Interpretation of Contract Measures and Filing Guidelines for Personal Information Exit Standards

2023 06/27

The "Standard Contract Measures for the Exit of Personal Information" (hereinafter referred to as the "Measures") officially came into effect on June 1, 2023. On May 30, 2023, the National Cyberspace Administration issued the "Guidelines for the Filing of Personal Information Exit Standard Contracts (First Edition)" (hereinafter referred to as the "Guidelines"). The Measures and Guidelines provide clear guidance for personal information processors to provide personal information overseas by signing standard contracts.


At present, there are three ways for personal information processors to provide personal information overseas: (1) through security assessments organized by the national network information department; (2) Certified by a professional organization for personal information protection; (3) Sign a contract with the recipient in accordance with the standard contract formulated by the national network information department. The three kinds of personal information exit routes have different application conditions. The provision of personal information overseas by signing a standard contract must also meet the conditions of "subject+quantity", that is, the personal information processor is not the operator of key Information infrastructure, and has handled less than 1 million personal information. Since January 1 of last year, less than 100000 people have provided personal information overseas accumulatively, and less than 10000 people have provided sensitive personal information overseas accumulatively since January 1 of last year. At the same time, it should be noted that measures such as quantity splitting should not be taken, and personal information that should pass the exit security assessment according to law should be provided overseas through the establishment of standard contracts.


According to the provisions of the "Measures" and "Guidelines", if a personal information processor provides personal information overseas by signing a standard contract, it should first determine whether the exit route is applicable based on the "subject+quantity" condition; Secondly, conduct a personal information protection impact assessment, including identifying risk sources and assessing the likelihood of security incidents, analyzing the impact of personal rights and interests and determining the degree of impact, and conducting a comprehensive assessment of personal information protection risks. Finally, draw conclusions on the impact assessment of outbound activities and form a personal information protection impact assessment report; Once again, strictly follow the standard contracts formulated by the network information department to sign contracts with overseas recipients; Finally, within 10 days from the effective date of the standard contract, the standard contract and personal information protection impact assessment report shall be submitted to the online information department for filing. After the filing is approved, personal information exit activities shall be implemented.


The Guidelines stipulate two types of filing outcomes: pass and fail, which means that in addition to formal review, regulatory authorities may conduct substantive reviews of standard contracts and personal information protection impact assessment reports. Personal information processors should try to avoid "preemptive behavior" and carry out personal information outbound activities after the standard contract takes effect and is filed. If the personal information outbound activities carried out before the effective date of the Measures do not comply with the provisions of the Measures, rectification should be completed by December 31, 2023. If a personal information protection event occurs due to the failure to properly fulfill various obligations stipulated in the Personal Information Protection Law, or if regulatory authorities believe that there is a significant risk of relevant personal information outbound activities, the enterprise may not only be interviewed by relevant departments, but also bear various responsibilities stipulated in laws and regulations such as the Personal Information Protection Law.