China regulator finalises ‘standard contract’ for companies that send personal data overseas, effective June 2023

China will officially impose a standard contract for Chinese personal information data leaving the country from June, adding a major compliance requirement for multinational companies operating in the country.

The Cyberspace Administration of China (CAC), which has been enhancing its oversight of Chinese data under the country’s 2021 personal information protection law, has finalised a “standard contract” regarding data pertaining to Chinese individuals, with the rules coming into effect on June 1, 2023, the regulator said on Friday.

Under the new regulations, personal information processors sending data overseas by means of this standard contract must meet the following conditions: be considered as non-critical information infrastructure operators; handle the personal data of less than one million people; have sent the personal data abroad of less than 100,000 people since January 1 of the previous year; and have provided the sensitive personal data overseas of less than 10,000 people since January 1 of the previous year.

Under China’s existing personal data export management regime, key information infrastructure operators such as banks and mobile operators, and those that process the data of over 1 million Chinese individuals, are required to go through a case-by-case “security assessment” by the internet regulator.

The standard contract will apply to the bulk of cross-border data transfers, which cover day-to-day operations of China branches sending client data to overseas headquarters. It will require the personal data exporter to provide CAC with the necessary information on receipt of the data and what it will be potentially used for.

Companies will be required to rectify any non-compliant outbound data transfers within six months after the rule becomes effective on June 1, 2023, or face penalities, according to the regulator.