China: SCCs and their implementation
Since the Personal Information Protection Law ('PIPL') came into force on 1 November 2021, the Standard Contractual Clauses ('SCCs') for cross-border data transfers as referred to in Article 38 of the PIPL have been pending. This puts companies in a very tricky position, wherein they have the statutory obligation to follow the SCCs while no such SCCs are available. Fortunately, this will be changed soon. On 30 June 2022, the Cyberspace Administration of China ('CAC') presented to the public a draft of the prescribed format for SCCs under the PIPL1. The deadline for public comments is 29 July 2022, meaning that the SCCs are likely to be officially launched very soon. Dr. Michael Tan, Julian Sun, and Kyle Tong, from Taylor Wessing LLP, discuss the draft SCCs and their importance.
Scope of use
The SCCs come with a set of rules on how to use the SCCs, i.e. the draft Personal Information Export Standard Contract Provisions ('the Draft Provisions'). The Draft Provisions explicitly refer to Article 38 of the PIPL, which means the SCCs are supposed to be used only for personal information protection under such law. According to Article 4 of the Draft Provisions, the SCCs may be used as a legal basis for a domestic company to transmit personal information outside of China, if the following preconditions apply:
- the organisation is not a so-called critical information infrastructure operator;
- the organisation processes the personal information of fewer than one million data subjects;
- starting from 1 January of the preceding year, personal information transferred overseas by the organisation concerns fewer than 100,000 data subjects on an annual basis; and
- starting from 1 January of the preceding year, sensitive accrual transferred overseas by the organisation concerns fewer than 10,000 data subjects on an annual basis.
It should be noted that under the Chinese data protection legal framework, there is also a separate important concept of 'important data', the export of which is also regulated while the implementation of this is however unclear. Whether or not the Draft SCCs may be further extended to cover important data in practice remains to be seen.
It is also worth noting that the wording of the Draft Provisions seems to indicate that any personal information export not satisfying the above preconditions will not be allowed to use the SCCs as the legal basis. If so interpreted, this means that the CAC deviates from Article 38 of the PIPL, which does not impose similar prerequisites for the legal adoption of the SCCs.
The Draft Provisions repeat the statutory requirement for a Personal Information Impact Assessment ('PIIA') under Article 55 of the PIPL before personal information is transmitted out of China. In the context of using the SCCs, the Draft Provisions further substantiate the focus of PIIAs, which shall include:
- the legitimacy, justifiability, and necessity of the personal information processing by both the personal information exporter and the foreign personal information recipients (e.g. purpose, scope, and method);
- the quantity, scope, category, and sensitivity of personal information to be exported, and respective risks;
- the responsibilities and obligations that foreign recipients have committed to, and their management/technical competence to perform their commitments and ensure personal information security;
- the risk of leakage, sabotage, alteration, and abuse of personal information if exported, and the availability of remedies for data subjects;
- the impact of data protection laws and policies in the jurisdiction of foreign recipients on the performance of the SCCs; and
- other factors jeopardising PI security.
According to the SCCs, an PIIA report shall be kept for at least three years.
Compared with the requirements already established under the PIPL, the Draft Provisions raise a new procedural requirement that the SCCs shall be filed with the local provincial counterparts of the CAC within ten working days upon their effectiveness, during which the respective PIIA report shall also be submitted. Such filing is not a statutory prerequisite for the export of personal information, which may take place upon the effectiveness of the concluded SCCs.
New SCCs shall be concluded and filed again if:
- the purpose, scope, category, sensitivity, quantity, method, retention period, or storage location (including the purpose or method of processing by the foreign recipients) for the export of personal information changes, or the period of personal information being stored outside China is prolonged;
- the data protection laws and policies in the jurisdiction of foreign recipients change, which 'may' have an impact on data subjects' rights and interest; or
- where 'other scenarios' occur.
GDPR SCCs vs. Chinese SCCs
The concept of SCCs was first introduced under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') to regulate the export of personal data from the EU, which has now been taken up by Chinese regulators. One critical question will arise as to how will the SCCs from both regions operate together? This is not a purely hypothetical question but a quite practical one, since data exchange between the EU and China happens quite often, particularly for those international companies headquartered in Europe and operating in China.
In this aspect, Article 2 of the Draft Provisions stipulates that any other contract concluded between a domestic personal information handler and a foreign recipient shall not conflict with the SCCs. The general structure of the SCCs is outlined under the Draft Provisions, which largely mirrors the focus of the PIIA, namely:
- the details of the parties;
- the purpose, scope, category, sensitivity, quantity, method, retention period, and storage location of the personal information export;
- the responsibilities and obligations of the personal information handler as well as the foreign recipients, and the technical and management measures taken to prevent respective security risks;
- the impact of personal information protection laws and policies in the locality of the foreign recipients on the performance of the Chinese SCCs;
- the rights and interests of data subjects, including the ways and methods to protect such rights and interests; and
- legal remedies, termination, liability for breach, dispute resolution etc.
An analysis of the Chinese SCCs leads to the impression that the SCCs aim at regulating personal information exports and protecting the interests of Chinese data subjects. The SCCs do not touch upon import of personal information from other jurisdictions such as the EU. Although the Chinese SCCs regulate data flow in a direction different from that under the GDPR SCCs, technically speaking it is possible for the two different sets of SCCs to co-exist even if they are two different contracts concluded between the same parties.
However, the real picture in practice could be much more complicated and issues may still arise, since to clearly split data exchanges between the two sides by adopting a simple import/export methodology may quite often be difficult, if not impossible. As opposed to the GDPR SCCs, which offer different versions of clauses for different data transfer scenarios, the Chinese SCCs take a one-size-fit-all approach. This is closely linked with the fact that the PIPL does not draw a clearly define line on the different liabilities of a data controller and a data processor as the GDPR does. A data controller and a data processor may both be caught by the broad concept of personal information handler under the PIPL and be exposed to liability. Article 2 of the Draft Provisions also seems to limit the possibility of 'ad hoc clauses' which are explicitly allowed under the GDPR.
The lack of flexibility could also be seen from the fact that the Chinese SCCs only accept the governance of Chinese laws. Such an arrangement goes beyond the Chinese Civil Code, where only three types of joint venture related contracts are mandatorily required to be subject to Chinese laws. Although the dispute resolution clause under the Chinese SCCs shows a certain flexibility by allowing the parties to choose, besides the three Chinese arbitration institutions as explicitly named options, an arbitration institution that falls under the roof of the 1958 Convention on the Recognition and Enforcement of Foreign Arbitral Awards, the fact that Chinese laws must apply as the governing law will make foreign arbitration a difficult solution for the parties in practice.
Irrespective of all these limitations and challenges and considering the tendency of tightened data export control, it is very likely that the draft SCCs will be officially launched without substantial changes. It is recommendable that companies start preparing for the implementation of the Chinese SCCs, including aligning with existing GDPR SCCs where necessary.
1. Only available in Chinese at: http://www.cac.gov.cn/2022-06/30/c_1658205969531631.htm