The Cyberspace Administration of China (CAC), the key government authority empowered to enforce the PRC Personal Information Protection Law (PIPL), released the draft Standard Contractual Clauses on Cross-border Transfer of Personal Information (the Draft SCCs) along with the draft Regulations on the SCCs (the Draft SCCs Regulations) on June 30, 2022, seeking public comments by July 29, 2022.
The PIPL, effective since November 1, 2021, generally prohibits cross-border data transfer, except where such transfer is necessary for the purpose of data collection and data processing. Under the PIPL, companies that wish to transfer personal data out of China must choose one of the following three compliant options: (i) going through a security assessment conducted by the CAC (if the volume of personal information is large), (ii) applying for a certification issued by institutions appointed by the government (if the cross-border transfer is a frequent and regular practice), or (iii) reaching a cross-border data transfer agreement with the overseas data recipient using the standard contractual terms published by the authority.
- For option (i) – security assessment – the CAC released draft Measures on Security Assessment of the Cross-border Data Transfer in November 2021 (see our earlier summary and comments on it), but they have not yet been finalized by the CAC.
- For option (ii) – certification – while some quasi-governmental industry organizations have published certain guideline standards, no binding regulations have been promulgated yet.
- The Draft SCCs Regulations offer clues on how the regulators would implement the above option (iii) – standard contractual clauses (SCCs).
Below are some key takeaways from our reading of the Draft SCCs, primarily from the perspective of multi-national companies (MNCs) that have subsidiaries or operations in China.
The CAC has proposed the following requirements in the Draft SCCs Regulations. Some of them appear hard to satisfy in practice, in particular for MNCs that directly serve Chinese individual consumers through their Chinese subsidiaries or JVs. MNCs or industry associations may consider submitting their comments by the deadline of July 29, 2022.
- Transfer of personal information from the Chinese subsidiaries of an MNC to its headquarters or other affiliates (intra-group transfers) would amount to a “cross-border transfer” under PRC law, and so far there is no equivalent of the GDPR’s “Binding Corporate Rules” (BCRs) that could serve as an alternative to the SCCs.
- Not all cross-border data transfers can be legalized through the SCCs. If any of the following thresholds is met, signing a contract using the SCCs would not suffice: (a) the number of involved individuals (whose data will be transferred out of China) exceeds 1 million; (b) during one calendar year, the number of involved individuals exceeds 100,000; or (c) the number of involved individuals whose sensitive personal information is transferred exceeds 10,000.
- Data protection impact assessments (DPIAs) are required for all cross-border data transfer activities, without any waiver or threshold.
- The contracts between a data sender and overseas data recipient(s) must use the language of the SCCs, and such contracts must be filed with the competent provincial-level branch of the CAC for its records, along with the DPIA report, within 10 workdays of the date of the contract.
- If any of the following items changes after a contract is filed, a new contract must be concluded and re-filed with the authority: the purpose, scope, category, amount or methods of processing, or the duration or location of data retention. The same applies if the personal data protection law of the recipient’s jurisdiction changes to the effect of “affecting individual’s interest”.
Key Clauses under the Draft SCCs
Certain clauses under the Draft SCCs are in effect additional regulatory requirements rather than traditional contractual obligations owed to the other party to the contract:
- The data sender shall respond to the Chinese authority’s inquiries on the overseas data recipient’s manner of data processing. (Draft SCCs 2(6))
- If there is a data breach, the overseas data recipient shall notify the data sender in China and report to the Chinese authority. (Draft SCCs 3(6))
- The personal data transferred from China shall not be further provided to a third party unless all of the following conditions are met: (Draft SCCs 3(7))
(a) such further provision is based on a genuine business need,
(b) the data subjects have given their informed consent to such further provision of their personal data, and
(c) a written contract with the third-party recipient is in place, and that contract requires the third-party recipient to provide a level of protection not lower than that of the PIPL.
- If the data recipient engages a third-party data processor to process the data, the data recipient shall inform the data subjects of the details of the engaged data processor. (Draft SCCs 3(8))
- The data recipient shall keep records of data processing for at least 3 years, and shall submit such records to the Chinese authority when required to do so by PRC regulations. (Draft SCCs 3(11))
- The overseas data recipient shall make reasonable efforts to cooperate with the Chinese authority’s investigations. (Draft SCCs 3(12))
- Where there is any conflict between other clauses and the SCCs, the SCCs prevail. (Draft SCCs 9(1))
- The governing law of the data transfer contract must be PRC law. (Draft SCCs 9(2))
* * * * *
Author: Dr. Donnie Dong. Admitted to practice in China and New York State, the author is a Certified Information Privacy Manager (CIPM) certified by the International Association of Privacy Professionals (IAPP). Dr. Dong is a member of the steering committee of Digital Asia Hub, a non-profit think tank collaborating with leading scholars and practitioners of digital society in Asia.