The long-awaited Chinese standard contractual clauses and SCC Regulations were finally released by the Cyberspace Administration of China Feb. 24, effective June 1. This indicates that all three major legal mechanisms under China's Personal Information Protection Law, namely CAC-led security assessment, certification by licensed professional institutions, and Chinese SCCs, are all fully established with the necessary details for implementation.
Application scope
According to the SCC Regulations, business organizations are only allowed to adopt the SCCs for transferring China data abroad if ALL of the following conditions are satisfied:
- The data exporter is not a critical information infrastructure operator — CIIO, which is broadly defined to cover business entities in financial, energy, telecom, public utility, health care, transportation, e-government and other sectors that have a concern on national security and public interest of China.
- The data exporter has not processed personal data exceeding 1 million individuals.
- The data exporter has not made aggregated transfers of personal data exceeding 100,000 individuals since Jan. 1 of the preceding year.
- The data exporter has not made aggregated transfers of sensitive personal data exceeding 10,000 individuals since Jan. 1 of the preceding year.
It is worth noting the above thresholds for China's SCCs are neatly aligned with the cross-border data transfers, which are subject to the CAC-led security assessment. Under the Measures on Security Assessment for Outward Data Transfer, issued by the CAC in August 2022 and effective Sept. 1, 2022, an international data transfer from China is required to go through the CAC-led security assessment if it falls into the opposite of any of the above four conditions.
The SCC Regulations explicitly prohibit businesses from transferring China data abroad by breaking down the data volume to circumvent the CAC security assessment mechanism.
Specific requirements for Chinese SCCs
Unlike the EU General Data Protection Regulation SCCs, which cover four different models of controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller, China's SCCs only have one universal template, regardless of the role and function of the parties.
Before entering into the cross-border data transfer agreement, the data exporter is required to conduct an impact assessment and prepare an impact assessment report by considering multiple factors, including:
- Validity, necessity and appropriateness for the cross-border data transfer.
- Scope, category, volume and sensitivity of the data transferred.
- Obligations to be undertaken by the foreign data recipient.
- What technical and organizational measures are to be adopted by the foreign recipient.
- Potential risk of personal data being breached, leaked or damaged after the transfer and what remedy channels are available to data subjects.
- Data protection laws and policies of the foreign destination countries.
- Other aspects which may affect the cross-border data transfer.
The cross-border data transfer agreement must be prepared based on the SCC standard terms. The parties are not allowed to make changes to the standard SCC terms, although they can add supplementary terms without conflicting with the standard terms in the appendix of the agreement.
A considerable amount of terms in China's SCCs mirror the GDPR SCCs in relation to the obligations of the transferor, the responsibilities of the foreign data recipient, and the right entitled by the data subjects. However, there are notable clauses with significant Chinese characteristics, for example:
- The Chinese SCCs impose stricter requirements on onward data transfer than the GDPR SCCs. Under the Chinese SCCs, the foreign data recipient is only allowed to make further transfer upon satisfaction of certain conditions, such as giving required notification to data subjects, adopting sufficient technical measures, and signing the agreement by the onward transferee to ensure data protection.
- Data subjects can enjoy the contractual right under the Chinese SCC terms as a third-party beneficiary and make a claim against both the data transferor and foreign data recipient. Both the data transferor and foreign data recipient shall assume the joint and several liabilities to the data subjects.
- The Chinese SCCs provide that the cross-border data transfer agreement must be governed by Chinese law, while the GDPR SCCs allows more flexibility to choose either an EU country law or non-EU country law as the governing law.
- In terms of dispute resolution, the parties to the Chinese SCCs can choose to either litigate at a Chinese court or refer the disputes to a Chinese arbitration tribunal or an international arbitration tribunal according to the 1958 New York Convention on the Recognition and Enforcement of Foreign Arbitration Awards.
Within 10 working days of effectiveness, the SCC-based data transfer agreement and the impact assessment report must be filed with the provincial CAC. The coming into force of the Chinese SCC-based cross-border data transfer agreement is not conditional upon the filing with the CAC authorities.
The parties are required to redo the impact assessment, review/update the cross-border agreement and make further filings with provincial CAC in case of certain circumstances such as the extension of data retention period, changes to the purpose, scope, category, volume, storage location and sensitivity of personal data to be processed outside China, changes of the personal data protection laws and policies in foreign destination countries affecting the rights and benefits of data subjects, and other situations which may affect data subjects.
Liability and enforcement
The SCC Regulations provide for "teeth" to regulate noncompliance. If the provincial CAC thinks the cross-border data transfer poses substantial risk or major data incidents, the CAC officials will request interviews and meetings with the data exporter and order rectifications. They also set up a whistle-blowing mechanism where individuals or organizations can report to provincial CAC authorities on noncompliant cross-border data transfer activities.
The SCC Regulations further provide that if any of those irregularities constitute noncompliance with China's Personal Information Protection Law, the violator will face administrative, civil and even criminal liabilities, where the maximum penalties to reach RMB50 million, approximately USD7.8 million, or 5% of the last year's turnover, whichever is higher, under the PIPL.
Key takeaways
- The SCC Regulations and the Chinese SCCs will come into force June 1, and have significant implications for multinational corporations which transfer employee data, customer data and other personal data outside China during their business operations.
- Compared to other data export mechanisms under the PIPL — CAC security assessment and certification by licensed professional institutions — the Chinese SCCs regime is expected to have apparent advantages because of more foreseeability of contract terms and time/cost efficiency.
- On the other hand, if the data transfer has triggered the CAC-led security assessment scenario, the business organization must follow the CAC procedures, and the SCC structure would not be an option in that case. In practice, the transfer of important data and a large volume of personal data will generally fall within the scope of CAC security assessment and the Chinese SCCs tend to apply to the transfer of relatively small-scale of personal data.
- It is worth noting that the SCC Regulations expressly prohibit splitting or breaking down the volume of the data to avoid the CAC security assessment. Therefore, companies must map out China-related data flows and perform a proper assessment to determine the permissible and appropriate cross-border data transfer mechanism according to the relevant laws.
- Where it is possible to rely on the Chinese SCCs for transferring data outside China, organizations should take necessary compliance actions as soon as possible. After June 1, all new cross-border data transfer agreements must be entered into based on China's SCCs. Organizations that have transferred personal data from China before June 1 have a grace period of six months ending Nov. 30 to take remedial actions for their international data transfer activities and revise their data transfer agreement based on the Chinese SCCs.
- From a practical perspective, the SCC Regulations and the Chinese SCCs provide a considerable amount of work to be done before the cross-border data transfer and enhance the best practices. Data handlers are required to exercise due diligence over the foreign data recipient, compile and put together information and documents for performing the impact assessment, send notifications to the data subjects according to the SCC terms, and review, negotiate and enter into the data transfer agreement.
- The impact assessment report and signed SCC-based data transfer agreement must be filed with the provincial CAC within the required time frame, and all documents filed with CAC authorities must be written in Chinese. Failure to comply with the filing will expose the companies to potential legal liability and penalties under the SCC Regulations and the PIPL. The active investigations and sky-high penalties, e.g., approx. USD1.2 billion imposed on a major online company in 2022 show Chinese regulators will remain active in vigorous enforcement actions in the coming months and years.
- Given the amount of information expected to be collected both in China and outside China, data flow mapping to be done, the assessment report to be prepared and the agreement to be updated and finalized, it is advisable to put necessary steps in action as soon as possible, rather than leaving things to the last minute.
- The compliance steps are not one-time work. Companies should monitor and track the life-cycle performance of the China SCCs, secure legal advice and take required measures in case of any changes to the China SCCs for continued compliance.