Understanding Cross-Border Data Transfers Under China’s Personal Information Protection Law (PIPL): A Guide to China’s Standard Contractual Clauses (SCCs)
In China, the Personal Information Protection Law (PIPL) regulates how personal information is processed. This guide focuses on the PIPL’s requirements for cross-border data transfers, specifically through China’s Standard Contractual Clauses (SCCs or Chinese SCCs).
Under the PIPL, a regulated data controller (a “personal information handler” or “personal information processor”) is not authorized to simply transfer personal information of individuals to a third party outside of China. Instead, the controller must adhere to certain requirements, which may include information provision obligations as well as obtaining consent from the individual whose personal information is the subject of the cross-border transfer. Additionally, the controller must use an adequate data transfer mechanism to transfer personal information overseas.
PIPL recognizes three transfer mechanisms to transfer personal information outside of China:
- Undergoing a security assessment organized by the Cyberspace Administration of China (CAC);
- Obtaining a third-party personal information protection certification from a specialized body in line with the requirements of the CAC; or
- Using the Chinese SCCs.
The latter two methods are applicable only to companies handling a relatively small volume of sensitive[1] or general personal information, while larger volumes necessitate the CAC security assessment.
This post will primarily focus on the third mechanism – the SCCs, which are attached to China’s Standard Contract Measures for Personal Information Export Abroad (referred to as the “Measures” or “Regulations”). These Measures have been in effect since June 1, 2023.
Eligibility Criteria: Who Can Use the Chinese SCCs?
A controller can use the Chinese SCCs if it fulfills all of these conditions:
- It is a non-critical information infrastructure operator (Non-CIIO);
- It processes the personal information of less than one million people;
- It has provided the personal information of fewer than 100,000 people abroad since 1 January of the previous year; and
- It has provided the sensitive personal information of fewer than 10,000 people abroad since 1 January of the previous year.
What Are Non-Critical Information Infrastructure Operators (Non-CIIOs)?
To understand what a non-CIIO is, and therefore whether a controller can use the SCCs, let’s first understand what China considers to be “critical information infrastructure”.
China’s Critical Information Infrastructure Security Protection Regulations (Article 2) define “critical information infrastructure” as: “important network infrastructure, information systems, etc., in important industries and sectors such as public telecommunications and information services, energy, transportation, water, finance, public services, e-government, national defense science, technology, and industry, etc., as well as where their destruction, loss of functionality, or data leakage may gravely harm national security, the national economy and people’s livelihood, or the public interest.” (English translation courtesy of Stanford University.)
Therefore, a non-CIIO is an entity that does not operate within these critical information infrastructures (such as the financial, energy, telecommunications, public utility, healthcare, transportation sectors and industries). Relevant regulators in charge of various key industries and sectors in China have the power to set out rules for identifying what constitutes critical information infrastructure. This means their decisions significantly influence which entities are deemed critical information infrastructure operators.
SCCs Are Not Available for Organizations Subject to the CAC Security Assessment Requirement
If a controller is obliged to undergo the CAC assessment, they cannot utilize the Chinese SCCs. This applies to cases where the controller is a CIIO, exports “important data” outside of China[2], or exceeds the SCCs’ volume thresholds we mentioned above. The CAC assessment involves submitting various documents and information to the CAC and takes approximately 60 days to complete. It is valid for two years, with the possibility of renewal if certain changes occur.
It must be noted that according to Article 4 of the Regulations, a controller who is obliged to undergo a CAC assessment or third-party certification cannot circumvent those requirements by dividing the volume of personal information into smaller subsets in order to rely on the SCCs instead. In those circumstances, the controller will need to comply with the onerous procedures associated with a CAC assessment or third-party certification.
Chinese SCCs vs. Third-Party Certification
The Chinese SCCs are an option for controllers that do not meet the criteria for the mandatory security assessment and do not wish to pursue a third-party certification. The third-party certification is a more involved process, authorized by the CAC and currently conducted by the China Cybersecurity Review Technology and Certification Center. Third-party certification is suitable for multinational companies with offices in China that frequently transfer personal information to their subsidiaries or affiliated companies outside China. The certification, valid for three years, requires compliance with national standards outlined in the Personal Information Security Specification and Regulations on Personal Information Cross-border Processing Certification. Post-certification monitoring by the certification agency is also implemented during the certification period.
Compared to the rigorous procedures associated with third-party certifications, implementing the Chinese SCCs can be a more streamlined and straightforward approach for controllers. The SCCs offer a standardized contract template that can help simplify the compliance process.
Essential Elements of the Chinese SCCs
The Chinese SCCs include many typical provisions seen in standard contractual clauses from other jurisdictions, such as:
- Identification of the parties.
- Information about the personal data covered by the clauses and the reasons for its processing.
- Responsibilities of each of the parties.
- Guidelines related to further data transfers by the data importer, known as the “Overseas Recipient”.
- Rights of the data subjects: Information about the rights of individuals whose data is being processed.
- Procedures for dispute resolution and potential remedies.
- Provisions concerning the termination of the contract and accountability for any breach.
Comparing the Chinese SCCs with the EU 2021 SCCs
Although the Chinese SCCs share some common ground with the European Union’s 2021 standard contractual clauses (EU SCCs), they do stand apart in a few key areas:
- Structure: Unlike the EU’s modular approach, the Chinese SCCs are based on a standard template.
