Written by Haim Ravia and Dotan Hammer
The head of China’s Cyberspace Administration (CAC) announced the completion of the uniform contract for transferring information from China. The contract will serve as the basis for organizations in the country desiring to export the personal data of Chinese residents for processing by organizations outside of China. Organizations are required to adopt the contract in its entirety, and it is intended to supplement the rules established in the Information Security Law, the Personal Information Protection Law for Network Users, and the Guidelines for the Cross-Border Transfer of Personal Information, which were enacted in 2021.
The uniform contract is one of four legal bases for transferring data outside of China. Organizations may alternatively transfer the data after undergoing a security assessment process by China’s Cyberspace Administration, or by contracting with an authorized entity approved by the administration. Organizations are required to sign the unified contract in several cases, including in cases where the organization operates critical infrastructure or processes information of more than one million data subjects, and the organization transfers information of more than 100,000 individuals outside of China. This requirement will take effect in June 2023.
The uniform contract defines the obligations of the parties regarding the data. Among other things, it requires the data organization to take reasonable measures to ensure that the data recipient complies with its obligations under the contract, respond to requests from authorities, take immediate measures to deal with data breaches and document data processing activities, and keep the documentation for at least three years. The contract also includes penalties for non-compliance.
Click here to read the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (in Chinese).