Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To
Summary: The final version of the China SCCs has now been published, meaning those organisations that haven’t had to apply for CAC approval for their cross-border transfers of personal information now have until 1 December 2023 to:
- sign the China SCCs with overseas recipients of personal information; and
- file a copy of the signed China SCCs and accompanying PIIA with the local branch of the CAC.
Otherwise, for those organisations that must follow the China SCCs route, cross-border data transfers must stop until these steps are taken.
Additional guidance has been given to support those organisations assessing whether they must follow the CAC assessment/approval or China SCCs routes.
Background: The long-awaited final version of the China standard contractual clauses for cross-border transfers of personal information (“China SCCs”) was published on 24 February 2023 by the Cyberspace Administration of China (“CAC”) via the Measures for Standard Contracts for Transferring Personal Information Overseas (“Measures”).
Timing: There is a grace period until 1 December 2023 for personal information controllers to:
- sign the new China SCCs with overseas recipients of their personal information; and
- file a copy of the signed China SCCs, together with the corresponding personal information impact assessment (“PIIA”, China’s version of the GDPR DPIA) completed by the organisation, with the local branch of the CAC.
The Measures will come into force on 1 June 2023, and organisations then have six months from this date to take these steps.
Who must put in place the China SCCs: Personal information controllers that do not meet the thresholds for the CAC assessment/approval route, or for the CAC certification route for non-China personal information controllers, must follow this China SCCs route to legitimise their transfers of personal information outside of Mainland China.
By way of reminder:
- those organisations that must follow the CAC assessment/approval route are: (1) organisations designated as a Critical Information Infrastructure Operator; (2) organisations that export “important data”; (3) organisations that process personal information of more than one million individuals and intend to export some of it; or (4) personal information controllers that transfer overseas (i) personal information of no more than 100,000 individuals in aggregate, or (ii) sensitive personal information of no more than 10,000 individuals in aggregate, where “in aggregate” means in the period from 1 January of the preceding year; and
- non-China personal information controllers should instead follow the alternative CAC certification route (details not yet published).
Strictly, personal information controllers that must follow the CAC assessment/approval route or the CAC certification route need not sign and file the China SCCs. Indeed, as noted below, the China SCCs are drafted on the assumption that the personal information controller is a Mainland China entity. That said, it would be sensible for such organisations nonetheless to sign the China SCCs with overseas recipients of China personal information as evidence of good practice, even if they do not need to do so within the grace period or to file them.
China SCCs apply to C2C and C2P transfers: Unlike the GDPR SCCs, the China SCCs do not differentiate between controller-to-controller (C2C) and controller-to-processor (C2P) transfers.
The obligation to sign and file the China SCCs is on the Chinese personal information controller. It appears that, in a C2C situation, both personal information controllers (assuming both are Chinese entities and are subject to the China SCCs route) have their own obligation to file the signed China SCCs (together with each of their independent PIIAs conducted for the transfer).
It is unclear from the Measures whether personal information processors must sign and file the China SCCs with their sub-processors. While we await guidance on this, it is advisable as a matter of good practice to flow down the China SCCs to those sub-processors.
China SCCs cannot be negotiated but can be added to: Similar to the GDPR SCCs, the China SCCs must be executed “as is”. This is good news for personal information controllers who will be seeking to sign the China SCCs with the big technology vendors, as it should expedite the signing process.
On the other hand, unlike the GDPR SCCs, organisations may negotiate additional (i.e., enhanced) terms with overseas data recipients, provided that these do not conflict with the China SCCs. However, in practice, we anticipate many data processors will be reluctant to sign terms over and above the China SCCs.
Filing practicalities: Organisations must submit a filing to the local CAC branch, including:
- the signed China SCCs, in Chinese (it is unclear whether bilingual versions will be accepted); and
- the corresponding PIIA,
within 10 business days of the China SCCs taking effect (i.e., from the signing or effective date of the China SCCs stated on the signed version).
Effectively, therefore, a filing will be needed for each overseas transfer/recipient.
Details of the in-person or online filing procedure have not yet been published.
It is unclear whether “any other agreements” related to the transfers must be filed. We had previously understood that just the signed China SCCs would need to be filed, meaning that including the China SCCs in a standalone supplement to the global DPA or underlying agreement would be sensible, to manage risks of disclosing additional or commercial terms unnecessarily to the CAC. It is unclear whether that approach is sustainable, or whether the CAC will expect the full agreement, or a partially redacted version of the full agreement, to be disclosed as well. We hope the CAC will publish guidance on this sooner rather than later, given the potential impact on confidentiality clauses and contract structuring.
Updated filing if transfers change: Unlike the CAC assessment/approval route, there is no time limit on the validity or legitimacy of the China SCCs once signed and filed. However, organisations must sign a supplemental or new set of China SCCs, and refile them with the local CAC branch with a refreshed PIIA, if there:
- is a change in purpose, scope, category, degree of sensitivity, method, storage location or term of the personal information transferred overseas; or
- is a change in the processing purpose or method of the personal information by the overseas recipient; or
- is a change in the personal information protection policies or regulations of the jurisdiction of the overseas recipient that may affect the rights and interests of personal information, which effectively means organisations must monitor changes to overseas data protection laws, and undertake mini transfer impact assessments (TIAs) within their PIIAs, to assess whether regulatory changes overseas might have such an effect; or
- are other circumstances which may affect the rights and interests of data subjects.
This effectively means that active monitoring of processing activities, overseas recipients, and the laws in the jurisdictions in which they operate is necessary. We anticipate many local and China data protection teams will need to add to existing resources or headcount to incorporate this into their data protection compliance programmes.
China SCCs are not the only compliance step: signing and filing the China SCCs alone does not legitimise the cross-border transfer of personal information. Do not forget:
- separate, explicit consent for the cross-border data transfer (on top of general consent to data processing and other separate consents for processing of (inter alia) sensitive personal information);
- undertaking a PIIA; and
- putting in place technical and organisational measures to ensure the data is processed to standards akin to China data protection laws (such as due diligence and ongoing vendor monitoring).
The Measures specifically mention the requirement for separate consent when transferring personal information overseas for processing activities that rely on the legal basis of consent. We await clarification from the CAC as to whether or not the separate consent requirement will be exempted for processing activities based on the (limited) alternative legal bases in the PIPL.
CAC assessment/approval route clarification: For those organisations that have already considered whether or not they must follow the CAC assessment/approval route, the CAC has clarified that organisations may not seek to circumvent the CAC assessment route by falsely structuring the volume of personal information processed, for example by splitting it across multiple organisations or legal entities. Organisations that have not yet submitted their CAC assessment applications before the 1 March 2023 deadline are, therefore, strongly advised to reconsider their internal assessments as to whether or not they meet the relevant thresholds.
Organisations must execute the China SCCs as a priority, or risk having to stop cross-border transfers of China personal information. We are creating a template China SCCs addendum for organisations to use, so please contact us for support.