On February 22, 2023, the Cyberspace Administration of China issued the “Measures for the Standard Contract for the Outbound Transfer of Personal Information”, which will take effect on June 1, 2023 (the “Measures”). Per the Measures, it is required for the data processor in China and the overseas recipient to enter into a Standard Contract for the Outbound Transfer of Personal Information before transferring any personal information out of China.
The data processor shall also file the executed Standard Contract as well as a Personal Information Protection Impact Assessment Report to the Cyberspace the Administration within 10 days of the Standard Contract’s effective date.
Finally, all ongoing outbound transfers of personal information shall be brought into compliance within six months from the effective date of the Measures (i.e. by November 30 2023).
It is important that foreign invested companies in China take the time to review their internal data compliance activities and policies before the effective date of the Measures to avoid inadveretdly running afoul of the Measures. For example, email address are deemed as personal information in the Personal Data Protection Law, therefore introducing a party in China to a party overseas via email could be deemed as an outbound transfer of personal information.
We have prepared a China Data Protection FAQ to help you get started with this analysis, and regularly help clients audit and amend their data compliance practices and policies for compliance with all applicable laws in China.