On 24th February 2023, the Cyberspace Administration of China ("CAC") released the Measures on the Standard Contract for Outbound Transfer of Personal Information (the "SCC Measure"), which will become effective on 1 June 2023. Being the "last piece of the puzzle", the China SCCs are rolled out to implement the existing mechanism for cross-border transfer of personal information ("PI") out of Chinese mainland ("PI Export") under the Personal Information Protection Law (the "PIPL"). This frontline provides a deep analysis based on the wording of the text, experts’ observations, and statements by the CAC.

• How Should Enterprises Comply with Standard Contract Measures [Maggie Meng, Guosheng Xu, Jierui Dong, Zheng Pan, Global Law Office]
  
  
  Diagram 1 – Prerequisites and regulations for the cross-border transfer of personal information
  
  
  Diagram 2 – Applicable Rules for Prerequisites for cross-border transfer of personal information
  
  I. Applicability
  II. Personal Information Protection Impact Assessment
  III. Specific Content of the Standard Contract
  IV. Filing Requirements
  V. Remedies, Penalties and Others
  


• The Dust Finally Settles- Are You Ready to Sign the China SCCs? [Mark Fu, Yuan Jiaqi, King & Wood Mallesons]
  
  I. Background
  
  II. General Overview of China SCCs
  ● Scenarios Triggering the Application of China SCCs
  ● Filing Requirements and PI PIA
  ● Formality Requirements and Variation of the Standard Contract
  ● Legal Consequence
  ● Transitional Period for Previous PI Export
  
  III. Next Step
  ● review the existing data practice, including the type, nature and quantity of the data generated in Chinese mainland and subject to export (if not yet done so), and choose an appropriate route for PI Export;
  ● collect information to be filled out in the Standard Contracts and prepare the PI PIA reports;
  ● consider adopting the Standard Contract directly for new contracts involving PI Export (even before the China SCCs take effect) to avoid amending them subsequently;
  ● revisit the existing contracts involving PI Export to identify potential conflict between the Standard Contract and the prior signed terms.
  


• China's Long-awaited Standard Contract Released [DONG Xiao (Marissa), LU Sipei (Ryo), JUNHE LLP]
  
  I. Which organizations should focus on the Standard Contract pathway?
  
  II. What data export scenarios are covered by the Standard Contract?
  
  III. Can the Standard Contract be modified?
  
  IV. What are the main differences between the final version of the Standard Contract and the former draft Standard Contract?
  a) Emphasis on means such as splitting cross-border transfer scenarios must not be used to circumvent the security assessment path
  b) Clarification on the separate consent requirement
  c) The requirement for overseas recipients to provide audit reports proving the deletion of personal information has been removed
  d) Notification obligations on government access requests
  e) The obligation to notify personal information breaches has been enhanced
  
  V. What are the processes to complete the Standard Contract path?
  a) pre-assessment: completing a personal information protection impact assessment ("PIPIA") before providing personal information abroad;
  b) contract signing: entering into a Standard Contract for personal information exports with overseas recipients;
  c) post filing: filing an executed Standard Contract along with a PIPIA report with the local cybersecurity administration within 10 working days from the effective date of the Standard Contract;
  d) re-assessment, contracting and filing: If a re-assessment is required during the term of the Standard Contract, the organization must re-conduct the PIPIA, supplement or re-sign the Standard Contract and complete the filing procedures.
  
  VI. What else do organizations need to do after the filing of a Standard Contract and a PIPIA report?
  a) organizations should monitor any further guidance or clarifications from the CAC regarding cross-border data transfers and pay attention to further adjustments or updates of the Standard Contract made by the CAC.
  b) organizations should monitor the purpose, scope and type of personal information, the sensitivity of the personal information, the methods for processing and the storage location of personal information provided to overseas recipients. If any changes occur, it is necessary to consider whether it is required to re-assess the cross-border data transfer, or supplement or re-sign, and re-file the Standard Contract. It is also necessary to monitor any updates of personal information protection laws and regulations as well as law enforcement in the country or region where the overseas recipient is located.
  c) organizations need to pay close attention to the requirements for the exercise of the rights of the personal information subjects, form a legal and reasonable processing process, and at the request of the personal information subject, provide them with the contract signed with the overseas recipients after removing trade secrets, confidential business information or other sensitive information.
  d) organizations should pay attention to personal information breach incidents and government access requests, and handle these in accordance with the Chinese laws and regulations.
  


• A Practical Guide: How to really make China's SCC work for your business [Peng Cai, Pulingling Xiao, Yunlang Hu, ZHONG LUN LAW FIRM]
  
  I. CHARACTERISTICS OF THE STANDARD CONTRACT
  (1) Standard Terms Recognized by the State
  (2) Administrative Record-filing
  (3) Contract for the Third-party Beneficiary
  
  II. SCENARIOS FOR THE APPLICATION OF THE STANDARD CONTRACT
  (1) Cross-border transfer of personal information for small and medium-sized enterprises
  (2) Cross-border Investment and M&A Transactions
  (3) Inapplicable Scenarios
  
  III. COMPLIANCE ADVICE ON THE APPLICATION OF THE STANDARD CONTRACT
  (1) Clarifying Data Assets and the Number of Personal Information Subjects as Early as Possible
  (2) Pushing the Negotiation and Execution of the Standard Contract Forward as Early as Possible
  (3) Deploying the Enterprises' Internal Control Measures Required for the Standard Contract as Soon as Possible
  
  With the promulgation of the Provisions on the Procedures for Administrative Law Enforcement by the Cyberspace Administration Authority of Various Levels and other regulations, 2023 has become the "first year of law enforcement". The administrative enforcement procedures on which CAC is acting as the main body of law enforcement will be implemented, and CAC will reinforce administrative enforcement against illegal data activities. In the official version of the Measures and Standard Contract, the penalties against non-compliant activities have been amended by replacing the term "prohibiting cross-border activities" originally provided in the draft for public comments with "interview or rectification". Nevertheless, we believe that this amendment is only made to comply with the legislative rules stipulated in the Administrative Penalty Law, rather than a "mitigation measure" for relevant violations.
  
  The official promulgation of the Measures and the Standard Contract means that no "missing puzzles" are left to the regulations governing the cross-border transfer of personal information activities. Enterprises with different cross-border volumes should follow the applicable compliance path to fulfill the declaration or record-filing obligation. Enterprises with needs or scenarios of cross-border data transfer shall not suffer from an "Achilles' heel" in data compliance due to their failure or delay in rectifications.


• China Issues Measures for Standard Contracts [Samuel Yang, Chris Fung, Monika Zhang, AnJie Law Firm]
  
  The Measures add another layer of compliance obligations for businesses to deal with. We believe that many businesses' most difficult compliance obligation will be conducting PIPIA and monitoring conditions at the PI destination. While we are inclined to believe that external service providers can meet such needs, this will add costs for businesses that need to transfer PI overseas.
  
  Considering the nature of obligations that need to be implemented under the Measures, we believe that the early issuance of the Measures plus a 6-month grace period is sufficient for many enterprises to make a transition to the Standard Contract. However, to avoid unexpected events, we suggest that PI processors contact their overseas recipients as soon as possible to implement new arrangements between them that comply with the Standard Contract.


• Six Highlights MNCS Need to Know about China SCC Route [Xun Yang, Yuwei Xia, Llinks Law Offices]
  
  I. Application of SCC Route
  II. Performance of PIA
  III. Filing of SCC
  IV. Deviation from SCC
  V. Dispute Resolution
  VI. Implementation of SCC Route