July 1, 2022
Cyberspace Administration of China Publishes Draft SCCs for Public Comment
On June 30, 2022, the Cyberspace Administration of China (CAC) published its draft Standard Contractual Clauses (SCCs) for public comment. The SCCs have been designed to regulate the transfer of personal information out of the People’s Republic of China (PRC) in line with the Personal Information Protection Law (PIPL) that entered into force late last year.
The draft SCCs include a number of provisions, among them an application threshold for organizations looking to use SCCs to transfer personal information out of the PRC, requirements for privacy impact assessments (PIAs) relating to the use of the SCCs, and the required information that the SCCs must contain.
According to the draft document, these SCCs aim to protect the rights and interests of personal information, promote cross-border security, and encourage the free flow of personal information. Currently, organizations looking to transfer personal information outside of the PRC must do so based on one of the following conditions outlined by Article 38 of the PIPL:
- Conducting a security assessment organized by the CAC
- Obtaining personal information protection certification from a specialized institution according to the provisions issued by the CAC
- Concluding a contract stipulating both parties’ rights and obligations with the overseas recipient in accordance with a standard contract established by the CAC
- Meeting other conditions set forth by laws and administrative regulations and by the CAC
While the new draft SCCs look to have strict conditions for their use, they would enable greater opportunities for cross-border collaboration and data mobility.
Organizational thresholds for signing draft SCCs
Article 4 of the draft SCC document outlines the specific conditions that a personal information processor in the PRC, the equivalent of a Data Controller under the GDPR, would need to meet in order to sign a standard contract.
In order to be able to sign a standard contract, a personal information processor must meet the following criteria:
- They must be an operator of non-critical information infrastructure
- They must handle the personal information of fewer than one million people
- They must not have transferred the personal information of over 100,000 people internationally since January 1 of the preceding year
- They must not have transferred the sensitive personal information of more than 10,000 people internationally since January 1 of the previous year
Personal information protection impact assessments for standard contracts
The draft SCCs include requirements for conducting a personal information impact assessment ahead of transferring personal information internationally using a standard contract.
Article 5 of the draft states that personal information processors should focus on the following areas when performing an impact assessment:
- The purpose, scope, and method of processing personal information by both the personal information processor and the data importer
- The quantity, scope, type, and degree of sensitivity of the personal information and the associated risks to the rights and interests of the individual
- The responsibilities of the data importer
- The risk of unauthorized access and the impact on the rights and interests of the individual
- The impact of local data protection law of the importing country on the performance of the standard contract
- Other security considerations for transferring personal information internationally
The performance of a personal information protection impact assessment is already a requirement for transferring personal information outside of the PRC under Article 55 of the PIPL. However, Article 5 of the draft document clarifies the nature and contents of assessments specifically for the use of standard contracts.
What should a standard contract include?
Article 6 of the draft SCCs outlines the proposed contents of a standard contract for the international transfer of personal information.
Under this proposal, standard contracts will be required to include:
- Information relating to the personal information processor and the data importer, such as:
  - Contact information
- Information relating to the personal information subject to transfer. This includes:
  - Purpose and scope of the processing activity
  - Quantity, type, and sensitivity of personal information
  - Applicable retention period
  - Storage location
- Responsibilities of the personal information processors and data importer to protect personal information
- The technical security measures taken to prevent risk to personal information
- The impact of data protection law in the import country on the validity of the contract
- The rights of personal information subjects
- Remedies, availability to rescind contracts, liability for breach of contract, and dispute resolution, among other things
Under the draft proposals, once a standard contract has been developed and agreed upon, the personal information processors will be required to submit the contract alongside the personal information protection impact assessment to the cybersecurity department of the local government within 10 working days from the effective date.
Firstly, businesses will still need to provide the individual with information about the processing and transfer along with obtaining separate consent from the individual to export this data out of the PRC.
Organizations should understand the application threshold of the draft SCCs to determine whether they can use them when planning to transfer personal information out of the PRC. Requirements for personal information protection impact assessments and developing the contents of the standard contracts should not present any major challenges for organizations, especially those who have already developed contracts with the European Commission’s revised SCCs.
The draft document also contains record-keeping and confidentiality requirements, as well as further information on how standard contracts and potential violations will be enforced.
The public consultation is open on July 29, 2022, and public comments on the draft can be submitted to [email protected]