On Feb 27, 2023, the Cyberspace Administration of China (CAC) finalized its Standard Contractual Clauses (SCCs), along with the measures on the SCCs. The SCCs have been designed to regulate the transfer of personal information out of the People’s Republic of China (PRC) in line with the Personal Information Protection Law (PIPL) that entered into force late last year.
The SCCs contain a number of provisions, including an application threshold for organizations looking to use SCCs to transfer personal information out of the PRC, requirements for privacy impact assessments (PIAs) relating to the use of the SCCs, and the required information that the SCCs must contain.
These SCCs aim to protect the rights and interests of personal information, promote cross-border security, and encourage the free flow of personal information. Currently, organizations looking to transfer personal information outside of the PRC must do so based on one of the following conditions outlined by Article 38 of the PIPL:
While the new SCCs look to have strict conditions for their use, they would enable greater opportunities for cross-border collaboration and data mobility.
Article 4 of the SCC document outlines the specific conditions that a personal information processor in the PRC, the equivalent of a Data Controller under the GDPR, would need to meet in order to sign a standard contract.
In order to be able to sign a standard contract, a personal information processor must meet the following criteria:
The SCCs include requirements for conducting a personal information impact assessment ahead of transferring personal information internationally using a standard contract.
Article 5 states that personal information processors should focus on the following areas when performing an impact assessment:
The performance of a personal information protection impact assessment is already a requirement for transferring personal information outside of the PRC under Article 55 of the PIPL. However, Article 5 clarifies the nature and contents of assessments specifically for the use of standard contracts.
Article 6 of the SCCs outlines the proposed contents of a standard contract for the international transfer of personal information.
Standard contracts will be required to include:
Once a standard contract has been developed and agreed upon, the personal information processors will be required to submit the contract alongside the personal information protection impact assessment to the cybersecurity department of the local government within 10 working days from the effective date.
Although there are no substantial changes to the SCCs from the previous draft version, which was released for public comment on June 30, 2022, there are two key updates.
1. Separate consent requirements for cross-border transfers
This change states that companies only need to obtain separate consent from customers during international transfers when consent is the legal basis of the transfer. In cases where consent is not the legal basis for cross-border transfers under PIPL, companies are not required to obtain separate consent to move forward with the onward data transfer. There is currently some confusion as to whether this item applies only to onward data transfers (from the data importer to other non-Chinese entities), or if CAC is in fact waiving the requirement for separate transfer consent between the data exporter and the individual in cases where the processing legal basis isn’t consent. We expect more clarification on this topic coming from the CAC soon.
2. Data access requests from local governments
This requirement states that the overseas recipient of the data from a cross-border transfer must notify the processor in case any data access request is submitted from a local government department (or judicial body). This obligation could lead to possible confusion stemming from differences between the regulations in the recipient country and China – e.g. local regulations preventing notification to the company in China, while SCCs require notification to the Chinese company.
Firstly, businesses will still need to provide the individual with information about the processing and transfer along with (in most cases) obtaining separate consent from the individual to export this data out of the PRC.
On the practical side, China's SCCs present more administrative burdens to businesses than the EU SCCs. Aside from the obligation to conduct a corresponding PIIA, every signed SCC will need to be filed with the local CAC branch within 10 business days of signature/effective date. The SCCs are meant to be accompanied by the completed PIIA. There is also a related obligation to submit updated filings for any changes to the transfer.
A further distinguishing factor from the EU SCCs is that the Chinese PIPL SCCs are stricter in their requirements for onward data transfers, which include (among others) quite broad obligations to inform individuals about the particulars of the onward data transfers. The measures will come into force on 1 June 2023, and organizations then have until December 1st to put the SCCs into place.
Organizations should understand the application threshold of the SCCs to determine whether they are applicable for use when planning to transfer personal information out of the PRC. Requirements for personal information protection impact assessments and developing the contents of the standard contracts should not present any major challenges for organizations to contend with, especially those who have already developed contracts with the European Commission’s revised SCCs.
The SCCs also contain requirements relating to record-keeping and confidentiality, as well as further information on how standard contracts and potential violations will be enforced.