overseas entrusted party and if it is not possible to sign a standard contract, it may result in non-compliant data transfers in such situations. Therefore, we take the view that in the case where the domestic provider acts as a entrusted party, it may still transfer data abroad by signing a standard contract with the overseas recipient.
4. Is the filing limited to formal review or can it involve substantive review? Will a failed filing affect the provision of personal information to overseas recipients?
The Filing Guidelines clearly state that the results of filing can be categorized as “passed” or “failed”, indicating that the regulatory authorities may conduct substantive reviews of the filing materials. However, for companies that fail to pass the filing, the Filing Guidelines do not specify what liabilities they may bear. According to Articles 6 and 7 of the Measures, filing is not a prerequisite for the effectiveness of the standard contract, and a personal information handler may transfer the data abroad upon the standard contract takes effect. However, the Measures do not clarify what liabilities the relevant enterprises will bear if they fail to pass the filing of standard contracts.
Considering that the reason for a failed filing may be a non-compliance with the PIA or the export contract does not meet the requirement of the Measures, which may constitute a violation of the Personal Information Protection Law, we take the view a failed filing could still result in termination of personal information export activities or other administrative penalties.
With the Measures coming into effect today, June 1, 2023, the countdown to the six-month rectification period has officially begun. From the perspective of the practice of data export security assessment, it takes a long time to carry out PIA work, conduct research and sort out data export information, prepare PIA reports, and negotiate with overseas recipients to sign standard contracts. Therefore, for enterprises that need to complete the filing of standard contracts, it is recommended to carry out relevant work as soon as possible to ensure the legal compliance of personal information export activities.
CAC Released Guidelines on China SCC Filing
作者:KevinDua KemengCai LianXu来源:汉坤律师事务所

On May 30, 2023, the Cyberspace Administration of China (the “CAC”) released the Guidance on Filing