Personal data processors that handle the information of up to one million Chinese individuals will be subject to the standard contract.
China will officially impose a standard contract for Chinese personal information data leaving the country from June, adding a major compliance requirement for multinational companies operating in the country.
New rules drafted by the Cyberspace Administration of China (CAC) will take effect June 1, 2023, the regulator said Friday.
Under the new regulations, personal information processors sending data overseas by means of this standard contract must meet the following conditions:
- be considered as non-critical information infrastructure operators;
- handle the personal data of less than one million people;
- have sent the personal data abroad of less than 100,000 people since January 1 of the previous year;
- have provided the sensitive personal data overseas of less than 10,000 people since January 1 of the previous year.
Under China’s existing personal data export management regime, key information infrastructure operators such as banks and mobile operators, and those that process the data of over 1 million Chinese individuals, are required to go through a case-by-case “security assessment” by the internet regulator.
The so-called standard contract issued by the Cyberspace Administration of China (CAC) on Friday, Feb. 24, looks to cover organizations with smaller user bases.
The standard contract will affect Chinese branches of international companies sending client data to overseas headquarters. Personal data exporters will have to provide CAC with the necessary information on receipt of the data and what it will be potentially used for.
Companies will be required to rectify any non-compliant outbound data transfers within six months after the rule becomes effective on June 1, 2023, or face penalties, according to the regulator.
International companies with operations in China are worried about Beijing’s tighter grip on cross-border data transfers. In particular, companies expect an increase in compliance costs and fear that the rules may be changed again in future.