Under the China Personal Information Protection Act, businesses are required to have a contract with any third party that accesses their data. These contracts can be decisive if you are sued. For example, in Guangzhou Internet Court Case 0192-cv-44778 (2021), an SMS marketing API provider was sued for data rights infringement. In its defense, the company argued that it merely sent marketing text messages to consumers using data supplied by an e-commerce site, with message content also supplied by the e-commerce site, and that it only provided technical support. Nonetheless, the court held that the SMS service was a personal information processor acting on behalf of the other party and was therefore subject to liability. Central to the court’s reasoning was the service’s failure to produce a copy of a Data Processing Agreement executed with the e-commerce site, or any other evidence characterizing the nature of its service.
As this case shows, a Data Processing Agreement (DPA) needs to include clear terms on each party’s responsibility for personal data processing and on how liability is apportioned in the event of a dispute. An important first step is to determine whether you need a DPA for China at all, which CBL covers in this article, because the answer depends on a complex statutory analysis of whether a third party plays a regulated processing or sharing role with respect to your data. In this article, we look at the mandatory and recommended DPA clauses that can be used for different service structures. The specific agreement will need to be tailored to your business model, but this article does not describe customization in depth, as that should be done by a professional.
Data Processing Agreement Provisions for Every Agreement
A number of specific DPA provisions are required by a national China regulation, the Personal Information Security Standards. Data Processing Agreements require the following provisions for parties that process data on behalf of another, share data, or jointly process data.
Defining Party Relationships. The DPA must identify the personal data controller and who is processing on its behalf, or state that the arrangement involves joint processing. Clearly identifying the parties makes their respective obligations clear. Some use cases are very complex, and you may wonder whether signing a single DPA without clearly defining party roles is the better option.
For example, Company A and Company B work together as fully separate entities despite partnering in many areas. Their data processing roles are characterized as follows: Company B runs an e-commerce site for Company A, providing shipping, operational functions, and customer service. Here, Company B is processing on behalf of Company A for operations and customer support, but for shipping, Company A and Company B are each an independent processor that cannot determine what personal information the other party will collect from users or how it will use that data. Given the complexity of this case, entering into a separate Data Processing Agreement for each role is more prudent.
Language Barrier Issues. Lawyers in China describing DPAs often use a variety of bizarre, opaque, made-up terms such as “entrusted processing” and “entrusted party.” According to the legislative history, the reason is that these three terms were taken from the US/UK/EU data protection statutes and given localized Chinese names by adding prefixes. Localizing with prefixes was necessary because the Chinese word translated as “processor” (chulizhe) ambiguously means processor/controller (处理:处置;安排;料理), so the single ambiguous word was split into three distinct roles by adding prefixes.
CBL recommends using native English, not China English, when making strategic legal decisions, and below we explain this law in plain English.
Nature of Processing Provisions
The contract should describe the parties’ business relationship, transactions, and data subjects, specifically stating whether the persons are employees or customers and whether minors under 14 years of age are included. Determine whether sensitive personal information about Chinese consumers or employees is processed. List the data types being processed at field-level detail (for example, phone number, address, geolocation data) rather than broad categories such as personal identity, financial information, or biometric data.
Describe which personal information processing activities occur and in what context, avoiding vague phrasing, since there are numerous distinct processing activities that may need to be described:
- Collection
- Storage
- Use
- Processing
- Transmission
- Provision
- Disclosure
- Deletion
State whether data will be stored in Mainland China or sent outside Mainland China, as cross-border transmission requires the exporting party to comply with numerous data protection laws specifically addressing export, and a separate consent must be obtained specifically for export. The personal information must be retained until the processing purpose set out in the Data Processing Agreement is achieved, but a specific date may be used if it is the same as the actual date on which the purpose is achieved.
