Chinese regulator publishes the draft China SCC

By Jingyuan Shi; Yuchen Lai; Jenny Liu, Simmons & Simmons

Published: 20 September 2022

The Cyberspace Administration of China published the long-awaited standard contract for cross-border data transfer on 30 June for public comment.

The Cyberspace Administration of China (CAC) published the long-awaited standard contract for cross-border data transfer on 30 June for public comment. The contract supplements the requirements under China’s Personal Information Protection Law (PIPL), which came into effect on 1 November 2021. Among other things, data exporters are required to assess the impact of data protection laws and policies of the destination jurisdiction on the enforceability of the standard contract.

Cross-border data transfer regime under Chinese law

Pursuant to the PIPL, personal information processors (i.e. equivalent to data controllers under the GDPR) may transfer personal information out of mainland China via one of several routes, including: (i) clearing a security assessment organised by the CAC (this is also the only option applicable to operators of critical information infrastructure (CIIO) and personal information processors that process personal information exceeding the volume threshold determined by the CAC); (ii) obtaining a personal information protection certification from a professional institution designated by the CAC (Certification); or (iii) entering into a standard format data transfer agreement with the overseas recipient (Standard Contract).

Standard Contract

The Standard Contract route is similar to the provision of standard contractual clauses (SCC) under the EU’s General Data Protection Regulation (GDPR) and is often referred to as the China version SCC for simplicity.

The CAC published the Draft Provisions on the Standard Contract for Personal Information Cross-border Transfer (in Chinese language, Draft Provisions) on 30 June, including the draft form Standard Contract, and sought public comment until 29 July 2022. It is anticipated that the Standard Contract will be finalised soon following the consultation. Like the PIPL, the Draft Provisions do not provide a transitional period for adopting the Standard Contract. As such, it is recommended to prepare to implement the relevant compliance actions as early as practicable.

Key takeaways from the draft provisions include the following.

  • Under the PIPL, the Draft Provisions and two other draft regulations (not finalised), if the data exporter is a CIIO, or processes personal information of more than one million individuals, or has transferred personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals out of mainland China in a set period of time, it must complete the security assessment organised by the CAC (essentially an approval) before cross-border data transfer. In other words, signing the standard contract alone will not be sufficient for such data exporters to transfer personal information out of mainland China.
  • For other data exporters, the standard contract applies to both intra-group transfers and transfers to external third parties.
  • Most clauses of the draft standard contract are restatements of the PIPL’s requirements on the responsibilities and liabilities of the data exporters and data recipients.
  • The draft standard contract provides some flexibility for the signing parties. For example, although the governing law is mandated to be Chinese law, the parties may choose a foreign arbitral venue to resolve disputes arising in connection with the Standard Contract, as long as the venue is located in a New York Convention signatory. The parties may also agree on supplemental clauses as long as they do not contradict the mandatory provisions of the Standard Contract.
  • In addition to signing the standard contract, the data exporter is required to perform a personal information protection impact assessment prior to the transfer, which should cover several aspects including an assessment of the impact of data protection laws and policies of the destination jurisdiction on the enforceability of the standard contract. For those who are familiar with the EU GDPR, this is very similar to the transfer risk assessment, a requirement in the GDPR context following the Schrems II ruling, and may turn out to be a practical challenge for many market players.
  • The executed standard contract, along with the personal information protection impact assessment report, shall be filed with provincial counterparts of the CAC within 10 working days from the effective date. A copy of the executed standard contract should also be provided to the data subjects upon request. Based on the current draft form, the standard contract is a standalone contract, separate from the commercial contract between the parties, which means the commercial contract is not required to be filed with the local CAC.
  • It remains unclear whether and how the standard contract applies where the data exporter is an entrusted party (i.e. equivalent to data processor under the GDPR), and how responsibilities and liabilities are allocated between such a data exporter and the relevant overseas recipient.

Certification: An alternative to the standard contract

China’s national standard authority recently published the Specification for the Security Certification of Cross-Border Processing of Personal Information (in Chinese language, Specification), which relates to the Certification route that runs parallel to the standard contract. This Specification is a non-binding technical document that aims to provide practical guidance on obtaining the Certification and introduces stricter compliance requirements than the PIPL. Its key provisions include the following.

  • The Specification applies to the cross-border transfer of personal information among affiliates/subsidiaries within a multinational group, and overseas processing subject to the extra-territorial effect of the PIPL. In other words, the certification approach may not be applicable for China-based entities which transfer personal information to non-affiliated parties located outside of mainland China.
  • The group company applying for the certification must adhere to the principle that personal information being processed outside of mainland China shall be protected in a manner that is equivalent to the standard provided under Chinese data protection laws and regulations, including but not limited to the PIPL.
  • The certification will be granted on several conditions: (i) the existence of a binding agreement between the data exporter and the data recipient; (ii) the appointment of an officer and designated body for personal information protection by both the data exporter and the data recipient; (iii) compliance with a set of unified rules on cross-border data processing by both the data exporter and the data recipient; (iv) completion of the personal information protection impact assessment prior to the cross-border transfer; and (v) compliance with data subject rights. The overseas recipient must undertake to be subject to Chinese personal information protection laws and regulations and the supervision of the Certification institution, including responding to inquiries and routine inspections.

The Specification does not set out the application and approval procedures for the certification, the validity period of such Certification or which professional institutions are authorised to grant the certification.

Implications and next steps

By comparison, the standard contract may seem more straightforward and applies to a wider scope of data transfers than the certification. Although the Draft Provisions and the standard contract are still pending finalisation, and key issues relating to the Certification (as mentioned above) also await further clarification, we recommend weighing the pros and cons of the two approaches and deciding which one better suits your needs, taking into account the relevant obligations, your current data practice and business needs, as well as the compliance costs. In the meantime, we recommend starting the relevant preparation, such as mapping out your current cross-border data transfer flows and performing the personal information protection impact assessment, which is required under both options.