Eight months after the issuance of the draft Measures on the Standard Contract for the Export of Personal Information (“SCC Regulations”), on February 24, 2023, the Cyberspace Administration of China (“CAC”) released the final version of the SCCs Regulations, along with the Standard Contractual Clauses (“SCCs”). The SCCs set a baseline for cross-border data transfer agreements. This can impact any business that relies on the sharing of information between China and third countries, like the United States.
The SCCs will come into effect on June 1, 2023, and companies have an additional six months (until November 30, 2023) to comply with the SCCs’ requirements for the transfer of data outside of China.
China’s Three Data Transfer Mechanisms are Now Settled
The PRC Personal Information Protection Law (“PIPL”) requires personal information processors (similar to the concept of data controllers under the General Data Protection Regulation) to implement one of the following three data transfer mechanisms, if personal information is transferred outside of China:
- Complete a Security Assessment by the CAC;
- Complete a Security Certification by a certification institution designated by the CAC; or
- Adopt the SCCs.
Prior to the release of the final SCCs, the CAC had already released the Measures on Security Assessment of Cross-Border Data Transfer and Specifications on Security Certification for Cross-Border Personal Information Processing Activities in the summer of 2022. These measures include detailed guidance on the security assessment and security certification process necessary for the transfer of data outside of China.
The issuance of the SCCs indicates that the final piece of the puzzle of China’s cross-border data transfer regime is now settled. Previously, many companies that were not required to go through the security assessment process took a “wait-and-see approach” pending the finalization of the SCCs. Now, with the final piece of China’s cross-border data transfer regime in place, a full assessment of the available data transfer mechanisms is required.
Application Scope of the SCCs
The SCCs may be a more user-friendly approach to qualify a data transfer, as the SCCsdo not require a review by the CAC or certification by a third-party institution. In addition, they provide for more definite contractual terms. However, the SCCs may be adopted only if all of the following conditions are met:
- The data exporter is not a critical information infrastructure operator (“CIIO”), which is broadly defined as an operator of critical network facilities or information systems in important industries (such as finance, energy, or transportation), where destruction, loss of function, or data leakage may seriously endanger China’s national security, peoples’ livelihood, or the public interest;
- The data exporter has not processed personal information of more than one million individuals (“Mass Processor”); AND
- Since January 1 of the previous year, the data exporter has not made aggregated transfers of:
- personal information of more than 100,000 individuals; or
- sensitive personal information of more than 10,000 individuals.
If any of the above conditions are not met, a CAC security assessment will be required instead, and the SCCs would not be an option. Notably, a CAC security assessment will also be triggered if any important data is transferred out of China, even if the SCCs are used to transfer data. Important data are broadly defined as any data that – if tampered with, destroyed, leaked, illegally accessed, or used – may endanger China’s national security, economic operation, social stability, or public health and safety.
Are Modifications to the SCCs Permissible?
According to the SCC Regulations, the parties are not allowed to make any modifications to the SCCs. The parties, however, may add terms, to the extent they do not conflict with the SCCs.
For companies who have already entered into a data processing agreement (“DPA”), questions abound regarding how the SCCs would interact and integrate with these existing agreements. Where corporations are considering combining the two through the use of exhibits, the SCCs may need to be the main body of an agreement, with any additional terms, including those in an existing DPA, placed into an exhibit.
Governing Law and Liability
Notably, the governing law of a DPA transferring data outside of China must be PRC law. However, the parties are granted some flexibility to submit their disputes under the SCCs to a PRC court or, if arbitration is preferred, to a PRC or international arbitration tribunal in a member state of the New York Convention.
Under the SCCs, the data exporter and the data importer assume joint and several liability to the data subjects. As such, data subjects can enforce their rights against both such parties as a third-party beneficiary under the SCCs.
Are There Different Modules Available for Different Transfer Scenarios?
