China: Dissecting the SCC Measures
Great news from the Cyberspace Administration of China ('CAC') - China's Standard Contract Measures for Exporting Personal Information ('the SCC Measures') have been officially adopted by the CAC on 22 February 2023. Since this date, there officially are three approaches for data transfers under the Personal Information Protection Law ('PIPL') of the People's Republic of China ('PRC'). Without a doubt, the Chinese Standard Contractual Clauses ('SCCs') will be a great choice for small and medium-sized organisations to comply with the requirements for data transfers.
Dehao Zhang, Counsel at Fieldfisher China, discusses the SCC Measures, including requirements around Personal Information Protection Impact Assessments ('PIPIAs') and practical considerations for businesses.
Who can rely on the SCCs for data transfers outside of China?
At first, to avoid misunderstandings, not all organisations will encounter the problem of data transfer obligations under the PIPL. Article 38 of the PIPL indicates that the data exporter should be a personal information processor (similar to the role of a controller under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')), rather than an entrusted party (similar to the role of a processor under the GDPR). This means that, according to the law, the data flow from an entrusted party to a personal information processor will not be deemed as the entrusted party's data transfer outside of China. Although local authorities may not be clear about this, the entrusted party is not obliged to enter into a SCC as a data exporter, which might sound surprising for entrusted parties. Thus, if your organisation acts as the entrusted party, although your organisation does not decide the purpose or means of the processing, the obligation to enter into a SCC is weaker.
Not all personal information processors can rely on the SCC mechanism to solve the problem of data transfers. Personal information processors are classified into two different types: some of them are hugely important, and some of them are less important. Please find below a comparison between the Measures for Security Assessment of Data Exports and the SCC Measures:
The Measures for Security Assessment of Data Exports apply to the following organisations:
The SCC Measures apply to the following organisations:
Organisations who transfer important data outside of China
Critical Information Infrastructure Operators ('CIIOs')
Non-Critical Information Infrastructure Operators
Personal information processors who process one million, or more than one million, data subjects' personal information
Personal information processors who process less than one million individuals' personal information
Personal information processors who have transferred 100,000, or more than 100,000, data subjects' personal information outside of China since 1 January of the previous year
Personal information processors who transfer less than 100,000 individuals' personal information to overseas recipients since 1 January of the previous year
Personal information processors who have transferred 10,000, or more than 10,000, data subjects' sensitive personal information outside of China since 1 January of the previous year
Personal information processors who transfer less than 10,000 individuals' sensitive personal information to overseas recipients since 1 January of the previous year
The personal information processors who do not reach the thresholds of the data transfer security assessment, can choose to go through the SCC approach, or can try to get the certification which has not been implemented yet.
According to Article 55 of the PIPL, before transferring data outside of China, the personal information processor must conduct a PIPIA for the data transfer to assess whether the data transfer is lawful, fair, and necessary and consider the risk and impact on the rights or legal interest of the data subjects.
To enforce this requirement, the SCC Measures provide for the content of the PIPIA. Compared to the content required by Article 56 of the PIPL, the SCC Measures stipulate more requirements for PIPIAs:
PIPIA under the Article 56 of the PIPL
PIPIA under the the SCC Measures
Whether the purpose and means of processing personal information are lawful, fair, and necessary
The lawfulness, fairness, and necessity of the purpose, scope, and means of the personal information processing by the personal information processor and the overseas recipient
The impact on personal rights and security risks
The quantity, scope, type, and sensitivity of personal information to be transferred overseas and risks that the outbound cross-border transfer may pose to personal information rights and interests
The risk of the personal information being tampered with, sabotaged, disclosed, lost, or misused after it is transferred overseas, and whether there is a smooth channel for individuals to protect their personal information rights and interests
Whether the security measures to be taken are lawful, effective, and appropriate to the degree of risk
The responsibilities and obligations that the overseas recipient undertakes to afford, and whether the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations are sufficient to ensure the security of personal information to be transferred
The impact of personal information protection policies and regulations in the country or region where the overseas recipient is located on the performance of the SCC
Other matters that may affect the security of personal information to be transferred overseas
An additional point required by the SCC Measures concerns the impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of the SCC. This seems to be attributed to the impact on individual rights and interests, and risks, but the theory behind it remains unclear as of yet.
From a practical perspective, we can find the relevant terms in the SCC to determine how to assess the above-mentioned point:
"Article 4 The Impact of Policies and Regulations on the Personal Information Protection in the Country or Region of the Overseas Recipient on the Contract Performance
The Parties hereby warrant that they have exercised reasonable care when entering into the contract and are not aware of that the Personal Information protection policies and regulations of the country or region where the overseas recipient is located (including any requirements to provide personal information or to authorise public authorities to access personal information) affect the overseas recipient's performance of its obligations under the contract. The parties declare that, when making the guarantee in Article 4.1, they have assessed the following circumstances:
1) The specific circumstances of the cross-border transfer, including the purpose of processing the Personal Information, the category, scale, scope, and sensitivity of the personal information transferred, the scale and frequency of the transfer, the period for which the personal information will be transferred overseas and the retention period of the overseas recipient, the previous experience of the overseas recipient with respect to cross-border transfer and processing of similar personal information, whether any data security-related incidents have occurred to the overseas recipient and whether they have been dealt with in a timely and effective manner, whether the overseas recipient has received requests to provide personal information to the public authorities in the country or region where it is located and the overseas recipient’s response.
