Language

The Clock is Ticking: 3 Months Left to Adopt the China SCCs for Cross-border Data Transfer

Author: Yingying Zhu, Partner at BEIJING MINGDUN LAW FIRM

Email: zhu.yingying@mdlaw.cn

Date: August 30, 2023


Introduction

 

The China Standard Contractual Clauses (hereinafter the “China SCCs”) as well as the application rules have been promulgated by the Cyberspace Administration of China (hereinafter the “CAC”) on February, 24, 2023, and have become effective on June 1, 2023.

The CAC offers a six-month grace period for personal information handlers [1](hereinafter the “PI Handlers”) to take necessary measures to comply with the requirements for their cross-border transfer of Personal Information (hereinafter the “PI”), which will end on November 30, 2023, therefore only three months are left to incorporate the China SCCs into the current data transfer provisions, and the clock is ticking.

 

“The Trio”

According to Article 38 of the Personal Information Protection Law of the People’s Republic of China (hereinafter the “PIPL[2]), effective on November 1st, 2021, for PI Handler (i.e., the “Data Exporter”) who is to transfer PI to an entity located outside of China (i.e., the “Overseas Recipient”), the first thing should be made sure is that they have adopted one of the following three mechanisms:

1. Pass a security assessment administered by CAC, which is compulsory if the PI Handlers’ data processing activities are falling into one of the following four categories:

 

(1) Processing PI as a Critical Information Infrastructure Operators[3] (hereinafter the “CIIO”);

(2) Processing PI of more than 1 million PRC residents;

(3) Transferring PI of more than 100,000 PRC residents abroad in the preceding year; or

(4) Transferring sensitive PI of more than 10,000 PRC residents abroad in the preceding year.

 

For all the other PI Handlers not falling into one of the above four categories, they can choose one of the measures prescribed in the below:

 2. Obtain a PI protection certification issued by professional institutions pursuant to CAC regulations, or

 3. Conclude an agreement with the Overseas Recipient based on the China SCCs for the PI transfers.

The release of the China SCCs as well as the application rules completes the last missing piece for “the Trio” and it provides a meaningful and time efficient mechanism for PI Handlers to transfer PI outside of China, if, of course, they are neither the CIIOs nor entities processing a certain threshold amount of PI as listed in the above.

 

Akin to the EU SCCs under the GDPR?

While sharing some similarities with the EU SCCs in setting forth the rights and obligations of the Data Exporter and the Overseas Recipient and requiring the Overseas Recipient to apply security measures (both technical and organizational) to safeguard the PI transferred, the China SCCs demonstrate some of the unique Chinese characteristics:

1. One Template Fits all

While the EU SCCs have a modular approach, include general clauses applicable to all cases and four modules tailored to the capacity in which the parties will be using the personal data and the parties have to choose the module that reflects their situation (i.e., if they are a controller, processor or a sub-processor) and whether they are a data exporter or a data importer[4],  the China SCCs generally describe the obligations of the Data Exporter and the Overseas Recipient in one uniformed template.

In a nutshell, the reason could be explained as follows: the GDPR distinguishes the roles of the data controller and data processor, while the PIPL only defines the role of the PI handler (which is akin to “data controller” under the GDPR) but not data processor (which is referred to under Article 59 of the PIPL as the “Entrusted Party”). Under the PIPL, most direct obligations apply to PI Handlers, while obligations on Entrusted Parties are not clearly prescribed by the law. As commonly understood, the obligations of the Entrusted Parties largely arise based on contractual obligations imposed on these entities by the PI Handlers. This explains that as an extension of the PIPL, the China SCCs only have one uniformed template, without distinguishing the obligations of the parties based on their relationship or their roles and functions in the transfers of PI.

2. The Governing Law

Under the China SCCs, the establishment, validity, performance,  and the interpretation of the contract and any disputes arising from the contract shall be governed by the relevant laws and regulations of China, while in the EU SCCs, under the data transfer scenarios of controller-to-controller, controller-to-processor, and processor-to-processor, the governing law could be the law of one of the EU Member States allowing for third-party beneficiary rights, chosen by the parties, and under the scenario of processor-to-controller, the governing law could be the law of any country allowing for third-party beneficiary rights, chosen by the parties.

3. Filing Obligation

The China SCCs shall be filed with the provincial CAC for recordation within 10 working days upon their execution. At the same time, a PI protection impact assessment report shall be submitted as part of the recordation documents. Nevertheless, whether or not the recordation is filed with the provincial CAC will not affect the validity of the China SCCs executed between the parties.

In the case of the EU SCCs, they can be used by Data Exporters, without the need to obtain a prior authorization (for the data transfer or the clauses used) from a data protection authority.[5]

4. Onward Transfers of PI

Under the China SCCs, PI can only be further transferred to third parties by the Overseas Recipient if the following requirements are all well met:

1) There are true commercial needs for the PI’s onward transfers;

2) The PI subjects have been duly informed;

3) Where the processing of PI is based on individual consent, the individual’s separate consent should be obtained;

4) The third parties have been obligated by a contract offering an adequate level of PI protection as the China SCCs;

5) The prior consent of the PI Handler should be secured; and

6) The PI processing activities of the third parties should be supervised.

 

5. No Alteration

 

Except for the optional choices left to the parties under the specific clauses, such as the choices for the place of arbitration, the China SCCs shall be accepted as a whole when being incorporated by the parties as part of their agreement who could only decide supplementary terms of their agreement, provided that those supplemented terms are not conflicting with the China SCCs.

