Author: Yingying Zhu, Partner at BEIJING MINGDUN LAW FIRM
Email: zhu.yingying@mdlaw.cn
Date: August 30, 2023
Introduction
The China Standard Contractual Clauses (hereinafter the “China SCCs”), together with their application rules, were promulgated by the Cyberspace Administration of China (hereinafter the “CAC”) on February 24, 2023, and took effect on June 1, 2023.
The CAC offers a six-month grace period for personal information handlers[1] (hereinafter the “PI Handlers”) to take the measures necessary to bring their cross-border transfers of Personal Information (hereinafter the “PI”) into compliance. That grace period ends on November 30, 2023, so only three months remain to incorporate the China SCCs into existing data transfer provisions, and the clock is ticking.
“The Trio”
According to Article 38 of the Personal Information Protection Law of the People’s Republic of China (hereinafter the “PIPL”[2]), effective November 1, 2021, a PI Handler (i.e., the “Data Exporter”) that intends to transfer PI to an entity located outside of China (i.e., the “Overseas Recipient”) must first ensure that it has adopted one of the following three mechanisms:
1. Pass a security assessment administered by the CAC, which is compulsory if the PI Handler’s data processing activities fall into one of the following four categories:
(1) Processing PI as a Critical Information Infrastructure Operator[3] (hereinafter the “CIIO”);
(2) Processing PI of more than 1 million PRC residents;
(3) Transferring PI of more than 100,000 PRC residents abroad in the preceding year; or
(4) Transferring sensitive PI of more than 10,000 PRC residents abroad in the preceding year.
All other PI Handlers, i.e., those not falling into one of the above four categories, may choose either of the following measures:
2. Obtain a PI protection certification issued by professional institutions pursuant to CAC regulations, or
3. Conclude an agreement with the Overseas Recipient based on the China SCCs for the PI transfers.
The release of the China SCCs and their application rules supplies the last missing piece of “the Trio” and provides a meaningful and time-efficient mechanism for PI Handlers to transfer PI outside of China, provided, of course, that they are neither CIIOs nor entities processing PI above the thresholds listed above.
Akin to the EU SCCs under the GDPR?
While sharing some similarities with the EU SCCs in setting forth the rights and obligations of the Data Exporter and the Overseas Recipient and requiring the Overseas Recipient to apply security measures (both technical and organizational) to safeguard the PI transferred, the China SCCs demonstrate some of the unique Chinese characteristics:
1. One Template Fits all
The EU SCCs take a modular approach: they include general clauses applicable to all cases plus four modules tailored to the capacity in which the parties will be using the personal data, and the parties must choose the module that reflects their situation (i.e., whether they are a controller, processor or sub-processor, and whether they are a data exporter or a data importer)[4]. The China SCCs, by contrast, describe the obligations of the Data Exporter and the Overseas Recipient in one uniform template.
In a nutshell, the reason can be explained as follows: the GDPR distinguishes the roles of data controller and data processor, whereas the PIPL defines only the role of the PI Handler (akin to the “data controller” under the GDPR) and not that of the data processor (referred to in Article 59 of the PIPL as the “Entrusted Party”). Under the PIPL, most direct obligations apply to PI Handlers, while the obligations of Entrusted Parties are not clearly prescribed by the law. As commonly understood, the obligations of Entrusted Parties arise largely from the contractual obligations imposed on them by the PI Handlers. This explains why, as an extension of the PIPL, the China SCCs have only one uniform template and do not distinguish the obligations of the parties according to their relationship or their roles and functions in the transfer of PI.
2. The Governing Law
Under the China SCCs, the establishment, validity, performance and interpretation of the contract, and any disputes arising from it, are governed by the relevant laws and regulations of China. Under the EU SCCs, in the controller-to-controller, controller-to-processor and processor-to-processor scenarios, the parties may choose as governing law the law of any EU Member State that allows for third-party beneficiary rights; in the processor-to-controller scenario, the parties may choose the law of any country that allows for third-party beneficiary rights.
3. Filing Obligation
The China SCCs shall be filed with the provincial CAC for recordation within 10 working days of their execution, and a PI protection impact assessment report shall be submitted as part of the recordation documents. Nevertheless, whether or not the recordation is filed with the provincial CAC does not affect the validity of the China SCCs executed between the parties.
In the case of the EU SCCs, they can be used by Data Exporters, without the need to obtain a prior authorization (for the data transfer or the clauses used) from a data protection authority.[5]
4. Onward Transfers of PI
Under the China SCCs, the Overseas Recipient may further transfer PI to third parties only if all of the following requirements are met:
1) There are true commercial needs for the PI’s onward transfers;
2) The PI subjects have been duly informed;
3) Where the processing of PI is based on individual consent, the individual’s separate consent should be obtained;
4) The third parties have been obligated by a contract offering an adequate level of PI protection as the China SCCs;
5) The prior consent of the PI Handler should be secured; and
6) The PI processing activities of the third parties should be supervised.
5. No Alteration
Except for the optional choices left to the parties under specific clauses, such as the choice of the place of arbitration, the China SCCs must be accepted as a whole when the parties incorporate them into their agreement. The parties may only agree on supplementary terms, and only provided that those supplementary terms do not conflict with the China SCCs.
Under the EU SCCs, if the parties change the text of the SCCs themselves (i.e., beyond choosing the relevant modules and/or options and filling in the square brackets and annexes), the modified clauses may no longer be used as a basis for data transfers to third countries unless they are approved by a national data protection authority as “ad hoc clauses” (pursuant to Article 46(3)(a) of the GDPR).[6]
Conclusion
With specific PI protection safeguards to ensure that PI is adequately protected when transferred outside of China, the China SCCs can serve as a convenient tool for cross-border PI transfers, provided that the PI Handler, i.e., the Data Exporter, does not fall within the four prescribed categories for which the China SCCs are not an option.
Given the significance of the China SCCs and the timeline for their mandatory adoption (only three months left), businesses with data flows into and out of China that have not already done so are advised to take immediate action to: 1) obtain a proper English translation of the China SCCs from a trustworthy source; 2) comprehend the China SCCs and understand their differences from the EU SCCs; 3) determine whether any existing technical and organizational practices will be affected; 4) find out whether their important business partners in China belong to the four prescribed categories and whether those partners understand the application rules of the China SCCs; and 5) review, re-negotiate, draft and update agreements, protocols, policies and procedures where necessary.
[1] PI Handlers determine the purpose and means of processing of PI and operate in a way similar to “data controllers” under other privacy and data protection laws (e.g., the European Union’s General Data Protection Regulation (2016/679) (“GDPR”)).
[2] On November 1, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), came into effect. The PIPL basically requires that operators of websites, mobile phone applications or any other technologies that collect and process data obtain consent from users, or have another legitimate basis, in order to collect or process the users’ PI.
[3] Critical information infrastructure operators, and entities processing PI above a certain threshold, are required to store PI domestically. If it is necessary for them to transfer such PI overseas, they must pass a security assessment administered by the CAC. “Critical information infrastructure” (normally referred to as “CII”) means network facilities and information systems in important industries and fields, such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and science, technology and industry for national defense.
[4]See https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en.
[5] Ibid.
[6] Ibid.