The Basic Contract Measures for Exporting Personal Information, which were adopted at the beginning of the year, have now been published, according to the Cyberspace Administration of China (CAC).
The CAC specifically emphasised that the procedures apply to personal information processors that share personal information with overseas recipients after signing a regular personal information export contract with them.
Specifically, the measures require the following standards to be met by personal information processors who transmit information overseas via standard contract: a) Be regarded as operators of non-critical information infrastructure; b) Process the personal data of fewer than one million individuals; c) Have transmitted the personal information of less than one hundred thousand people abroad since January 1 of the preceding year; and d) Have sent less than 10,000 individuals’ sensitive personal information abroad since 1 January of the prior year.
In addition, the provisions stipulate that personal information processors are required to complete a personal information impact assessment prior to sending personal information abroad, with assessments focusing on:
- The legality, legitimacy, and need of the purpose, extent, and manner of personal data processing by the personal data processor and abroad recipient;
- The extent, breadth, kind, and sensitivity of the personal data exported overseas, as well as the dangers the export of personal data poses to the rights and interests of data subjects;
- If the overseas receiver has agreed to fulfil the responsibilities, and if the management and technical measures and capacities to fulfil the obligations can guarantee the security of outgoing personal information;
- The possibility of personal data being tampered with, destroyed, leaked, lost, or illegally utilised in the third nation;
- The effect on the standard contract’s execution of the personal information protection laws and policies in the nation or region where the overseas receiver is situated;
- Other factors that may influence the protection of personal data.
In addition, the measures stipulate that personal information processors must reevaluate the security of personal information and augment or renegotiate the standard contract in the following circumstances:
- The purpose, scope, category, degree of sensitivity, technique, storage location, or purpose and method of processing personal information by an overseas recipient change, or the retention time is prolonged;
- The rights and interests of personal information may be impacted by modifications to the laws and regulations governing the protection of personal information in the nation or region where the overseas receiver is located;
- Other conditions impact the rights and interests of personal data.
The measure also stipulated that the cybersecurity and information technology department and its employees must maintain the confidentiality of, among other things, customer information, corporate secrets, and personal information. They must keep the information private and not divulge, provide, or use it in an unauthorised manner to anybody else while carrying out their legal obligations.
Additionally, any organisation or person who learns that personal information processors have violated these Measures by sending personal information abroad may file a complaint with the provincial-level or higher cybersecurity and information technology department.
Therefore, the cybersecurity and information technology department at or above the provincial level may conduct interviews with personal information processors in accordance with the law if it finds that there are relatively high risks in personal information export activities or personal information security incidents happen.
On the other hand, personal information processors should correct errors as needed to get rid of any potential threats.
Whoever breaches the conditions of these measures will be punished in accordance with the “Personal Information Protection Law of the People’s Republic of China” and other applicable laws and regulations; if a crime is committed, criminal responsibility will be examined in accordance with the law.
The CAC further specified that the measures take effect on 1 June 2023.