The long-awaited final version of the Standard Contractual Clauses for Cross-Border Data Transfers from China (the “Chinese SCCs”) was published on February 24, 2023, by the Cyberspace Administration of China (“CAC”) through the Measures for Standard Contracts for Transferring Personal Information Overseas (the “Measures”), forcing companies to act promptly.
This article is based on the post published on the DLA Piper Privacy Matters blog by my Chinese colleagues, available here.
On the adoption of the Chinese SCCs, there is a grace period until December 1, 2023, for data controllers to:
- Sign new Chinese Standard Contractual Clauses with overseas recipients of their personal information; and
- File with the local CAC office a copy of the signed Chinese SCCs and the corresponding personal data impact assessment (“PIIA,” the Chinese version of the GDPR’s DPIA) completed by the organization.
The Measures will go into effect on June 1, 2023, and organizations will have six months, until December 1, 2023, to comply with them.
Who must execute the Standard Contractual Clauses to transfer personal data from China?
Personal data controllers that do not meet the thresholds for the CAC assessment/approval pathway, and that are not non-Chinese controllers subject to the CAC certification pathway, must follow the Chinese SCC pathway to legitimize their transfers of personal data outside mainland China.
As a reminder:
- Organizations that must follow the CAC assessment/approval route are (1) organizations designated as a Critical Information Infrastructure Operator; (2) organizations that export “big data”; (3) organizations that process the personal information of more than one million people and intend to export some of it; or (4) personal data controllers that transfer abroad (i) the personal information of more than 100,000 persons in the aggregate, or (ii) the sensitive personal information of more than 10,000 persons in the aggregate, where “in the aggregate” means counted from January 1 of the previous year; and
- Non-Chinese personal data controllers must instead follow the alternative CAC certification route (details still need to be published).
Data controllers who follow the CAC assessment/approval route or the CAC certification route do not have to sign and file Chinese SCCs. The Chinese SCCs are drafted assuming the personal data controller is a mainland Chinese company. That said, it would be reasonable for such organizations to still sign Chinese SCCs with overseas recipients of Chinese personal information as proof of good practice, even if they do not need to do so within the grace period or file them.
Chinese SCCs apply to both C2C and C2P transfers
Unlike the GDPR SCCs, the Chinese SCCs do not distinguish between transfers from a Chinese data controller to another data controller (C2C) and transfers from a data controller to a data processor (C2P). In both cases the Chinese data controller is obligated to sign and file Chinese SCCs. In a C2C situation, both personal data controllers (assuming both are Chinese entities subject to the Chinese SCC route) should file signed Chinese SCCs, along with the independent PIIA each of them conducted for the transfer.
The Measures do not clarify whether data controllers must sign and file Chinese SCCs with their sub-processors. Pending guidance on this issue, it is advisable to forward the Chinese SCCs to such sub-processors as a matter of good practice.
Like GDPR SCCs, Chinese SCCs should be executed “as is.” This obligation is good news for data controllers seeking to sign Chinese SCCs with large technology providers, as it should speed up the signing process. On the other hand, unlike the GDPR SCCs, organizations can negotiate additional (i.e., improved) terms with overseas data recipients as long as they do not conflict with the Chinese SCCs. However, in practice, many data controllers will be reluctant to sign additional conditions to the Chinese SCCs.
How to file the SCCs for data transfers from China?
Organizations must submit documentation to the local CAC office that includes:
- executed Chinese SCCs – in the Chinese language; it is unclear whether bilingual versions will be accepted; and
- the corresponding PIIA,
within ten working days of the entry into force of the Chinese SCCs (i.e., from the date of signing or the entry-into-force date indicated in the signed version). A separate filing will therefore be required for each overseas transfer/recipient.
Details of the in-person or online filing procedure have yet to be published.
It is unclear whether “any other agreements” related to the transfers must also be filed. Previously, it seemed that only the signed Chinese SCCs would need to be filed, meaning that it would be reasonable to include the Chinese SCCs as an addendum to the overall DPA or underlying agreement, to manage the risk of unnecessarily disclosing additional or commercial terms to the CAC. It remains to be seen whether this approach is sustainable or whether the CAC expects the entire agreement, or a partially redacted version of the whole agreement, to be disclosed as well. Given the potential impact on confidentiality clauses and contract structuring, CAC will issue guidance on this as soon as possible.
Need to update the filing in case of changes to personal data transfers
Unlike the CAC evaluation/approval route, there are no time limits on the validity or legitimacy of Chinese SCCs once signed and filed. However, organizations must sign a supplement or a new set of Chinese SCCs and re-file them with the local CAC branch with an updated PIIA if:
- There is a change in the purpose, scope, category, degree of sensitivity, method, storage location, or duration of personal information transferred abroad; or
- There is a change in the purpose or method of processing personal information by the foreign recipient; or
- There is a change in the personal information protection policies or regulations of the foreign recipient’s jurisdiction that may affect the rights and interests of personal information subjects, which means that organizations should monitor changes in data protection laws abroad and undertake mini-TIAs within their PIIAs to assess whether such regulatory changes could have that effect; or
- Other circumstances that may affect the rights and interests of the data subject occur.
This means that active monitoring of processing activities, overseas recipients, and the laws of the jurisdictions in which they operate is necessary. We anticipate that many local and Chinese data protection teams will need to increase their existing resources or headcount to incorporate this into their data protection compliance programs.
Chinese SCCs are not the only compliance measures required for data transfers
Submitting Chinese SCCs alone does not legitimize cross-border transfers of personal data. One should not forget the following:
- Explicit and separate consent for cross-border data transfers is required, in addition to the general consent for data processing and the other separate consents (for processing sensitive personal information, among other things);
- Conducting a PIIA is compulsory; and
- It is necessary to take technical and organizational measures to ensure that data is processed according to standards similar to those under China’s data protection laws (e.g., due diligence, ongoing monitoring of vendors, etc.).
The Measures specifically mention the requirement for separate consent when transferring personal information abroad for processing activities that rely on the legal basis of consent. We await clarification from the CAC on whether the separate consent requirement will be waived for processing activities based on the (limited) alternative legal bases under the PIPL.
Clarification on the CAC assessment/approval pathway
For organizations that have already considered whether or not to follow the CAC assessment/approval pathway, the CAC clarified that organizations cannot circumvent the CAC assessment pathway by artificially structuring the volume of personal data processed, for example by dividing it among multiple organizations or legal entities. Organizations that still need to submit their CAC assessment applications before the March 1, 2023 deadline are strongly urged to reconsider their internal assessments of whether or not they meet the relevant thresholds.
Next steps for personal data transfers from China
Organizations must sign SCCs for China as a priority or risk having to stop cross-border transfers of personal data from China. DLA Piper is creating a template addendum for China SCCs for organizations to use, so contact us for assistance.
If you are interested instead in transferring personal data under the GDPR, you can read this article: “Do you have a methodology for evaluating non-EEA data transfers after the Schrems II ruling?”