China recently released its China Standard Contract for Export of Personal Information (China SCs), which are required to export any personal information (unless stricter rules apply such as critical information and/or large volume personal data). As the template is only in Chinese, we created this bilingual draft to assist in understanding its content and the obligations. Please note that the China SCs must be filed in Chinese, and it remains unclear whether the authorities will accept a bilingual version. However, in the hopes that this bilingual version can be filed, we have clarified within Annex II, that the Chinese version governs in the event of a discrepancy.
You may note several similarities to the EU/UK Standard Contractual Clauses, but also some significant differences, such as the requirement for Processors to notify the China authorities and individuals in the event of a breach, and the duty to follow Chinese authority requests as to that China data subject information stored abroad.
In addition to signing the SCs, the data exporter in China must also conduct/create a Personal Information Protection Impact Assessment (PIPIA) detailing, among other things, the necessity of exporting each piece of data, as well as the nature of the recipient jurisdictions data protection regime. The data exporter in China must file both the China SCs and PIPIA with the authorities within 10 working days from the effective date of the SCs and prior to the data export. This comes into effect June 1, 2023, except for prior exports, which have until December 1, 2023.
Katherine Fan also contributed to this article.