- Flexibility: Unlike the EU SCCs, which allow for some customization, the Chinese SCCs must be used exactly as provided, with no room for changes or selections. While this lack of adaptability could be seen as a disadvantage in some situations, it could also be a benefit. Companies won’t need to spend considerable time or resources negotiating terms or making unique adjustments for individual contracts. However, like the EU SCCs, the Chinese SCCs do permit the inclusion of additional terms, as long as these don’t contradict the standard terms of the Chinese SCCs.
- Onward transfer requirements: The Chinese SCCs place more stringent requirements on the Overseas Recipient when it comes to onward data transfers. For instance, there must be a genuine business necessity for transferring personal information to another entity.
- Filing requirements: While the EU SCCs do not generally have to be submitted to any authority, the Chinese SCCs have to be submitted to the corresponding provincial branch of the CAC. More on this below.
- Governing laws and forum: Unlike the EU SCCs where parties can select the governing law, the Chinese SCCs are strictly regulated by China’s laws. Disputes under the Chinese SCCs must be resolved in the Chinese courts or international tribunals.
Deadlines for Implementation
To ensure compliance with the requirements for transferring personal information outside of China, controllers must adhere to the following deadlines:
- New agreements: From June 1, 2023, onwards, all new cross-border data transfer agreements must be based on the SCCs. Controllers should use the SCCs as the foundation for any new agreements entered into after this date.
- Adjusting pre-existing transfers: For pre-existing data transfers (i.e., transfers of personal data from China made before June 1, 2023), controllers have until December 1, 2023, to make the necessary adjustments and implement the SCCs. This allows controllers a grace period of six months to align their existing data transfers with the requirements of the SCCs.
Filing Requirements and Compliance
A controller is required to file their SCCs with the applicable provincial office of the CAC for inspection. This must be done within ten working days from the effective date of the SCCs.
The CAC has issued Guidelines for Filing the Standard Contract for Cross-border Transfer of Personal Information, which set out the details of how the aforesaid filings are to be made, including, amongst other things, a list of the supporting documentation that must be submitted with the filing.
Personal Information Impact Assessments
The SCC filing must be accompanied by a personal information impact assessment (PIIA). The PIIA must be conducted in accordance with Article 5 of the Measures and Clause 2(8) of the SCCs. The following matters must be evaluated in a PIIA:
- The legality, proportionality, and necessity of the purpose, scope, and method of processing the personal information by the parties;
- The scale, scope, type, and sensitivity of the personal information transferred across the border, as well as the risks that the cross-border data transfer may hold for the rights and interests in the personal information;
- The Overseas Recipient’s obligations, and whether its management and technical measures and capabilities can ensure the security of the relevant personal information;
- The risk of the personal information being tampered with, destroyed, leaked, lost, or illegally used after the cross-border transfer, and whether the channels to protect the rights and interests regarding the personal information are readily available;
- The impact of local personal information protection policies and regulations on the performance of the agreement containing the SCCs; and
- Any other matters that may impact the security of the cross-border transfer of the data.
Disadvantages of Using the SCCs
While the new Chinese SCCs aim to streamline the transfer of personal information out of China, there are some burdens associated with their implementation.
Filing the SCCs with the CAC can present an administrative hurdle, potentially leading to further queries and investigations. Conducting PIIAs can also be a complex and time-consuming task, especially for companies managing multiple transfers.
Under the Chinese SCCs, data subjects are acknowledged as third-party beneficiaries, entitled to directly demand the fulfillment of certain obligations by the parties to the SCCs. This gives them the right to lodge a complaint against the Overseas Recipient, and have it handled by a regulator or resolved by an applicable court in China.
Two particularly demanding responsibilities fall upon the Overseas Recipients under the SCCs. In case of a data breach, they must notify the controller, data subjects (when necessary), and Chinese regulators. Moreover, Overseas Recipients need to accept supervision by the CAC, agreeing to cooperate with inquiries, inspections, and decision-making processes.
Despite these challenges, it is imperative not to ignore these requirements or underestimate the consequences of non-compliance. Non-compliance could lead to civil, administrative, and criminal liabilities and penalties.
Act Now: Prioritize Compliance
While there is a grace period for companies to implement the SCCs for existing transfers, it’s essential not to underestimate the commitment and resources needed for this process. The grace period expires on November 30, 2023, but initiating the necessary adjustments sooner rather than later can yield significant benefits. Prioritizing this task not only ensures adherence to regulations, but also contributes to the efficient management of cross-border data transfers. Involving experienced professionals can enhance the process by ensuring attention to detail and thorough understanding of the requirements. At VeraSafe, we’re ready to offer our experience in advising companies in complying with data transfer requirements. Contact us at no cost to learn how we can assist in your transition.
[1] The draft certification requirement defines “sensitive” PI as information that, if leaked, illegally provided, or misused, may jeopardize an individual’s safety, property, personal reputation, mental or physical health, or result in discriminatory treatment. This includes biometric data, data related to religious beliefs or specific identities, medical history, financial accounts, location and whereabouts, and personal information of minors under 14 years old.
[2] Article 19 of the Measures defines “important data” as “data that, once tampered with, destroyed, leaked, illegally obtained, or illegally used, may endanger national security, economic operation, social stability, public health and safety, etc.”