On February 24, 2023, the Cyberspace Administration of China (CAC) released the much-awaited Measures for the Standard Contract for Outbound Transfer of Personal Information (China SCC Measures) together with the issuance of finalized version of the standard contract for outbound transfer of personal information (China SCC), which will officially come into effect on June 1, 2023. For outbound transfers of personal information which have already been carried out before that date, the China SCC Measures require that the rectification shall be completed within six months from its effective date, i.e, before December 1, 2023.
As one of the three “legitimate grounds” for outbound personal information transfer of personal information under the Personal Information Protection Law of China (PIPL), the China SCC shares quite a number of similarities with the EU Standard Contractual Clauses (EU SCCs) under the GDPR, such as the protection of the data subject’s third-party beneficiary rights, the establishment of a “long-arm” jurisdiction for the exporting country through the execution of SCC-based contractual and other mandatory security requirements for the exported personal information. However, the China SCC Measures still vary significantly from the concept of SCCs under the GDPR. Rather than the four-module approach (controller – controller, controller – processor, processor – processor and processor – controller) under the EU SCCs, the China SCC adopts a one-size-fits-all approach towards exporting personal information by the personal information processor (PIP, a concept similar to the “data controller” under the GDPR) to the overseas recipient. There is no differentiation according to the role of the overseas recipient as a controller, processor or sub-processor. This article offers some key highlights of the newly released China SCC Measures.
The Application Scope of the China SCC
The China SCC applies to outbound transfers of personal information which falls below the statutory threshold for higher level of scrutiny and outside of the category of Important Data as defined by the Chinese law. Pursuant to Article 4 of the China SCC Measures, China SCC applies if the PIP meets each of the following requirements:
- Is not a critical information infrastructure operator (CIIO); and
- Processes personal information of fewer than one million individuals; and
- Since January 1 of the previous year, exports the personal information of less than 100,000 individuals cumulatively, and
- Since January 1 of the previous year, exports the sensitive personal information of less than 10,000 individuals cumulatively.
Therefore, the China SCC appears to be a more suitable path for small and medium sized companies which are not CIIOs and deal with personal information not exceeding the above quantitative thresholds.
Compliance Actions Under the China SCC Measures
If the transfers do not meet the criteria set out above, data exporters must undertake a CAC security assessment or obtain a personal information protection certification. Compared with these other two legitimate grounds for exporting personal information outside of China, the China SCC approach appears to be an easier and more straightforward option. However, a PIP is required to take extra steps in order to export personal information outside of China in compliance with the Chinese data privacy laws:
1. Conducting a PIPIA
According to Article 55 of the PIPL, a PIP must conduct personal information protection impact assessment (PIPIA) in advance of, among others, exporting personal information outside of China. This is also emphasized in Article 5 of the China SCC Measures. A PIP shall follow the Guidelines for Personal Information Impact Assessment to prepare its PIPIA report to assess the risks to the personal information exported, including the regulatory risks of the offshore recipient country. It is unclear to what degree the PIP is required to provide the assessment of the regulatory risks of the offshore recipient country. If it is similar to the Transfer Impact Assessments undertaken by data exporters under the GDPR, the assessment of the legal regime relating to personal information in the recipient country would be the most costly and time-consuming part. Moreover, it could be subject to unpredictable regulatory risks should the political tension between China and the recipient country get worse and data privacy become a focus of dispute, such as banning TikTok in the U.S.
2. Filing of SCC
Under Article 7 of the China SCC Measures, a PIP must file its SCC with the local CAC (at the provincial level) within 10 working days after its SCC takes effect, together with its PIPIA report. Filing is not a prerequisite for a SCC to become valid, so strictly speaking a PIP is allowed to export personal information to the offshore recipient, if it has completed its PIPIA and its SCC has already taken effect, despite the fact that PIP may not have completed its SCC filing process.
Article 6 of the China SCC Measures stipulates that a SCC must strictly follow the template of China SCC, and any supplementary terms agreed by a PIP and its offshore recipient must not be in conflict with the provisions of the China SCC. Therefore, it is foreseeable that the local CAC will conduct substantive reviews during the filing process, at least to determine whether there exists any conflict between the filing SCC and the China SCC. It is unclear, at this stage, what level of scrutiny will be applied by the local CAC to the signed SCC and the PIPIA reports. Under the EU SCCs, while where are no general requirements to file the SCCs with local supervisory authorities (unless the exporter intends to continue transferring personal data where it cannot implement supplementary measures), the SCCs do require the transfer impact assessments to be documented and made available to supervisory authorities upon request. The prospect of future scrutiny therefore acts as an incentive to ensure that the appropriate procedural steps have been taken. From a practical perspective, where transfers from China form part of an international data transfer agreement, the parties may want to keep the China SCCs separate (or in a separate exhibit to the main data transfer agreement) to allow them to be filed separately.