Compliance Covenants
The DPA should require the parties to comply with all applicable personal information protection statutes, regulations, and industry standards, deploying appropriate data security technologies to protect data from unauthorized access, breach, alteration, exfiltration, or loss, and, at a minimum, doing the following:
- Having detailed controls covering internal policies, operating procedures, and incident response plans
- Categorizing data
- Implementing technical security measures that include encryption and deidentification
- Providing staff with reasonable systems access and giving them security training
- Ensuring that the information systems processing personal data under the agreement have passed MLPS evaluation or ISO 27001 certification and hold any other appropriate domestic qualifications
Cybersecurity Incident Containment and Mitigation
A cybersecurity incident will generally affect both parties to a DPA regardless of how the relationship is structured. For example, if your agreement provides for data sharing and hackers attack the data recipient to steal user logins, they will then use those credentials to attack other data processors throughout China, stealing even more data about individuals and rapidly magnifying the scale of the threat. Therefore, the DPA should include provisions requiring rapid notification of the other party whenever a party discovers any data incident, such as loss, destruction, damage, or unauthorized processing. The notification requirement should apply even where the harm merely may have occurred, and the DPA should address the specific steps, mode, and content of notifications and describe what costs may be implicated.
Boilerplate Provisions
Non-Disclosure. Generally, the parties should agree to use confidential information solely as needed to perform the agreement and not to disclose it to any third party, a term that should be defined to include the recipient’s affiliates and business partners. Local China staff who access confidential information must also be bound by a non-disclosure agreement.
Breach. Generally, the agreement should include detailed provisions entitling a non-breaching party to demand that the party in violation of data protection laws or the contract cure the violation by a specified deadline, or, in the alternative, allowing the non-breaching party to immediately terminate the Data Processing Agreement.
Indemnification. The non-breaching party should be entitled to indemnification from a party that violates China data protection laws, the DPA, or infringes on personal privacy rights, as to any of the following:
- Regulatory fines
- Financial compensation
- Damages
- Settlement payments
- Loss of goodwill
- Attorney’s fees
- Court costs
- Travel expenses
- Other reasonable costs
Miscellaneous Provisions. The governing law of the agreement should be that of the People’s Republic of China, but the forum can be any arbitration organization or court convenient for the parties.
The DPA should have an effective date and term tailored to your business model. Most agreements can enter into force on the date of execution, but if you are exporting data and need a personal information export security assessment, consider using the following kind of provision to ensure that performance of the agreement remains possible:
“This Agreement enters into force on the date it is executed; however, if applicable law requires this Agreement to obtain regulatory agency approval to export personal information, then this Agreement enters into force on the date upon which such regulatory agency grants approval.”
Role-Specific DPA Provisions
The standard Data Processing Agreement provisions should be supplemented by provisions specific to the role played by the data processor. Which role applies is determined by the China Personal Information Protection Act, a complicated topic that CBL covers in this article.
Cooperation and Assistance. Where a party processes data on a controller’s behalf, the Act requires that the contracted processor assist the controller in performing the controller’s obligations under the Act. The Data Processing Agreement should therefore include terms requiring the party processing on the controller’s behalf to cooperate with and assist the controller in discharging its compliance obligations. In this respect, consider including the following terms imposing obligations on the party processing data on your behalf:
“The Contracted Processor shall process personal information pursuant to the Data Processing Agreement and any written instructions of Party A. If its activities exceed the scope of the Agreement, the Contracted Processor shall be deemed an independent personal information controller and shall process personal information only to the extent it has a lawful basis to do so. Without written approval, the Contracted Processor shall not disclose the personal information subject to this Agreement and shall not provide or sell such personal information to any third party, including the Contracted Processor’s affiliates or business partners. The Contracted Processor shall proactively cooperate with and assist the Controller in carrying out its statutory obligations. Such assistance includes, without limitation, promptly reporting data security incidents to the lead agency and assisting with responses to data subjects’ requests and complaints.”
Subcontracting and Sub-processing
Under the China Personal Information Protection Act, a controller must give specific authorization whenever its contracted processor delegates its obligations to a third party. The DPA should include the following provisions:
- The contracted processor may not delegate its DPA obligations to a third party without written authorization.
- The contracted processor must enter into a DPA with its own sub-processor that has requirements no less stringent than the controller’s DPA for purposes of protecting personal information.
- The contracted processor must monitor and control sub-processor activities and assume liability for losses resulting from sub-processors’ acts and omissions.
Subcontracting provisions should incorporate the types of provisions described above.
Monitoring and Auditing. The Act requires China personal data controllers to monitor their contracted processors, and the Personal Information Security Standards recommend audits as the best practice for doing so. Thus, the Data Processing Agreement should give the data controller the right to conduct randomized or periodic inspections, or to have a designated third party do so on its behalf, to ensure the contracted processor is handling data correctly.
