DeBund | Which Enterprises Can Lawfully Transfer Personal Information Abroad After Signing a Standard Contract?

Nearly a year after the Personal Information Protection Law was issued, the Cyberspace Administration has finally released the supporting Provisions on the Standard Contract for the Outbound Transfer of Personal Information (Draft for Comment) (hereinafter the "draft"). The draft and the attached standard contract address the anxiety of foreign-invested enterprises in China, and of their HR staff in particular, about legal liability for transferring employees' personal information abroad. That is what we discuss today.
2022-07-15 15:20:45

In August 2021, after the Personal Information Protection Law was promulgated, the cross-border transfer of personal information became a focus for enterprises. We have received many inquiries from foreign-invested companies about how to comply with the rules on outbound transfers of personal information. Their human resources departments are generally very anxious: foreign-invested enterprises employ Chinese employees and transfer employee information across borders to headquarters, and the legal liability for a violation is heavy, with a maximum fine of up to 50 million yuan or up to 5% of the previous year's turnover.

Therefore, in the same month the law was promulgated, we consulted the competent authorities: according to Article 38 of the Personal Information Protection Law, those who provide personal information abroad should sign a contract with the overseas recipient in accordance with the standard contract formulated by the competent authorities, so can the standard contract be provided? The response was that, with the business environment currently being optimized, the competent authorities are generally less likely to interfere with enterprises' cross-border transmission of employees' personal information.

My understanding was that the standard contract for outbound transfers of personal information was not yet ready. So we drew up compliance processes and legal texts for outbound transfers of personal information based on our own experience and understanding of the law. Although these were enough to solve clients' problems, as lawyers we still hoped for an official standard contract, because it would carry more authority. When we read the draft, the content of the standard contract and the procedures were basically what our lawyers had expected.

I. Which enterprises can transfer personal information abroad after signing a standard contract?

The draft works by exclusion: an enterprise that meets any one of the following four conditions cannot rely on the standard contract:

(1) Operators of critical information infrastructure. Critical information infrastructure refers to important network facilities and information systems in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, and defense science, technology and industry.

Operators of critical information infrastructure cannot transfer personal information across borders through standard contracts. In principle, they should store the personal information they collect in China locally; if it is truly necessary to transmit it abroad, they must pass the security assessment organized by the cyberspace administration department. For example, Didi, as China's largest mobility and transportation platform and an operator of the country's critical information infrastructure, must pass a security assessment and cannot directly transfer data across borders through standard contracts.

(2) Handling personal information of more than 1 million persons. In fact, the threshold of 1 million people is not high: many FMCG enterprises may have more than one million members simply from membership cards opened through a Tmall flagship store, so they cannot transfer personal information abroad by signing a standard contract. Their cross-border data transfers must instead meet the other conditions set out in the Personal Information Protection Law, such as a security assessment or certification.

(3) Providing overseas the personal information of a total of 100,000 persons since January 1 of the previous year. For example, Foxconn, a large manufacturing company that employs millions of people, cannot rely on a signed standard contract to transfer its employees' personal information out of China.

(4) Providing overseas the sensitive personal information of a total of 10,000 persons since January 1 of the previous year. Sensitive personal information refers to information such as biometrics, religious beliefs, specific identities, medical and health care, financial accounts and movements, as well as personal information of minors. This condition is aimed at sensitive industries: for example, if Tesla transfers the tracks of more than 10,000 vehicles abroad, it cannot rely on the standard contract for that transfer.

II. What does a standard contract include?

Article 6 of the draft prescribes the content of the standard contract, including the basic information of both parties, the purpose and scope of the outbound transfer of personal information, prior consent, the responsibilities and obligations for protecting personal information, and so on. It also makes clear that the contract must address the impact of the personal information protection laws and regulations of the overseas recipient's country on the standard contract. This is basically consistent with what Article 39 of the Personal Information Protection Law prescribes.

The draft for comments is accompanied by a standard contract template, which further clarifies the content of the contract terms. It is particularly important to note that the template explicitly requires overseas enterprises to accept the jurisdiction of Chinese law, which directly settles the question of applicable law that the two parties would otherwise have to negotiate.

III. Can the contents of the standard contract be amended?

Article 2 of the draft stipulates that when personal information is transferred abroad, the two parties should sign the standard contract, and that contracts for other activities related to the outbound transfer need not correspond verbatim with the standard contract, as long as they do not conflict with it. That is to say, on the face of the current draft, nothing says the standard contract may not be modified. The draft only requires that a standard contract be concluded for the outbound transfer of personal information; for other activities related to the transfer, the parties can adapt the terms to their specific situation, and the outer limit on modification is that the result must not conflict with the standard contract.

Even so, because the draft adopts a system that combines independent contracting with administrative filing, a contract still has to go through the filing procedure even after it has been signed. How strictly the filing process holds contracts to the standard contract will also determine how far the content of the standard contract can be revised.

IV. What should a personal information protection impact assessment include?

The draft stipulates that the contract and the personal information protection impact assessment report must be submitted for filing. Therefore, in addition to signing the standard contract, enterprises still need to carry out a personal information protection impact assessment in advance. The assessment focuses on:

(1) The legality, legitimacy and necessity of the purpose, scope and method of the outbound transfer of personal information;

(2) The quantity, scope, type and sensitivity of the personal information, and the risks that the outbound transfer may bring to individuals' rights and interests in their personal information;

(3) Whether the responsibilities and obligations undertaken by the overseas recipient, together with its management measures, technical measures and ability to fulfil those responsibilities and obligations, can guarantee the security of the outbound personal information;

(4) The risk of disclosure, damage, tampering and abuse of personal information after it leaves China, and whether the channels for individuals to safeguard their personal information rights and interests are unobstructed;

(5) The possible impact of overseas local personal information protection policies and regulations on compliance with the terms of the contract;

(6) Other matters.

In addition, the "Information Security Technology: Guidance for Personal Information Security Impact Assessment", the "Personal Information Security Specification" and the "Guidelines for Data Outbound Security Assessment (Draft)" also regulate the content, process and methods of assessment, and give enterprises a reference basis for carrying out the personal information protection impact assessment.

Finally, although it came a little late, the draft is indeed good news for most small and medium-sized enterprises that need to transfer personal information abroad lawfully, because it resolves the problem that arose after the Personal Information Protection Law was promulgated: heavy legal liability for cross-border transfers of personal information, but unclear supporting regulations. It also gives our lawyers a more authoritative basis when providing compliance services to enterprises.