3. Follow-Up Supervision
A PIP is obligated to re-conduct PIPIA and filing formalities during the term of its SCC if any of the following circumstances occur:
- The purpose, scope, category, degree of sensitivity, method or place of storage of the personal information provided overseas or the purpose or method of personal information processing by the overseas recipient is changed, or the overseas storage period of the personal information is extended;
- Changes in personal information protection policies and regulations in the country or region where the overseas recipient is located may affect the rights and interests of personal information; or
- Other circumstances that may affect the personal information and interests. This is likely to be more structured and onerous than equivalent procedures under the GDPR (where there are obligations to re-evaluate transfers at appropriate intervals, but no requirements to re-submit to supervisory authorities).
The PIPL prohibits a PIP from providing personal information to foreign judicial or law enforcement authorities without prior approval from the relevant Chinese authorities. Interestingly, Article IV.6 of the China SCC requires the offshore recipient to notify the PIP immediately if any government agency or judicial authority in the offshore recipient’s country requests the offshore recipient to provide personal information exported pursuant to the SCC. This provision does not directly address the issue of whether the offshore recipient may disclose the exported personal information to a government agency if such government agency does not fall into the category of a judicial or law enforcement authority to which the offshore recipient is strictly prohibited from providing personal information under the PIPL.
Onward Transfers of Personal Information to Offshore Third Parties
In respect of onward transfers to third parties outside of China, Article III.8 of the China SCC imposes strict requirements which are much less flexible than the EU SCCs and seems to provide very limited exception for dealing with certain business-related reporting obligations such as clinical trial information, while it closes the door to other compliance related reporting obligations if such reporting is not an integrated process for running the business. Under Article III.8. any onward transfers must satisfy the following conditions and must be:
- Necessary for the business;
- Accompanied by full disclosure to the data subjects of the name and contact information of the offshore third-party recipient, purposes and means of processing personal information, type of personal information to be transferred, storage period, rights and procedure of protecting personal information, necessity and impacts for disclosing sensitive personal information, etc., unless such disclosure is waived by the Chinese laws;
- Subject to separate written consent as mandated by the PIPL;
- Subject to a re-transfer agreement signed with the third-party recipient, under which the third-party recipient undertakes to protect the personal information at a level no lower than those offered by Chinese data privacy laws and agrees to assume liabilities for any potential damages to the subject individual caused by such transfer; and
- Subject to providing the data subjects with a copy of the re-transfer agreement upon request after redacting trade secrets information (if any).
Remedies and Dispute Resolution
The China SCC grants individual data subjects the status of a third-party beneficiary of the contract, so that the individual data subjects may assert their rights or claims against either or both the PIP and the offshore recipient. While the China SCC does not adopt the position of its early draft that the PIP and its offshore recipient assume joint and several liability for any harms or damages to the individual data subjects caused by the breach of the China SCC, dispute resolution remains to be the most challenging issue for the PIP and its offshore recipients under the China SCC. Under the China SCC, parties to the China SCC may choose the following options to settle disputes: 1) arbitration in China, 2) arbitration in a country which is a member of the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards, or 3) litigation in China. However, under Article VI.3 and VI.5 of the China SCC, both the PIP and its offshore recipient agree that individual data subjects have the right to file a lawsuit to assert their rights or claims against the PIP and or its offshore recipient in a Chinese court. Therefore, even if both the PIP and its offshore recipient agree that the dispute resolution of the SCC is arbitration in a New York Convention country, this dispute resolution mechanism could be easily derailed by an individual data subject filing a lawsuit in a PRC court, resulting in unpredictable risks especially for the offshore recipients adopting the China SCC. The governing law must be the laws of the PRC, unlike the EU SCCs which give the parties some flexibility to choose from among the laws of EU member states (provided that the data subjects can exercise their third-party beneficiary rights).
Next Steps and Timeline
Companies involved in outbound transfers of personal information from China must immediately start the process of preparing the PIPIA and signing a SCC with supplementary terms to minimize the risks and challenges imposed by the new China data privacy law landscape. The six-month period for the rectification process or moving to the new SCC terms is relatively short (compared to timeframes for moving to revised versions of the EU SCCs) particularly bearing in mind that there may be requirements for translating documents and the inevitable delays in managing teams working across multiple jurisdictions. Please consult our China data privacy team if you have any questions or need any assistance.