The Cyberspace Administration of China (“CAC”) released the Measures for Standard Contracts for Cross-border Transfer of Personal Information (the “Measures”) on February 24, 2023. The Measures provide a template of standard contract and detailed explanations on the application scenarios, specific conditions and filing requirements of the standard contract for cross-border transfer of personal information (the “Standard Contract”).

Overseas banks may involve in cross-border transfer of personal information either through transfer of personal information of employees within the group or a loan project involving Chinese entities. Therefore, overseas banks need to pay close attention to the procedure of entering into a Standard Contract, in particular to the personal information protection impact assessment (the “PIA”) and the obligations of the overseas recipient.

I. Background of the Promulgation of the Measures

Article 38 of the Personal Information Protection Law stipulates two types of cross-border transfer of personal information: (1) where a personal information processor needs to transfer personal information outside of China for business purpose, he shall complete (a) a security assessment, (b) personal information protection certification or (c) enter into a Model Contract with the overseas recipient, and (2) where an international treaty or agreement concluded or acceded to by China provides for the conditions on cross-border transfer of personal information, such provisions may apply.

The Measures are the second set of specialized departmental rules for the implementation of the above provisions of the Personal Information Protection Law, following the Security Assessment Measures for Outbound Data Transfer. The Measures mainly provide a template of the Model Contract and detailed explanations on the application scenarios, specific conditions and filing requirement.

II. Application Scenarios of the Standard Contract

In accordance with Article 4 of the Measures, generally, a personal information processor shall not transfer personal information outside of China by entering into a Standard Contract unless all of the following conditions are met:

1. The personal information processor is not a critical information infrastructure operator;
2. The personal information processor has processed the personal information of less than one million people;
3. The personal information processor has transferred the personal information of less than 100,000 people cumulatively since January 1 of the preceding year outside of China;
4. The personal information processor has transferred the sensitive personal information of less than 10,000 people cumulatively since January 1 of the preceding year outside of China.

Therefore, it is more suitable for small companies or the companies processing small-volume data to transfer personal information outside of China by entering into a Standard Contract. Regarding to overseas banks, generally overseas banks are not required to transfer large-scale data outside of China. Therefore, the Standard Contract provides a suitable way for overseas banks to transfer personal information outside of China. In general, the application scenarios would be as follows:

1. For the purpose of human resources management, overseas banks transfer or store the personal information of employees of its onshore branches outside of China, or give overseas headquarters access to the personal information of employees of its onshore branches stored within China;
2. In loan projects involving Chinese entities (for example, the borrower is a Chinese entity, or the guarantor is a Chinese entity in the case of overseas loans under onshore guarantee), it is necessary for onshore branches to transfer the personal information of clients (such as the relevant information of legal representatives of the clients) to overseas branches.

III. Procedures of Entering into a Standard Contract

In accordance with the provisions of the Measures and our experience, onshore branches of overseas banks shall follow the following steps to transfer personal information to overseas entities:

1. Confirming whether it can transfer the personal information by entering into a Standard Contract

   According to Article 4 of the Measures, a personal information processor can only transfer personal information outside of China by entering into a Standard Contract only if the four conditions are satisfied. In light of the application of the Security Assessment Measures for Outbound Data Transfer, if an enterprise is a critical information infrastructure operator or if it has processed a large quantity of personal information, it shall apply for a security assessment for cross-border transfer of personal information. Therefore, onshore branches shall first have an estimate of the quantity of data to be transferred. If the requirements of Article 4 of the Measures cannot be satisfied, onshore branches cannot transfer personal information outside of China by entering into a Standard Contract.

2. Conducting personal information protection impact assessment

   Article 5 of the Measures stipulates that the personal information processor shall conduct a PIA before transferring personal information outside of China. As the PIA is one of the key steps, we will analyze it in detail later.