2) The personal information protection policies and regulations of the country or region where the overseas recipient is located, including the following elements:
(a) Information on the laws and regulations and generally applicable standards for personal information protection then in force in that country or region;
(b) regional or global organisations and binding international commitments entered into by such country or region in terms of personal information protection;
(c) the mechanism for implementing personal information protection in the country or region, such as whether there are supervision and law enforcement authorities and relevant judicial authorities to protect personal information, etc.
3) The ability of the overseas recipient to guarantee the security management system and technical means.
The overseas recipient warrants that, at the time of the assessment under Article 4.2, it has made its best efforts to provide the personal information handler with the necessary and relevant information.
The Parties shall document the process and results of the assessment conducted under article 4.2.
If the overseas recipient is unable to perform the contract due to any change in the policies of personal information protection and regulations of the overseas recipient's country or region (including any change in the laws of the overseas recipient's country or region, or the adoption of mandatory measures), the overseas recipient must notify the personal information handler of the aforesaid change as soon as it becomes aware of them.
If the overseas recipient receives a request from a government authority or judicial authority of the country or region where it is located to provide personal information under the contract, it must immediately notify the personal information handler.”
Arguably, the SCCs do not seek to require the overseas recipient to violate their local laws to protect the personal information to be transferred from China in accordance with the PIPL, but aim to make it clear whether:
- the country or region the overseas recipient is located in have any data protection laws, regulations, or commitment, including the international regulations they have joined;
- whether such laws or regulations have any conflicts with the PIPL; and
- whether the overseas recipient is able to take security measures when the local applicable laws and regulations change, including notifying the data exporter and taking measures to protect the personal information transferred from China.
The SCCs and filing procedures
Regarding the updated version of the SCCs, the CAC only provides a Chinese version. It is not clear whether the CAC can provide an English version or not. From the CAC's previous style, we understand that it will not release an English version, but allow the bilingual version in practice; however, the English version cannot conflict with the Chinese version.
It is good to find out that in the SCCs finally the CAC has clarified that 'standalone consent' should be obtained only for data transfers which are based on consent, rather than for all data transfers. It is reasonable and practical, and meets the requirements of Article 13 of the PIPL. Article 13(2) clarifies that if data processing relies on non-consent bases (Articles 13(2) to 13(7)), the individual's consent is not necessary. It must be noted that a data transfers are only one kind of processing according to Article 4 of the PIPL, and standalone consent is only one kind of consent, but with a higher standard. Thus, when relying on non-consent bases (e.g. performance of contract or compliance with legal obligations), a personal information processor is not able to provide options to the individuals; if it chooses to obtain consent in these cases, the consent may be invalid as it is not freely given by individuals. It is mandatorily obtained. Therefore, now the SCCs clarify that, in those cases, standalone consent is not needed; it is only necessary when the data transfer is really based on consent.
It also must be noted that, even if your company can use the SCC approach to solve the problem of data transfers under the PIPL, the SCC approach has a validity period rather than being valid forever once you sign the SCC.
According to Article 8 of the SCC Measures, in case of any of the following circumstances within the validity of the SCC, the personal information processor shall re-evaluate the impact of personal information protection, supplement or re-establish the standard contract, and perform the corresponding filing procedures:
- when the purpose, scope, type, sensitivity, method, storage place of providing personal information overseas, or the purpose and method of processing personal information by overseas recipients has changed, or the overseas storage period of personal information has been extended;
- when changes in personal information protection policies and regulations of the country or region where the overseas recipient is located may affect the rights and interests of personal information; and
- with other circumstances that may affect the rights and interests of personal information.
Regarding the filing work, the personal information processor shall file with the local provincial CAC within ten working days from the effective date of the SCC the following material:
- the standard contract; and
- the PIPIA report.
Thereby, the personal information processor shall be responsible for the truth of the materials above.
As filing work can follow different methods, we hope that the CAC can provide guidance for how to do this (such as contact details, as well as templates of PIPIA reports, if applicable). It should also be noted that the filing work needs to be done after the SCC is signed, instead of before it.
Whether there is any enforcement or punishment for violations of the above requirements, is an important point and depends on the case.
According to Article 11 of the SCC Measures, if the CAC finds that there is a great risk in personal information outbound activities or personal information security incidents occur, it may interview the personal information processor according to the law. The personal information processor shall rectify as required to eliminate hidden dangers.
In most of the cases, at a very early stage, the CAC will communicate with the non-compliance organisations to correct their wrongdoings. But if the cases are really serious, such as the organisation refuses to comply, these cases might reach the serious threshold of Article 66 of the PIPL, which will then constitute serious violations of the PIPL. However, most of organisations will not adopt such an approach, especially after receiving the correction order/intention of the CAC.
The Chinese data transfer approaches have become more clear and practical due to the SCCs. Even the security assessment approach references the SCC's wording so that the organisations can pass the assessment procedure easier, although there will still be some problems with the procedures of filing and PIPIAs. However, we expect the problems to be solved in the process and in practice going forward.
Dehao Zhang Counsel
Fieldfisher China, Beijing