China Finalized Its Standard Contractual Clauses for Cross-border Data Transfer
By Donnie Dong & Amber Huang
The Cyberspace Administration of China (CAC), China’s data regulator, has formally promulgated its Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Information (SCC Measures), which enclose a compulsory set of Standard Contractual Clauses (SCCs).
The SCC Measures will come into force on June 1, 2023. CAC published its draft SCC Measures last June for public comment (see our client alert here). Compared with the 2022 draft, the finalized SCCs refine specific terms but keep the general framework of the draft. In particular, the regulator has retained its requirement that each SCC and a privacy impact assessment report be submitted to the provincial-level CAC agencies.
When the SCCs Apply
According to the PRC Personal Information Protection Law (PIPL), data senders need to satisfy one of the following regulatory requirements: (1) seeking CAC approval after its “cross-border data security review”; (2) reaching a data transfer agreement with each data recipient by applying CAC’s SCCs; or (3) obtaining certification by a certifier appointed by the CAC.
CAC has yet to formalize a scheme for the certifier approach, so currently, the available options are the above (1) and (2). CAC has confirmed that Option (1) and Option (2) are mutually exclusive. Namely, in the following situations, CAC’s security review is required. Otherwise, the SCCs would apply.
(1) the data sender is an operator of critical information infrastructure or a controller of the “important data” as defined under the PRC Data Security Law;
(2) the data sender controls more than 1 million people’s data; or
(3) the data sender has transmitted over 100,000 people’s personal data, or 10,000 people’s sensitive personal data, during the last calendar year.
(Read our previous client alert on CAC’s cross-border security review regulations here.)
Featured Terms of the PRC SCCs
Among other terms, the Chinese SCCs contain the following notable clauses.
– If any additional clause/agreement reached by parties conflicts with the SCCs, the SCCs prevail.
– The PRC law is mandated to be the governing law of the SCCs.
– The data subjects (individuals) are entitled to choose the forum and governing law when they wish to challenge the legality of the data transfer agreement or want to subrogate a party to enforce the agreement.
– If the purpose, manner, category, or scope of personal data to be transmitted changes, a new agreement (applying the SCCs) shall be reached and submitted to the authority.
Privacy Impact Assessment (PIA)
According to PIPL, a PIA is required before performing a cross-border data transfer. The SCC Measures detail the scope of the PIA. Namely, the PIA shall review and reach conclusions on the following aspects of a proposed cross-border data transfer.
– legality, legitimacy, and necessity of the purpose, scope, and method of personal information processing;
– quantity, scope, type, and sensitivity of personal information;
– risk to personal information rights and interests;
– responsibilities, obligations, management, and technical measures capabilities of both parties;
– the risk of being breached, leaked, lost, or misused after transfer;
– data protection laws and policies of the destination countries;
– other matters that may impact the protection of Chinese personal data.
Key Time & Deadlines
According to the SCC Measures, the PIA and a copy of the executed data transfer agreement (applying SCCs) shall be submitted to CAC before the actual transfer of personal data and within ten work days of the execution of the SCCs.
The SCC Measures will come into force on June 1, 2023, meaning market players have only three months to adjust their cross-border data transfer arrangements.
Please note that the grace period for cases where a large volume of personal data will be transmitted (and thus, the parties must seek CAC approval instead of using the SCCs) has passed. Starting from March 1, 2023, CAC may enforce the law or launch an investigation into any company that is supposed to be transmitting a large volume of personal data.
Penalties & Compliance Talk
Those who violate the SCC Measures may face a fine of up to CNY50 million (approximately USD7.5 million) or 5% of the violator’s annual revenue, at CAC’s discretion.
In addition to the fine, CAC stressed that it is empowered to “invite” suspected violators to attend CAC for a “compliance talk.” In practice, such a “talk” amounts to a strong warning, and serious law enforcement actions, such as suspension of business, could follow.
Each multinational company should develop a wise and practical compliance strategy with experienced advisors on the ground. Please contact us to tailor an action plan for your business in China. You will receive an English translation of the finalized SCCs and a thirty-minute call free of charge. Send an email to email@example.com, stating your name, title, affiliation, the question you are interested in, and your available time slots to book a time.
* * * * *
This communication is intended for informational purposes only and not to create an attorney-client relationship or constitute any form of advertisement.
* * * * *
Author: Donnie Dong is a partner of FuJae Partners and a Certified Information Privacy Manager (IAPP/CIPM). He regularly advises MNCs, unicorns, and start-ups on cross-border intellectual property, data privacy, and related investment and dispute resolution matters.