3. Negotiating and executing the Standard Contract based on the template

   Article 6 of the Measures stipulates that the Standard Contract shall be concluded in accordance with the template. However, the parties may agree to other terms based on the Standard Contract which are not in conflict with the text thereof. For overseas banks, in common business scenarios, the provider of personal information would normally be the onshore branches. Since the onshore and overseas branches belong to the same group, we understand that there would normally be no disputes arising from the negotiation of Standard Contracts. Nevertheless, we would suggest that the parties should reach to an agreement about the important provisions on the obligations and responsibilities of each party to avoid any disputes.

4. Filing requirements

   Article 7 of the Measures provides that the personal information processor shall, within ten working days of the effective date of the Standard Contract, file the Standard Contract and the PIA report with the cyberspace administration at the provincial level of the place where it is located. In addition, if there is a change to the scope, type and term of the personal information to be transferred during the term of the Standard Contract, the personal information processor must re-conduct the PIA, re-sign the Standard Contract and re-file the Standard Contract with the cyberspace administration.

IV. Key Issues that Overseas Banks Should Focus On

1. How to conduct a PIA

The PIA is an important step in the process of the cross-border transfer of personal information. At present, the documents that can be referred to when conducting a PIA are (1) the Information security technology—Personal information (PI) security specification, (2) the Information security technology-Guidance for personal information security impact assessment, which elaborates on the scenarios, framework, assessment process, and specific implementation methods of the PIA, and (3) the Information Security Technology- Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comments), which clarifies the process, key points and methods of the security assessment for personal information and data to be transferred outside of China.

According to the above documents, the onshore branches of overseas banks (as onshore personal information processors) should pay special attention to the following five aspects when conducting a PIA: (i) processing purpose and legal basis, (ii) notification and consent, (iii) compliance risk for personal information processing in the data life cycle, (iv) response to personal rights, and (v) security measures.

The PIA process is mainly as follows:

1. Selecting specific business scenarios that need to be assessed (for example, the cross-border transfer of personal information);
2. Obtaining evidence about the five key aspects in the above scenarios through different research approaches;
3. Comparing the evidence collected from business scenarios with the requirements of the national documents;
4. Identifying and assessing the specific risks involved in the above scenarios and analyzing the potential harms of such risks to the rights and interests of the individual subjects of personal information;
5. Taking corresponding security and control measures or improvement measures to address the risks based on the level of the risks.

   Since the PIA is complicated, onshore branches of overseas banks may consider engaging external third parties (such as law firms and technical consultants) to assist in the process of the PIA. In addition, pursuant to Article 5 of the Measures, it should also include “the impact of the personal information protection policies and laws of the country or region where the overseas recipient is located on the performance of the Standard Contract” in the PIA. Therefore, it also relies on the coordination and cooperation of overseas lawyers to conduct an overall assessment of the overseas bank’s capabilities of protecting personal information and the regulations and laws of the country or region where the overseas bank is located.

2. Obligations of the overseas recipient

In addition to the implementation of the PIA, the obligations of the overseas recipient are also the key issues that overseas banks should pay attention to when transferring personal information outside of China.

Article 3 of the template of the Standard Contract provides the specific obligations of the overseas recipient, including the retention period of the personal information and deletion of personal information thereafter, adoption of technical and management measures such as encryption and anonymization, and the requirement of the overseas recipient to agree to be supervised and managed by the CAC. Therefore, overseas banks should be fully aware of the obligations to be performed before the cross-border transfer of personal information. If some of the obligations cannot be fulfilled, overseas banks should reconsider the necessity of transferring personal information and whether there are other alternatives.

V. Conclusion

Since overseas banks usually transfer personal information on a small scale, the implementation of the Standard Contract provides a suitable way for overseas banks to transfer personal information outside of China. It not only improves the efficiency, but also clarifies the standards of the personal information protection obligation of the onshore personal information processor and overseas recipient. In the process of cross-border transfer of personal information, overseas banks should focus on the implementation of the PIA and the obligations of overseas recipient to ensure the compliance of the transfer process.