Data exit 5·Compliance points of standard contract filing for personal information exit
Author Jie Hou team Jieyue Ran
The Introduction
With the vigorous development of digital economy, cross-border data circulation has become a trend. Cross-border data flow can promote the efficient, convenient and intelligent development of economic activities, and play an increasingly important role in international trade, global economy and other fields. At the same time, China continues to improve the data exit legislation, supervision continues to strengthen. Enterprises urgently need to establish a cross-border data compliance system to adapt to the development of the situation. Based on this, Hou Jie's team has written a series of articles aimed at helping enterprises build feasible and guiding cross-border data compliance programs to meet business needs and regulatory requirements.
01
Abstract
The six-month rectification period set by the Standard Contract Measures for Outbound Personal Information has ended on November 30, 2023. Enterprises engaged in cross-border transmission of Personal Information shall complete the corresponding rectification work in accordance with the provisions of the Standard Contract Measures for Outbound Personal Information. This paper will deeply analyze the impact of the latest Regulations on Regulating and Promoting Cross-border Data Flow (Draft for Public Comments) on the scope of application of standard contracts and the uniqueness of standard contract terms. At the same time, the rights and obligations of the personal information processor, the overseas recipient and the personal information subject are analyzed in detail. Then, the process of signing and filing standard contracts is introduced to ensure compliance operations. Finally, this paper briefly discusses the particularity of standard contract termination, and provides guidance for enterprises in practice. Through comprehensive interpretation and analysis, this paper aims to provide practical and targeted reference for enterprises to implement the Standard Contract Measures for Personal Information Outbound.
02
Scope of application and characteristics of standard contracts
(一)Scope of application
(1)Non-critical information infrastructure operators;
(2)handling personal information of less than 1 million people;
(3)providing personal information to less than 100,000 people overseas since January 1 of last year;
(4)providing sensitive personal information overseas to less than 10,000 people in total since January 1 of last year; Where laws, administrative regulations or the State network and information department provide otherwise, such provisions shall prevail.
It can be seen from the above provisions that the scope of application of standard contract filing is mainly related to the number of personal information outbound carried out by personal information processors, and the scope can be adjusted by laws, administrative regulations and the state network and information department.
The Measures for Data Exit Security Assessment will come into effect on September 1, 2022, the Notice on the Implementation of Personal Information Protection Certification will come into effect on November 4, 2022, and the Standard Contract Measures will come into effect on June 1, 2023. The formulation level of cross-border data transmission in China has been gradually improved, but many problems have also emerged after more than a year of practice. On September 28, 2023, the Provisions on Regulating and Promoting Cross-border Data Flow (Draft) (hereinafter referred to as the "Provisions") issued by the Cyberspace Administration of China exempted some personal information from the obligations of conducting security assessment, concluding standard contracts for personal information export, and passing personal information protection certification. The Provisions adjust the number of standard contracts applicable, raising the lower limit of application of standard contract filing to more than 10,000 personal information expected to be provided overseas within one year. However, the Provisions are still a draft for comments, and the rectification period stipulated in the Standard Contract Measures has expired on November 30. Many enterprises are faced with the problem that if according to the provisions of the Standard Contract Measures, standard contract filing should be carried out, but the standard contract filing requirement can be exempted according to the Provisions.
The author believes that according to the current practice, as well as the Opinions of The State Council on Further optimizing the environment for Foreign Investment and Increasing Efforts to Attract foreign investment, "explore a convenient data cross-border flow security management mechanism. We will implement the requirements of the Cyber Security Law, the Data Security Law and the Personal Information Protection Law, establish a green channel for qualified foreign-invested enterprises, efficiently carry out outbound security assessment of important data and personal information, and promote the safe, orderly and free flow of data. Support Beijing, Tianjin, Shanghai, the Guangdong-Hong Kong-Macao Greater Bay Area and other places to pilot and explore the formation of a freely flowing general data list, build service platforms, and provide compliance services for cross-border data flow in the process of implementing systems such as data exit security assessment, personal information protection certification, and standard contract filing for personal information exit. Optimizing the environment for foreign investment and facilitating the cross-border flow of personal information is a trend. Enterprises can actively communicate with local network and information departments to understand the latest regulatory developments. At the same time, enterprises can also do a good job in the preliminary preparation of standard contract filing, such as personal information protection impact assessment, etc. If received the filing requirements of the network information department, they can complete the filing in a relatively short time.
(二) Characteristics
1、Compulsory contract terms for supervision
The Standard Contract for Outbound Personal Information formulated by the Cyberspace Administration of China should not be understood as a separate contract, but as part of the business contract for cross-border transmission of personal information between domestic personal information processors and overseas recipients. The Standard Contract Measures clearly stipulates that the contract shall be concluded in strict accordance with the text formulated by the Cyberspace Administration of China. Other contract terms concluded by the personal information processor and the overseas recipient shall not conflict with the standard contract terms, and the conflict shall not include two aspects. On the one hand, the supplementary terms of the standard contract shall not conflict with the standard contract terms. Another aspect is that other legal documents signed by both parties shall not conflict with standard contract terms. Therefore, standard contract terms have state coercive power, mainly to impose obligations on personal information processors and overseas recipients, and have regulatory functions.
