China issued filing guidance for the Standard Contract

The Cyberspace Administration of China (CAC) issued the Filing Guidance for the Standard Contract for Personal Information Outbound Transfer (first edition) (Filing Guidance) in the evening of 30 May, right before the “standard contract” regime for cross-border data transfer officially come into effect on 1 June.

Under China’s data protection laws, a personal information processor (ie equivalent to a “data controller” under the GDPR) may transfer personal information out of mainland China following different routes, depending on the nature of the processor and the volume of data processed. One of such routes appliable to many market players is entering into the Standard Contract for Personal Information Outbound Transfer as published by the CAC with the overseas recipients (China SCCs).

The China SCCs share a fair amount of similarities with the EU’s Standard Contractual Clauses for international data transfer, whereas maintaining significant unique features (for more details please refer to What’s in China SCCs – a comparative review against the EU SCCs). One key divergence is that the executed China SCCs must be filed with the cyberspace authority, and the Filing Guidance reveals to market players what is expected during the filing process (official Chinese version available here).

Key takeaways of Filing Guidance:

• Procedure and timeline – The whole filing process may include the below steps and the filing may be rejected and have to be re-submitted, if the documents do not satisfy the CAC’s requirements at the upfront:

  • documents submission: initial submission shall be made within 10 business days after the executed China SCCs take effect. The data exporter shall submit the filing documents, in both hardcopies and electronic copies, to the relevant provincial-level cyberspace administration (PCA). Some PCAs may later launch online platforms for data exporters to file their documents;

  • initial review: the PCA shall complete initial document review within 15 business days and notify the data exporter its decision. If the filing is accepted, the data exporter will be issued a filing number and the filing process is complete. If the filing is rejected, the data exporter will receive a notice setting out reasons for the rejection and documents to be revised and/or supplemented (if any);

  • re-submission: the data exporter shall re-submit the revised and/or supplemented documents within 10 business days following receipt of the PCA’s notice.

While it’s still too early to tell, if the regulator takes the same high standard in its review as in the security assessment (another route to transfer data out of mainland China), then based on our experience it is very likely that the data exporters will be required to revise and supplement their filing documents.

• Consequence of filing rejection – In theory and according to several policy documents issued by China’s State Council in the recent years, “administrative filing” is not the same as “approval”. In other words, the filing itself should not be a pre-condition for the executed China SCCs to take effect or to transfer personal information out of mainland China. However, depending on the specific reasons for the rejection, there may be two different scenarios:

  • if the filing is rejected for formality reasons (for example, certain requested information is not provided), the data exporter is likely to complete the filing once the documents are revised and supplemented in accordance with the PCA’s notice. In this case, the rejection shall have little impact on the data exporter’s business activity; or

  • if the filing is rejected for substantial reasons (for example the PCA, when reviewing the filing documents, identifies compliance gaps in the data exporter’s practice), the data exporter may be required to suspend transferring personal information out of mainland China, carry out certain remediation actions, and restart the filing after the compliance gaps are remediated. In this case, the data exporter’s business continuity may be affected, if the data transfer in question is essential to its business operation. It is still unclear to what extent the PCAs will conduct such “substantive examination” of the data exporters’ actual practices. In any case, we recommend taking proactive actions to address any identified compliance gaps prior to the filing to avoid this situation.

• Document list – In addition to the executed China SCCs and the personal information protection impact assessment (PIPIA) report, the below documents shall also be included in the filing pack:

  • a photocopy of the data exporter’s business license;

  • a photocopy of the identification document of the data exporter’s legal representative;

  • a photocopy of the identification document of the data exporter’s authorised person to perform the filing. The authorised person must be an employee of the data exporter;

  • the power of attorney of the data exporter’s authorised person (in designated format), chopped by the data exporter and signed by its legal representative and authorised person; and

  • the letter of undertaking (in designated format), chopped by the data exporter and signed by its legal representative. The data exporter is required to undertake that its collection and use of personal information comply with Chinese data laws, the filing documents are true, complete, accurate, valid and up to date, and that it shall cooperate with the regulator during the filing process.

• Enhanced requirements for the PIPIA – The Filing Guidance includes a PIPIA report template, which sets out the specific information expected by the CAC. On top of the high-level assessment items set out under China’s Personal Information Protection Law and the regulation on the China SCCs, the data exporters are required to provide detailed elaboration on some other aspects, such as their corporate structure, investments, information systems / cloud solutions / data centres deployed, etc. The PIPIA must be conducted within three months prior to the filing date, to ensure that it reflects the current practice of the data exporter. For those market players which have established privacy impact assessment procedures based on GDPR standard or Chinese national standard, they’ll need to cross-check and make sure their procedures cover the items in the PIPIA template.

• Combined filing – The Filing Guidance has not clarified whether affiliates in the same group and sharing combined databases may submit one combined filing. If the affiliates are located in different provinces, our view is that they must file with the relevant PCAs separately. While the affiliates are located within the same province, it may be possible to apply for one combined filing, subject to the views of the relevant PCA.

• Pre-filing communication – Based on our experience, the PCAs are likely to publish inquiry hotlines to take questions from data exporters. We recommend keeping an eye on the follow-up notices to be published by the relevant PCAs and communicate with them in advance if there are any particular questions or concerns around the filing (for example, where it is practically difficult to submit the filing documents in 10 business days and an extension is desired).

The implementation of the China SCCs involves internal data mapping (to determine whether the data exporter is eligible to adopt the China SCCs), conducting the PIPIA, negotiating with data importers, execution and filing. Given the 30 November 2023 deadline, we recommend international entities to kick off preparation as soon as practicable.

If you would like an English translation of the PIPIA report template for reference, please contact Yang. More questions on the China SCCs or broader topics about data compliance in China? Simple! Just contact us.