Return or Destruction of Data. The Data Processing Agreement should include provisions ensuring that the minimization principle is applied to data retention periods. Obligate the contracted processor and any sub-processor to destroy or anonymize the personal data as soon as reasonably practicable once the contracted processing purpose has been achieved, or alternatively to return the data to the controller. Unauthorized backups of the data may not be made. Moreover, at the controller’s request, the contracted processor must issue a written certification that this has been done. The controller must have the right to audit the contracted processor in order to verify that the data has been deleted.
Data Sharing
Legal and legitimate grounds for sourcing personal information. The personal information controller is responsible for ensuring that the data shared with a recipient is sourced legally and that third-party systems are protected from intrusion, data theft, or similar illegal activities. The controller must describe to the recipient the actual processing purpose of the personal information and ensure that Chinese data subjects have provided their consent. The parties should also agree that the recipient is entitled to request that the data controller issue documents certifying that data subjects have consented to the use of their personal information.
No payment for shared personal information. In data sharing arrangements there is a significant risk of liability for being found to be illegally selling personal information. Mitigate that risk by making sure that contracts covering use cases where personal information is shared never set a price per person or per record. Include terms providing that the data controller assumes no liability for the recipient’s processing activities affecting the shared data, and that the recipient assumes no liability for having received or used the shared personal information.
Include the following provisions in your Data Processing Agreement for use cases requiring data sharing:
- The data recipient must disclose to the controller the actual purpose for obtaining the shared personal information so that the controller can provide notice to the data subject.
- The data recipient may only process personal information in a manner that falls under the agreed processing purpose and for those types of personal information; if anything changes, the recipient must obtain new consent from the data subject.
- In cross-border use cases, the data recipient outside of China will proactively assist the controller in completing any required Personal Information Export Security Assessment, especially by providing required information and answering questions for regulatory officials.
Joint Processing by Joint Controllers DPA Terms
The Act has few provisions on joint processing compared with the case where a processor is contracted to work on behalf of a controller, so the rights and obligations of the parties can be customized under the terms of a Joint Data Processing Agreement. Most joint processing of personal information is actually done by affiliates within the same enterprise, where one affiliate provides technical support and another provides customer service, and sometimes where some affiliates are in Mainland China and some are outside it. Among data privacy professionals, this is known as a joint controller relationship; China characterizes this activity as joint processing, meaning there can be joint liability, which differs from the position in some other countries.
Thus, the contractual terms should be tailored to the parties’ business model and will involve a high degree of customization. There are nonetheless a number of terms that are essential in most contexts and worth your consideration.
Personal Data Processing Policy and Explanations. The Act requires controllers to provide truthful, accurate, and complete notice to individuals, including the controllers’ contact information, before collecting information. Upon request by an individual, the controller must explain its personal data processing policy. Therefore, in the joint processing context, the controllers must provide a Personal Data Processing Policy that discloses the identity of all joint data controllers. The parties can also consider adding contract provisions on responding to data subjects who ask a controller to explain its policy, usually after the parties have reached a consensus on how to respond.
Responding to Data Subjects’ Requests, Complaints, and Suggestions. The parties should include provisions that describe the division of labor, deliberative process, and joint responses to data subjects’ requests, complaints, and suggestions, in a similar manner to how the personal data processing policy is explained.
Data Export Cooperation. Where one of the joint processing parties is a recipient outside of China, the law may require a personal information export security assessment or authentication. In this event, that party should be obligated to cooperate with the other joint processor in providing documentation and responding to government agency inquiries.
Apportioning Risk for Data Rights Infringement Liability. Under the Act, individuals may bring claims where the joint data processors or the processing activity results in data rights infringement, even where only one of the joint processors is predominantly responsible. To address this possibility, the Joint Data Processing Agreement can include provisions apportioning liability where damages have been assessed in favor of a claimant, entitling a party that has paid more than its fair share of the damages to collect an indemnification payment from the other party.
Conclusion
In this article, we have covered what a China Data Processing Agreement, or the equivalent clauses in a software service contract, should include. The central stipulation in the contract should be a detailed description of the nature of the processing under your business model: (1) processing on behalf of a controller; (2) data sharing; (3) joint processing by joint controllers. Specific provisions should also be included based on the processing role you fall within. Compliance covenants to ensure the law is followed, and indemnification clauses in case the other party breaks the law, are also necessary.