On Feb 27, 2023, the Cyberspace Administration of China (CAC) finalized its Standard Contractual Clauses (SCCs) for the cross-border transfer of personal information, together with the accompanying Measures on the standard contract. The SCCs are designed to regulate the transfer of personal information out of the People’s Republic of China (PRC) in line with the Personal Information Protection Law (PIPL), which entered into force on November 1, 2021.
The Measures cover, among other things, the threshold an organization must meet before it can rely on the SCCs to transfer personal information out of the PRC, the personal information protection impact assessment (PIIA) that must precede use of the SCCs, and the content the standard contract must contain.
The SCCs are intended to protect the rights and interests of personal information subjects, safeguard cross-border data security, and still allow personal information to flow across borders. Under Article 38 of the PIPL, an organization that wants to transfer personal information outside of the PRC must currently satisfy one of the following conditions:
- Conducting a security assessment organized by the CAC
- Obtaining personal information protection certification from a specialized institution according to the provisions issued by the CAC
- Concluding a contract stipulating both parties’ rights and obligations with the overseas recipient in accordance with a standard contract established by the CAC
- Meeting other conditions set forth by laws and administrative regulations and by the CAC
While the conditions attached to the new SCCs are strict, the SCCs should open up greater opportunities for cross-border collaboration and data mobility.
Organizational thresholds for signing SCCs
Article 4 of the Measures sets out the conditions that a personal information processor in the PRC (roughly the equivalent of a data controller under the GDPR) must meet in order to sign a standard contract.
To be eligible to sign a standard contract, a personal information processor must meet all of the following criteria:
- It must not be a critical information infrastructure operator (CIIO)
- It must process the personal information of fewer than one million individuals
- It must not have transferred the personal information of 100,000 or more individuals out of the PRC, cumulatively, since January 1 of the previous year
- It must not have transferred the sensitive personal information of 10,000 or more individuals out of the PRC, cumulatively, since January 1 of the previous year
Personal information protection impact assessments for standard contracts
The Measures require a personal information protection impact assessment (PIIA) to be carried out before personal information is transferred abroad under a standard contract.
Article 5 states that personal information processors should focus on the following areas when performing the assessment:
- The legality, legitimacy and necessity of the purpose, scope, and method of processing by both the personal information processor and the data importer
- The quantity, scope, type, and degree of sensitivity of the personal information, and the associated risks to the rights and interests of the individual
- The obligations undertaken by the data importer, and whether its management and technical measures are sufficient to keep the transferred personal information secure
- The risk of the personal information being leaked, tampered with, destroyed, lost or misused after transfer, and the impact on the rights and interests of the individual
- The impact of the data protection laws and policies of the importing country on the performance of the standard contract
- Other factors that may affect the security of the personal information transferred abroad
A personal information protection impact assessment is already required for any transfer of personal information outside of the PRC under Article 55 of the PIPL. Article 5 of the Measures clarifies what such an assessment must cover when the transfer relies on a standard contract.
What should a standard contract include?
Article 6 of the Measures sets out the required contents of a standard contract for the cross-border transfer of personal information.
A standard contract must include:
- Information relating to the personal information processor and the data importer, such as:
  - Name
  - Address
  - Contact information
- Information relating to the personal information subject to transfer, including:
  - Purpose and scope of the processing activity
  - Quantity, type, and sensitivity of the personal information
  - Applicable retention period
  - Storage location
- The responsibilities of the personal information processor and the data importer to protect personal information
- The technical and management security measures taken to address risks to personal information
- The impact of the data protection laws and policies of the importing country on the performance of the contract
- The rights of personal information subjects and the means by which they can exercise them
- Remedies, the right to rescind the contract, liability for breach of contract, and dispute resolution, among other things
Once a standard contract has taken effect, the personal information processor must file it, together with the personal information protection impact assessment report, with the provincial-level cyberspace administration within 10 working days of the effective date.
Significant updates from the draft SCCs
Although the final SCCs do not differ substantially from the draft released for public comment on June 30, 2022, there are two key updates.
1. Separate consent requirements for cross-border transfers
Under the final text, a company needs to obtain separate consent from individuals for a cross-border transfer only when consent is the legal basis for the transfer. Where the transfer rests on another legal basis under the PIPL, separate consent is not required for the onward transfer to go ahead. It is currently unclear whether this item applies only to onward transfers (from the data importer to other non-Chinese entities), or whether the CAC is in fact waiving the requirement for separate transfer consent between the data exporter and the individual whenever the legal basis for processing is not consent. We expect the CAC to clarify this soon.
2. Data access requests from local governments
Under this requirement, the overseas recipient must notify the personal information processor if it receives a request for the transferred data from a government department or judicial body in its own jurisdiction. This obligation could cause confusion where the rules of the recipient country conflict with the SCCs, e.g. where local law prohibits notifying the company in China while the SCCs require that notification.
Operational impact
Businesses will still need to provide the individual with information about the processing and the transfer and, in most cases, obtain separate consent from the individual before exporting the data out of the PRC.
On the practical side, the China SCCs impose a heavier administrative burden than the EU SCCs. Beyond the obligation to conduct the corresponding personal information protection impact assessment (PIIA), every signed standard contract must be filed with the local CAC branch within 10 working days of its effective date, accompanied by the completed PIIA. There is also a related obligation to file an update whenever the circumstances of the transfer change.
A further difference from the EU SCCs is that the Chinese PIPL SCCs are stricter on onward transfers, including (among other things) fairly broad obligations to inform individuals of the particulars of any onward transfer. The Measures take effect on June 1, 2023, and organizations then have a six-month grace period, until December 1, 2023, to put the SCCs in place for existing transfers.
Organizations should check the application threshold of the SCCs to determine whether they can rely on them when planning to transfer personal information out of the PRC. The requirements for personal information protection impact assessments and for the contents of the standard contract should not present major challenges, especially for organizations that have already put contracts in place under the European Commission’s revised (2021) SCCs.
The Measures also contain record-keeping and confidentiality requirements, as well as further detail on how standard contracts will be supervised and how violations will be enforced.
To stay up to date on China’s SCCs and other regulatory news, join OneTrust DataGuidance today.