Cyberspace Administration of China Publishes Draft SCCs for Public Comment

The draft SCCs aim to set additional rules around personal information data transfers out of the People's Republic of China

Robb Hiscock Content Marketing Specialist | CIPP/E, CIPM

On June 30, 2022, the Cyberspace Administration of China (CAC) published its draft Standard Contractual Clauses (SCCs) for public comment. The SCCs have been designed to regulate the transfer of personal information out of the People’s Republic of China (PRC) in line with the Personal Information Protection Law (PIPL) that entered into force late last year.

The draft SCCs contain a number of provisions, including an application threshold for organizations looking to use SCCs to transfer personal information out of the PRC, requirements for privacy impact assessments (PIAs) relating to the use of the SCCs, and the required information that the SCCs must contain.

According to the draft document, these SCCs aim to protect the rights and interests of personal information, promote cross-border security, and encourage the free flow of personal information. Currently, organizations looking to transfer personal information outside of the PRC must do so based on one of the following conditions outlined by Article 38 of the PIPL:

  • Conducting a security assessment organized by the CAC
  • Obtaining personal information protection certification from a specialized institution according to the provisions issued by the CAC
  • Concluding a contract stipulating both parties’ rights and obligations with the overseas recipient in accordance with a standard contract established by the CAC
  • Meeting other conditions set forth by laws and administrative regulations and by the CAC

While the new draft SCCs look to have strict conditions for their use, they would enable greater opportunities for cross-border collaboration and data mobility.

Organizational thresholds for signing draft SCCs

Article 4 of the draft SCC document outlines the specific conditions that a personal information processor in the PRC, the equivalent of a Data Controller under the GDPR, would need to meet in order to sign a standard contract.

In order to be able to sign a standard contract, a personal information processor must meet the following criteria:

  • They must be an operator of non-critical information infrastructure
  • They must handle the personal information of fewer than one million people
  • They must not have transferred the personal information of over 100,000 people internationally since January 1 of the preceding year
  • They must not have transferred the sensitive personal information of more than 10,000 people internationally since January 1 of the previous year

Personal information protection impact assessments for standard contracts

The draft SCCs include requirements for conducting a personal information impact assessment ahead of transferring personal information internationally using a standard contract.

Article 5 of the draft states that personal information processors should focus on the following areas when performing an impact assessment:

  • The purpose, scope, and method of processing personal information by both the personal information processor and the data importer
  • The quantity, scope, type, and degree of sensitivity of the personal information and the associated risks to the rights and interests of the individual
  • The responsibilities of the data importer
  • The risk of unauthorized access and the impact on the rights and interests of the individual
  • The impact of local data protection law of the importing country on the performance of the standard contract
  • Other security considerations for transferring personal information internationally

The performance of a personal information protection impact assessment is already a requirement for transferring personal information outside of the PRC under Article 55 of the PIPL. However, Article 5 of the draft document clarifies the nature and contents of assessments specifically for the use of standard contracts.

What should a standard contract include?

Article 6 of the draft SCCs outlines the proposed contents of a standard contract for the international transfer of personal information.

Under this proposal, standard contracts will be required to include:

  • Information relating to the personal information processor and the data importer, such as:
    • Name
    • Address
    • Contact information
  • Information relating to the personal information subject to transfer. This includes:
    • Purpose and scope of the processing activity
    • Quantity, type, and sensitivity of personal information
    • Applicable retention period
    • Storage location
  • Responsibilities of the personal information processors and data importer to protect personal information
  • The technical security measures taken to prevent risk to personal information
  • The impact of data protection law in the import country on the validity of the contract
  • The rights of personal information subjects
  • Remedies, availability to rescind contracts, liability for breach of contract, and dispute resolution, among other things

Under the draft proposals, once a standard contract has been developed and agreed upon, the personal information processors will be required to submit the contract alongside the personal information protection impact assessment to the cybersecurity department of the local government within 10 working days from the effective date.

Operational impact

Firstly, businesses will still need to provide the individual with information about the processing and transfer along with obtaining separate consent from the individual to export this data out of the PRC.

Organizations should understand the application threshold of the draft SCCs to determine whether they are applicable when planning to transfer personal information out of the PRC. Requirements for personal information protection impact assessments and developing the contents of the standard contracts should not present any major challenges for organizations, especially those who have already developed contracts with the European Commission’s revised SCCs.

The draft document also contains record-keeping and confidentiality requirements, as well as further information on how standard contracts and potential violations will be enforced.

The public consultation is open on July 29, 2022, and public comments on the draft can be submitted to [email protected]