While under the EU SCCs, if the parties change the text of the SCCs themselves (i.e. beyond choosing the relevant modules and/or options and filling in square brackets and annexes), the modified clauses may no longer be used as a basis for data transfers to third countries, unless they are approved by a national data protection authority as “ad hoc clauses” (pursuant to Article 46(3)(a) of the GDPR).[6]

 

Conclusion

 

With specific PI protection safeguards to ensure that PI are adequately protected when transferring outside of China, the China SCCs could be well utilized as a convenient tool for cross-border PI transfers, if the PI Handler, i.e., the Data Exporter, is not falling within the four prescribed categories where the use of the China SCCs would not be an option.

Given the significance and timeline (only three months left) for mandatory adoption of the China SCCs, if not already done so, businesses with data flows in and outside of China are advised to immediately take actions to 1) obtain a proper English translation of the China SCCs from a trustworthy source; 2) comprehend the China SCCs and understand their differences with the EU SCCs; 3) determine whether any existing technical and organizational practices will be impacted; 4) find out whether the important business partners in China belong to the four prescribed categories and whether they understand the application rules of the China SCCs; and 5) review, re-negotiate, draft, and update agreements, protocols, policies and procedures where and if necessary.



[1]PI Handlers determine the purpose and means of processing of PI and operate in a way similar to “data controllers” under other privacy and data protection laws (e.g., the European Union’s General Data Protection Regulation (2016/679) (“GDPR”).

[2] On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), has become effective. The PIPL basically requires that the operators of websites, mobile phone applications or any other technologies doing data collection and processing should obtain consent from users or have other legitimate basis in order to collect/process the users’ PI.

[3] Critical information infrastructure operators or entities processing a certain threshold amount of PI, will be required store PI domestically. If it is necessary for they to transfer such PI overseas, the data processor must pass a security assessment administered by CAC. “Critical information infrastructure” (normally referred to as “CII”) means any of network facilities and information systems in important industries and fields—such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and science, technology and industry for national defense.

[4]See https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en.

[5] Ibid.

[6] Ibid.


  • Related information More
  • 点击次数: 1000015
    2024 - 02 - 23
    Author: Yingying Zhu, Partner at BEIJING MINGDUN LAW FIRMEmail: zhu.yingying@mdlaw.cnDate: February 21, 2024Introduction There is a motto that you might be told as a kid: no one is born a winner; everyone is born a chooser-making choices as to who you want to be. However, when you grow up, you find that, sometimes with great frustration, this motto might not be true because some people are born with a sliver spoon in mouth while others are not as lucky. In the commercial world, there are products who are born winners-those with a Geographical Indication (hereinafter, the “GI”) which is a sign that identifies products that originate from a specific geographic location and possess certain qualities or reputation due to their origin. Some examples of domestic GIs in China are Kweichow Mo...
  • 点击次数: 1000018
    2024 - 01 - 18
    Author: Yingying Zhu, Partner at BEIJING MINGDUN LAW FIRMEmail: zhu.yingying@mdlaw.cnPublished: January 17, 2024China has a multiagency system for protecting geographical indication (GI) products. GIs can be registered as collective or certification trademarks before the China National Intellectual Property Administration (CNIPA). GI products can also gain protection from the former General Administration of Quality Supervision, Inspection and Quarantine. Primary products produced through farming can be protected as GIs of agricultural products before the Ministry of Agriculture and Rural Affairs. This multiagency system has proven to be burdensome, inconvenient, and sometimes confusing, especially to foreign GIs.To address resounding calls for reform, on September 18, 2023, CNIPA released...
  • 点击次数: 1000018
    2024 - 01 - 10
    Author: James LiuMain Trademark Legislation in China in 2023 1. The Standard for the Circumstances for Suspension of Review cases 2. Pre-filing of administrative litigation cases against review of refusals grant the plaintiff 12 months (not extendable)3. Measures for the Implementation of the Provisions on the Administration of Enterprise Name Registration 4. Convention on the Abolishment of the Legalization Requirements for Foreign Public Documents will come into effective in China5. Notice on comprehensively implementing online filing for opposition cases6. Draft Amendments to Chinese Trademark Law in 2023  1. On June 13, 2023, the Trademark Office under the CNIPA published the Interpretation on the Standard for the Circumstances for Suspension of Revie...
  • 点击次数: 9
    2023 - 10 - 20
    Author: jia chang ZhangIntroductionWith the development of science and technology, the patentability of biotechnology, especially human genes, has always been in dispute. Proponents argue that human genes should be patented without restriction, and that any possible challenges and concerns can be addressed by patent standards. This article will first analyz patent systems in the United States and Europe to examine the patentability of genes, and the role of patent standards in protecting human genetic development. Then focus on evaluating the legitimate concerns raised by opponents about human gene patents and assesses whether the three criteria for patents can fully solve existing problems. Finally, by introducing the unique licensing system in Canada, a new solution to the problem of hum...
× WeChat official account
Beijing Mingdun Law Firm www.mdlaw.cn
Copyright 2008 - 2020 Beijing Mingdun Law FirmRhino Cloud Provides Enterprise Cloud Services
X
1

QQ设置

3

SKYPE 设置

4

阿里旺旺设置

5

电话号码管理

6

二维码管理

展开