
International: China's draft Standard Contract for cross-border data transfers - Implications and comparison against EU SCCs

On 30 June 2022, the Cyberspace Administration of China ('CAC') released the long-awaited draft Personal Information Export Standard Contract ('the Standard Contract'), together with the draft Rules on the Standard Contract ('the Rules'). An analysis of the application and requirements of the Standard Contract to a business' cross-border data transfer strategy is critical as signing a Standard Contract is anticipated to be the most popular approach enabling international transfers of personal information out of mainland China. Alex Roberts and Yang Fan, from Linklaters, and Tiantian Ke, from Zhao Sheng Law Firm, look at key aspects of the latest draft of the Standard Contract and draw comparisons with the EU 2021 Standard Contractual Clauses ('the EU SCCs').


Background

Watching for regulatory developments relating to cross-border transfers of personal information from the Chinese mainland has become a daily affair in the last few weeks, and almost as regularly since the Personal Information Protection Law of the People's Republic of China ('PIPL') took effect on 1 November 2021.

The PIPL adopted three major transfer mechanisms:

  • passing a CAC-led security assessment, which applies only to those organisations which trigger certain thresholds set out under the implementation measures that will become effective from 1 September 2022;
  • obtaining a certification from an authorised institution, with the implementation of the underlying scheme remaining untested as its binding rules are yet to be released; and
  • signing a Standard Contract, which, compared to the other two mechanisms above, appears to be a relatively business-friendly method that in-scope international businesses will likely seek to rely on.

Comparison with the EU SCCs

Perhaps the good news for many multinational corporations that are subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and have put in place the EU SCCs is that the Standard Contract is greatly influenced by the EU SCCs regime. Nevertheless, while the Standard Contract resembles the EU SCCs, it appears to differ from the EU SCCs in a number of aspects, such as the scope of application, overall structure, and the additional filing obligations that it carries. Understanding the compliance gaps between the two regimes will be essential for businesses that are seeking to use both the Standard Contract and the EU SCCs as part of their international data transfer strategy.

We set out below a comparison chart highlighting some key issues between the China Standard Contract and the EU SCCs.

Key issue: Application scope

China Standard Contract: The Standard Contract can be used in certain scenarios, i.e. if the personal information processor (which is similar to a controller under the GDPR):

  • is not a critical information infrastructure operator;
  • processes personal information of no more than 1 million individuals;
  • has provided personal information of no more than 100,000 individuals in total to offshore recipients cumulatively since 1 January of the previous year; and
  • has provided sensitive personal information of no more than 10,000 individuals in total to offshore recipients cumulatively since 1 January of the previous year.

EU SCCs: The EU SCCs are generally applicable to any transfer to a third country outside of the EU that has not been granted an adequacy decision.

However, they do not apply to scenarios where the data importer is also subject to the GDPR, under which circumstances the European Data Protection Board ('EDPB') will release a separate set of clauses.

Comparison: Radically different

Key issue: Overall structure

China Standard Contract: One-size-fits-all approach. Although we understand that the Chinese authorities first considered a two-module approach like that taken by Hong Kong (see Insight article), the draft form of the Standard Contract has been released with one form: to be signed between a personal information processor and an offshore recipient.

EU SCCs: Four-module approach. The EU SCCs can be used for transfers:

  • from a controller to another controller ('C2C');
  • from a controller to a processor ('C2P');
  • from a processor to another processor ('P2P'); and
  • from a processor to its appointing controller ('P2C').

Comparison: Radically different

Key issue: Flexibility of contract

China Standard Contract: A certain level of flexibility exists. In particular, there is a blank Appendix II to the Standard Contract where the contracting parties can agree on extra provisions so long as these do not contradict the Standard Contract (in which case the Standard Contract will prevail).

EU SCCs: The EU SCCs can be incorporated into a wider contract and supplemented with other clauses or additional safeguards, provided that they do not contradict the EU SCCs or prejudice the fundamental rights or freedoms of data subjects.

Comparison: Generally aligned

Key issue: Pre-contract step: transfer impact assessment

China Standard Contract: Personal information processors must conduct a Personal Information Protection Impact Assessment ('PIPIA'), which the PIPL requires before any data export, including an assessment of the impact of local policies and applicable laws regarding the protection of personal information on compliance with the Standard Contract.

PIPIAs must be retained for three years.

EU SCCs: There is no mandatory data protection impact assessment requirement for data exports, but conducting a transfer impact assessment ('TIA') is required under the EDPB guidance.

There is no specific requirement to retain TIA records.

