What’s in China SCCs – a comparative review against the EU SCCs

The Cyberspace Administration of China released the long-awaited Regulation on the Standard Contract for the Export of Personal Information on 24 February 2023.

01 March 2023


The Cyberspace Administration of China (CAC) released the long-awaited Regulation on the Standard Contract for the Export of Personal Information (China SCC Regulation) on 24 February 2023, as well as the annexed Standard Contract (China SCCs). With this release, the Standard Contract mechanism proposed under the Personal Information Protection Law of China (PIPL), effective from November 2021, is finally a reality.

The Regulation will take effect from 1 June 2023 and market players have an additional 6-month grace period to enter into the China SCCs for existing cross-border data transfers (ie by 30 November 2023).

The China SCCs share a fair number of similarities with the EU’s Standard Contractual Clauses for international data transfer (EU SCCs), while maintaining significant unique features, which international entities should note when implementing them and coordinating multi-jurisdictional data compliance.

Similarities

Fixed form

Article 46 of the EU’s General Data Protection Regulation (GDPR) provides that a data exporter may adopt various appropriate safeguards to transfer personal data out of the EEA, which include the EU SCCs. Clause 2 of the EU SCCs spells out that the clauses are deemed appropriate safeguards pursuant to the GDPR provided that they are not modified, except that the parties may select the appropriate module, include the EU SCCs in a wider contract, or add additional safeguards, etc.

Article 6 of the China SCC Regulation requires that the China SCCs must be executed strictly in accordance with the annex of the China SCC Regulation. Data exporters and data importers may agree upon additional clauses, provided that they are not in conflict with the China SCCs. Such additional clauses shall be set out in the appendix of the China SCCs and constitute a part of the entire agreement.

On one hand, both the EU SCCs and the China SCCs are invariable; on the other hand, there are some irreconcilable differences between the two sets of terms (eg the governing law and dispute resolution clauses). It is therefore impossible for an international entity to modify one of them (eg by adding additional clauses) to cover the requirements under the other. If an international group is transferring personal data from within the EU to outside the EEA and from within mainland China to outside mainland China, it must have signed both the EU SCCs and the China SCCs. In practice we often see international groups using an Intra-Group Data Transfer Agreement (IGDTA) to facilitate data sharing among group entities. Now they need to incorporate both the EU SCCs and the China SCCs into their IGDTA.

Hierarchy of effect

Clause 5 of the EU SCCs provides that in the event of a contradiction between the EU SCCs and the provisions of related agreements between the parties, the EU SCCs shall prevail. Clause 9 of the China SCCs sets out a similar provision.

The agreement adopted by market players (for example the IGDTA mentioned above) must clarify the hierarchy of effects of different model clauses, ie the China SCCs shall prevail when it involves transferring personal information out of mainland China, while the EU SCCs shall prevail when personal data is transferred out of the EEA.

Impact assessment

Both the EU SCCs and the China SCCs are accompanied by the requirement of conducting impact / risk assessments on the proposed data transfers, which may be a challenging task to complete in practice.

In the GDPR context, this requirement originates from the Schrems II decision made by the Court of Justice of the European Union (CJEU) in 2020. It requires that organisations relying on the EU SCCs must undertake additional due diligence and have additional controls in place to ensure that personal data transferred out of the EEA is subject to adequate protection. The subsequent regulatory guidance issued by the European Data Protection Board (EDPB) and the updated EU SCCs underscore the need to carry out transfer risk assessments (TRAs).

Under Chinese law, Article 5 of the China SCC Regulation and Clause 2 of the China SCCs provide that data exporters shall perform a personal information protection impact assessment (PIPIA) prior to transferring personal information out of mainland China, and list out the key factors that should be taken into account when conducting the PIPIA, including:

(i) whether the data exporter and data importer’s purpose, scope and manner of processing are lawful, legitimate and necessary;

(ii) the risks to the relevant individuals’ rights and interests, taking into account the scale, scope, types and sensitivity of the data to be transferred;

(iii) the obligations undertaken by the data importer and whether it has sufficient managerial and technical measures and capabilities to perform such obligations and ensure the security of the data to be transferred;

(iv) the risks of the transferred data being altered, destroyed, leaked, lost or illegally used, and whether the data subjects have convenient channels to safeguard their rights and interests; and

(v) the impact of the destination jurisdiction’s data protection policies, laws and regulations on the enforceability of the China SCCs.

Although the impact assessments under EU and Chinese laws have slightly different focuses, they share a very similar methodology, which makes it possible for international players that have established a group TRA process to leverage that existing resource for PIPIA purposes. Entities without any TRA experience or process in place are recommended to act quickly, given that experience shows it takes a good deal of time to educate employees on the PIPIA process and perform the assessments.