2、Third party of interest
The personal information subject is not the subject of the standard contract terms, and the personal information processor and the overseas recipient as the subject of the contract have no incentive to take the initiative to protect the rights of the personal information subject from infringement, so the rights of the personal information subject are extremely vulnerable to infringement. Once the infringement occurs, if the personal information subject wants to demand judicial relief, there are difficulties in providing evidence and other rights protection costs. Therefore, the state supervision needs to intervene in advance and stipulate the content of the subject of interest personal information in the contract signed by both parties.
3、The personal information processor shall not be exempted from other legal liabilities
Although the standard contract terms do not allow the contract subject to modify at will, they are finally signed by the civil subject, which stipulates the rights and obligations of each party at the level of civil contract. The party who violates the contract shall bear civil liability. Since the Personal Information Protection Law and other laws also stipulate that personal information processors shall bear administrative or criminal liabilities if they violate legal provisions, signing a standard contract cannot relieve or exempt personal information processors from other administrative or criminal liabilities stipulated by laws and regulations.
03
Rights and obligations of the parties under the standard contract
(一)Obligations of personal information processors
Article 2 of the standard contract clause stipulates the obligations of personal information processors, including obligations to personal information subjects and obligations to regulatory authorities. The obligations of personal information processors can be roughly divided into the following categories:
(1)Obligation to carry out impact assessment of personal information protection: It mainly refers to the necessity of going abroad, possible risks, obligations promised by the overseas recipient, etc. The impact assessment report of personal information protection shall be kept for at least three years.
(2)Purpose limitation obligation: The personal information provided overseas is limited to the minimum scope required to achieve the purpose of processing.
(3)Obligation of notification and consent: it is necessary to inform the personal information subject of the name or name and contact information of the overseas recipient, obtain the separate consent of the personal information subject, and provide the personal information subject with a copy of the contract, etc.
(4)Personal information security obligation: strive to ensure that the overseas recipient takes technical and management measures, etc.
(5)Obligations to regulatory authorities: mainly to allow compliance audit and provide compliance audit results.
(二)Obligations of the overseas receiving party
Article 3 of the standard contract terms stipulates the obligations of the overseas recipient, and part of the obligations of the overseas recipient correspond to the obligations of the personal information processor, such as the obligations of personal information security; In addition, some obligations are the same, such as notification and consent obligations, purpose limitation obligations, etc. Special obligations to overseas recipients include:
(1)Deletion obligation: The retention period must be the minimum time necessary to achieve the purpose of processing, and the retention period shall be deleted upon expiration. The personal information shall be returned or deleted if the entrustment contract is not effective, invalid, revoked or terminated, and the storage or other security measures shall be stopped if it cannot be deleted.
(2)Providing personal information to overseas third parties: The overseas receiving party inevitably has the need to provide personal information to overseas third parties. If it needs to provide personal information, it needs to meet the conditions for providing personal information to third parties stipulated in the standard contract.
(3)Record processing activities: Personal information processing activities need to be objectively recorded and kept for at least 3 years.
(4)for individual information processing's obligation: to allow personal information processing to consult, to carry out the necessary data file and document of compliance audit or provide convenience for the compliance audit.
(5)Obligations to the regulatory authorities: mainly include answering the inquiries of the regulatory authorities, cooperating with the regulatory authorities for inspection, complying with the regulatory authorities to take measures or make decisions, and providing written proof that necessary actions have been taken, etc.
(三)Rights of personal information subjects
Article 5 of the standard contract terms clearly stipulates that "both parties agree that the personal information subject shall enjoy the following rights as the third party beneficiary of this contract". Although the personal information subject is not the subject of the contract, it enjoys many rights. For example, the personal information subject is in a weak position in the cross-border activities of personal information as discussed above, which will not be repeated here. The obligations of the personal information processor and the overseas recipient to the personal information subject are also the rights enjoyed by the personal information subject. In addition, personal information subjects also enjoy the right to know and decide on the processing of their personal information, the right to restrict or refuse others to process their personal information, the right to request access, copy, correct, supplement or delete their personal information, and the right to request explanation of their personal information processing rules. When realizing their rights, the personal information subject may request the personal information processor to take appropriate measures, or directly make a request to the overseas recipient.
When the rights of the personal information subject are infringed, the personal information subject may inquire or complain to the overseas recipient, complain to the regulatory authority, or file a lawsuit with the competent court. At the same time, the rights protection made by the personal information subject will not impair the right of the personal information subject to seek relief according to other laws and regulations.