Comparison: Differences exist, but with a certain similarity

Key issue: Post-contract step: filing procedure

China Standard Contract: A filing procedure applies. A personal information processor must file both its Standard Contracts and reports on the PIPIAs with the provincial CAC in the place where it is located within ten days from the effective date of the Standard Contracts.

A Standard Contract must be re-signed, and the filing re-submitted, where certain changes occur that may affect interests in the personal information.

EU SCCs: There is no filing obligation, but certain consultation requirements may apply in limited circumstances, e.g. a case-by-case analysis of whether the EU SCCs can be used and, depending on the TIA result, a data exporter may need to implement supplementary measures and consult with the competent supervisory authorities.

Comparison: Radically different

Key issue: Compliance with data processing principles and safeguards

China Standard Contract: Aligned with the PIPL requirements, parties are required to comply with obligations and principles of lawful processing, transparency, minimum necessity, limitation of storage, security, and accountability.

EU SCCs: Aligned with the GDPR requirements, parties are required to comply with obligations and principles of lawful processing, transparency, minimum necessity, limitation of storage, security, and accountability.

Comparison: Generally aligned

Key issue: Acceptance of oversight from supervisory authorities

China Standard Contract: The personal information processor warrants to respond to enquiries from the supervisory authority, unless the parties agree that a response will be made by the offshore recipient, in which case, if the offshore recipient fails to respond within the required time limit, the personal information processor must still respond.

The offshore recipient must accept the supervision and management by the supervisory authority in the course of the implementation of the Standard Contract.

Parties must be able to demonstrate compliance, and make documentation available to the supervisory authority on request.

EU SCCs: The data importer must accept the supervision by the competent supervisory authority, including to respond to inquiries, cooperate with audits by, and comply with measures adopted by, the supervisory authority.

Parties must be able to demonstrate compliance, and make documentation available to the supervisory authority upon request.

Comparison: Generally aligned

Key issue: Governing law and choice of jurisdiction

China Standard Contract: The Standard Contract limits itself to being governed by the laws and regulations of the People's Republic of China ('PRC') only.

When disputes arise between the personal information processor and the offshore recipient, they can only resolve the dispute through arbitration (through an arbitration institution that is a member of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards) or litigation conducted in courts in the PRC.

Where a data subject brings an action against the personal information processor or the offshore recipient as a third-party beneficiary, the jurisdiction should be determined in accordance with the provisions of the PRC Civil Procedure Law.

EU SCCs: Depending on the four modules:

  • C2C: parties must select the governing law and jurisdiction of courts of any EU Member State, provided that such choice of law allows for third-party beneficiary rights.
  • C2P or P2P: parties must select the governing law of the EU Member State where the data exporter is established, provided that such choice of law allows for third-party beneficiary rights; parties must agree on jurisdiction of courts of any EU Member State.
  • P2C: parties can select any governing law and jurisdiction of any courts provided that such choice of law allows for third-party beneficiary rights.
  • Data subjects may also bring legal proceedings against the data exporter and/or data importer before the courts of the EU Member State in which they have their habitual residence.

Comparison: Radically different

Key issue: Data processing terms

China Standard Contract: Data processing terms are omitted (particularly given the one-size-fits-all approach). One implication is that, in the case of a controller-processor scenario, separate processing terms must be additionally included to reflect the requirements under the PIPL.

EU SCCs: Processor terms set out under Article 28 of the GDPR are included.

Comparison: Radically different

What does this mean for you?

Once the Standard Contract is implemented, in-scope organisations that have adopted internal international group data transfer agreements incorporating the EU SCCs will need to revisit their intragroup agreements and put in place additional terms reflecting the Standard Contract in order to comply with China's rules on international data transfer. Several question marks, however, remain to be clarified by the Chinese authorities, e.g. whether the Standard Contract must be incorporated as a whole, to what extent the Standard Contract can be amended, and how to handle additional P2C and P2P transfers since the current scope of the Standard Contract does not appear to cover such transfers.

Whilst the specific timeline for the next legislative step of the current draft is not publicly available, we expect that the draft Rules and Standard Contract will likely be finalised within a relatively short period since another transfer mechanism (i.e. the data export security assessment) has already been finalised. Crucially, organisations doing cross-border business in or with China will need to complete comprehensive data protection examinations and assess which outbound transfer mechanisms they may utilise or have to comply with - now might be the last call if they have not done so.

Alex Roberts, Counsel
Yang Fan, Managing Associate
Linklaters, Hong Kong

Tiantian Ke, Associate
Zhao Sheng Law Firm, Shanghai