Divergencies

Applicability scope

The EU GDPR provides several safeguards for international transfer, including adequacy decisions, the EU SCCs, and binding corporate rules (BCR). The EU SCCs apply to transfers of personal data to jurisdictions without an adequacy decision, regardless of the data exporter’s business scale or volume of data involved.

China’s PIPL also provides several options for international transfer, including the security assessment (in essence an administrative approval), the China SCCs, and personal information protection certification. The difference is that the PIPL imposes different data protection responsibilities on data exporters in proportion to the importance of their information infrastructure / business scale / volume of data processed or exported. In other words, data exporters operating critical systems or processing / transferring large amounts of personal data will be subject to stricter scrutiny. The China SCCs, as a relatively convenient approach, apply to those companies which (i) are not “critical information infrastructure operators”, (ii) do not process the personal information of more than 1 million individuals, and (iii) have not transferred the personal information of 100,000 individuals or sensitive personal information of more than 10,000 individuals out of mainland China since 1 January of the previous year, regardless of the destination of transfer.

Modules for different scenarios

The current version of the EU SCCs includes four modules to cater for different data transfer scenarios, ie controller to controller, controller to processor, processor to processor, and processor to controller. Under certain clauses, the parties may choose an appropriate “module” based on their roles.

The China SCCs in general do not differentiate such “modules”, except that a few clauses set out different obligations for the data importer, depending on whether it is a personal information processor (ie equivalent to “controller” under the GDPR) or an entrusted party (ie equivalent to “processor” under the GDPR). This is in line with Article 38 of the PIPL, which regulates data transfers from personal information processors to any overseas recipients, regardless of their roles. It remains unclear whether and how the China SCCs apply where the data exporter is an entrusted party, and how responsibilities and liabilities are allocated between such a data exporter and the relevant data importer.

Filing requirement

Article 7 of the China SCC Regulation requires that the executed China SCCs along with the PIPIA report shall be filed with provincial counterparts of the CAC within 10 working days from the effective date of the executed China SCCs. The executed China SCCs do not require an approval from the CAC to take effect. That said, if the CAC identifies significant risks in the relevant transfer, it may require the data exporter to rectify and mitigate the risks.

The EU SCCs are not subject to a similar filing requirement, though Clause 14(d) provides that the parties agree to document the transfer risk assessment and make it available to the competent supervisory authority upon request.

Governing Law and Dispute Resolution

Pursuant to Clause 17 of the EU SCCs, the parties may agree upon the governing law based on different options for the relevant modules, provided that the agreed governing law must allow data subjects to exercise their third party beneficiary rights. Clause 9(2) of the China SCCs provides that the governing law is mandated to be Chinese law.

As for dispute resolution, Clause 18 of the EU SCCs provides that any dispute arising from the EU SCCs shall be resolved by the courts of an EU Member State at the parties’ choice. Clause 9(4) of the China SCCs, by contrast, provides some flexibility for the parties: they may bring an action before a Chinese court, or submit the dispute to a foreign arbitral venue of their choice, provided that the venue is located in a New York Convention signatory jurisdiction.

Both the EU SCCs and the China SCCs allow data subjects to bring legal proceedings against the data exporter and/or the data importer as a third party beneficiary.

Onward Transfers

The China SCCs provide a set of preconditions for onward transfers from the data importer to other third parties located outside of mainland China. These preconditions include: (i) there is an actual business need; (ii) sufficient disclosure has been made to the data subjects; (iii) a separate consent has been obtained if the relevant processing relies on consent as a legal basis; (iv) the data importer has entered into a written agreement with the third party, ensuring that the third party shall provide personal information protection equivalent to the standard required under Chinese law and assume legal liability for the potential damages suffered by the data subjects; and (v) a copy of such written agreement shall be provided to the data subjects upon request.

By comparison, the EU SCCs offer more flexible options for onward transfers, including the third party being bound by the EU SCCs, the third party’s location in a jurisdiction with an adequacy decision or the third party being subject to an approved BCR, etc.

What’s next

The China SCCs have drawn great attention since the PIPL came into effect in November 2021. Some international entities have adopted a proactive strategy by formulating their own data transfer agreements for China and performing the PIPIA with reference to the EU SCCs and the draft form of the China SCCs published in June 2022. For such early birds, this prior work needs to be fine-tuned in light of the China SCCs and the China SCC Regulation, but there won’t be substantial changes required.

Other entities that have taken a “wait-and-see” approach are advised to act promptly. The implementation of the China SCCs involves conducting the PIPIA, negotiating with data importers, and executing and filing the China SCCs and the PIPIA report. For international entities it may also require adjustments to the existing IGDTA, managing international transfer compliance from the group level, and coordinating varied requirements across different jurisdictions. Given the wide range of stakeholders involved and the 30 November 2023 deadline, we recommend that international entities kick off preparation as soon as practicable.