04
Signing and filing of standard contracts
(一) Impact assessment of personal information protection
Article 7 of the Standard Contract Measures stipulates that the standard contract and personal information protection impact assessment report (PIA) shall be submitted for filing. According to Article 56 of the Personal Information Protection Law, the impact assessment of personal information protection shall include the following three contents:
(1)Whether the purpose and method of processing personal information are legal, legitimate and necessary;
(2) The impact on personal rights and interests and security risks;
(3)Whether the protection measures taken are legal, effective and appropriate to the degree of risk. The impact assessment report and processing record of personal information protection shall be kept for at least three years.
In addition, "Information security technology personal information security impact assessment Guide", "information security technology personal information security Specification" and other national standards for personal information protection impact assessment have detailed provisions. Since the impact assessment of personal information protection is very important and has many contents, the author plans to write a special article to discuss it later.
(二)Signing a contract through negotiation
State Internet information office standards set by the terms of the contract, do not allow the contract subject to modify and make a conflict with the convention, but personal information main body and receiver outside or in other terms stipulated in appendix 2. Before signing the contract, the personal information subject shall negotiate with the overseas receiving subject, explain the content of standard contract terms to it, improve the contract text, and reach consensus on other terms. In addition, personal information can be exported when the standard contract becomes effective, and outbound activities can be carried out only after going through the record.
(三)Record keeping
The personal information processor shall, within 10 working days from the effective date of the standard contract, file with the local provincial Cyberspace Administration of China by serving written materials and attaching electronic materials. Arising during the term of the standard contract:
(1)to provide personal information outside of the purpose, scope, type, sensitive degree, way, save the location or overseas receiver processing personal information way of use, change, or shelf life extension of the personal information overseas;
(2)the recipient country or region outside the territory of the people's personal information protection policy and the change of laws and regulations may affect the rights and interests of personal information. Personal information processors shall re-conduct the impact assessment of personal information protection, supplement or re-conclude standard contracts, and go through the corresponding filing procedures.
05
Termination of a standard contract
(一) Circumstances of termination of the contract
The standard contract terms stipulate that both the personal information processor and the overseas recipient have the right to terminate the contract. The personal information processor shall have the right to rescission under the following circumstances:
(1) The overseas recipient breaches its obligations under the Contract, or there are changes in the personal information protection policies and regulations of the country or region where the overseas recipient is located, resulting in the inability of the overseas recipient to perform this Contract;
(2)The personal information processor temporarily provides personal information to the overseas recipient for more than one month;
(3)The overseas receiving party's compliance with this contract will violate the laws and provisions of the country or region where it is located;
(4)According to the final decision made by the competent court or regulatory authority of the overseas receiving party, the overseas receiving party or the personal information processor is in breach of the obligations agreed herein.
(5) The overseas recipient is in serious or persistent breach of its obligations under this Contract.
The overseas recipient also has the right of rescission in two to four of the above cases. From the perspective of the circumstances under which both parties enjoy the right of termination, the main circumstances under which the personal information processor enjoys the right of termination are that the overseas receiving party fails to perform the contract for various reasons. If the overseas receiving party fails to perform the standard contract due to the regulations and decisions of the laws, judicial organs and regulatory authorities of the country or region where it is located, the contract may also be terminated.
(二) Consequences of termination of the contract
The termination of the standard contract cannot exempt the personal information processor and the overseas recipient from the obligation of personal information protection in the process of personal information processing. In particular, for the overseas receiving party, it shall timely return or delete the personal information (including all backups) received under this Contract upon termination of the Contract, and provide written explanations to the personal information processor. If it is technically difficult to delete personal information, processing other than storage and necessary security protection measures shall be stopped.
06
Conclusion
Standard contract terms constrain both the personal information processor and the overseas recipient, and benefit the subject of personal information. In form, they are contract terms and have the function of national supervision. They are one of the important paths of cross-border transmission of personal information. For enterprises, standard contract filing is also feasible at present, and there are many cases in practice. Before filing, it is necessary to conduct an impact assessment of personal information protection, reach consensus with the overseas recipient, and pay attention to the content that does not conflict with the standard contract terms. After any change in the Standard Contract Measures occurs within the term of the contract, the impact assessment of personal information protection shall be carried out again, the standard contract shall be supplemented or concluded again, and the corresponding filing procedures shall be performed.
Recommended Information
-
ArticlesThe formation time of creditor's rights shall not affect the shareholders of defective capital increase to bear supplementary compensation liability2024-02-01
-
ArticlesFruit of the poisonous tree, the influence of non-competition forensics on personal information protection2024-02-01
-
ArticlesFocusing on the revision of civil procedure law -- the evolution and practical prospect of "Inconvenient Court" principle2024-02-01
-
ArticlesEvergrande's filing for "bankruptcy protection" in the US is not related to bankruptcy liquidation?2024-02-01
-
ArticlesContractual energy management project dispute series · Loss of available benefits under new judicial interpretation2023-12-04