The European Union’s Standard Contractual Clauses cover four different modules: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. China’s SCCs do not draw any distinction among such transfers. China’s SCCs, however, do set out different obligations where the overseas data recipient is an “entrusted processor.” An entrusted processor is a processor who does not determine the purpose or method of the processing, but instead only processes personal information based on a data transfer agreement with the personal information processor and/or the instructions from the personal information processor.
Liabilities for Violating the SCC Regulations
Companies violating the SCCs Regulations may be subject to:
- civil claims by data subjects for any damages caused;
- administrative penalties, including a fine up to RMB 50 million (approximately USD 7.3 million) or 5% of the last year’s turnover (whichever is higher), suspension of relevant business and revocation of business license or other licenses/approvals; and/or
- criminal liabilities in worst cases.
The SCC Regulations create a whistle-blowing mechanism for individuals or organizations to report any non-compliance or violations to the CAC. The CAC may also request a meeting with a company and may issue an order to a company to take corrective measures, if any significant risks or any data breach are identified.
What Steps Should Companies Take to Comply with the SCC Regulations?
Complying with China’s SCCs requires more than just signing the SCCs provided by the CAC. We set forth below some of the key steps that companies would take to comply with the requirements under the SCC Regulations.
Data Inventory: The first step toward compliance is often to conduct a data inventory to understand the type and volume of data transferred outside of China, the entities and jurisdictions involved, the purpose(s) and method of the processing, and the IT systems involved. The SCC Regulations specifically prohibit companies from dividing data among their subsidiaries in order to avoid volume thresholds that trigger the applicability of the security assessment.
Adopt an Appropriate Data Transfer Mechanism: Based on the findings of the data inventory, companies would then determine whether the data transfer triggers the security assessment by the CAC. If the security assessment is not triggered, the next step would be to determine the most appropriate data transfer mechanism. Generally, for intra-company data transfers, companies may choose to use security certifications or SCCs to qualify their data transfers out of China if the security assessment is not triggered. For data processing that is subject to the extraterritorial effect of the PIPL (i.e., direct collection of personal information from individuals in China by a foreign personal information processor), it appears that the only option is a security certification, given the SCCs are generally used for transfers between a Chinese personal information processor and a foreign recipient. For other transfers below the security assessment threshold, the SCCs may be adopted.
Personal Information Protection Impact Assessment (“PIA”): Data exporters are required to undertake a PIA before transferring any personal information outside of China. The PIA report is a required document for the subsequent filing with the local CAC (as explained below), in conjunction with a filing of a data processing agreement. There is no standard format yet for a PIA in the context of SCCs.
Implement Appropriate Internal Policies and Processes: The SCCs impose a series of obligations on data exporters and recipients, such as notifying the data subjects and obtaining their consent (or separate consent), where necessary; taking technical and organizational measures to protect the security of the personal information involved (e.g., encryption, de-identification, or access controls); establishing a process for responding to data subjects’ requests or complaints; and formulating an incident response plan. Companies should take steps to ensure that their internal policies and processes accommodate the requirements of the SCCs, and keep detailed records demonstrating their compliance in case of any audits, inspections, or investigations.
Execute the SCCs: Because data exporters are required to file the SCCs (or related DPA) with the local CAC within ten working days (as of the effective date of the SCCs), it is advisable for companies to complete the above preparatory work before execution of the SCCs. Otherwise, the filing may be rejected by the local CAC (if a PIA is not conducted and filed with the DPA, for example), or additional corrective measures may be required to mitigate any risks involved in the transfer.
Filing with the Local CAC: Data exporters must file the executed SCCs along with the PIA report with the provincial CAC where they are located within ten working days. All documents filed with the local CAC must be written in Chinese or translated into Chinese.
Although the SCCs Regulations provide a six-month grace period, given the amount of preparatory work involved in the implementation of the SCCs, companies should act as soon as practical to take necessary steps to implement the appropriate transfer mechanisms. Doing so will help avoid any disruption to their data transfer activities outside of China.