Application scope

The Standard Contract can be used in certain scenarios, i.e. if the personal information processor (which is similar to a controller under the GDPR):

• is not a critical information infrastructure operator;
• processes personal information of no more than 1 million individuals;
• has provided personal information of no more than 100,000 individuals in total to offshore recipients cumulatively since 1 January of the previous year; and
• has provided sensitive personal information of not more than 10,000 individuals in total to offshore recipients cumulatively since 1 January of the previous year.

The EU SCCs are generally applicable to any transfer to a third country outside of the EU that has not been granted an adequacy decision.

However, they do not apply to scenarios where the data importer is also subject to the GDPR, under which circumstances the European Data Protection Board ('EDPB') will release a separate set of clauses.

Radically different

Overall structure

One-size-fits-all approach

Although we understand that the Chinese authorities first considered a two-module approach like that taken by

Hong Kong (see Insight article here), the draft form of the Standard Contract has been released with one form: to be signed between a personal information processor and an offshore recipient.

Four-module approach:

EU SCCs can be used for transfers:

• from a controller to another controller ('C2C');
• from a controller to a processor ('C2P);
• from a processor to another processor ('P2P'); and
• from a processor to its appointing controller ('P2C').

Radically different

Flexibility of contract

A certain level of flexibility exists. In particular, there is a blank Appendix II to the Standard Contract where the contracting parties can agree on extra provisions so long as these do not contradict the Standard Contract (in which case the Standard Contract will prevail).

The EU SCCs can be incorporated into a wider contract and supplemented with other clauses or additional safeguards, provided that they do not contradict the EU SCCs or prejudice the fundamental rights or freedoms of data subjects.

Generally aligned

Pre-contract step: transfer impact assessment

Personal information processors must conduct a Personal Information Protection Impact Assessment ('PIPIA'), which is required to be conducted under the PIPL before any data exports, including assessments of the impact of local policies and applicable laws regarding the protection of personal information on compliance with the Standard Contract.

PIPIAs must be retained for three years.

There is no mandatory data protection impact assessment requirement for data exports, but conducting a transfer impact assessment ('TIA') is required under the EDPB guidance.

There is no specific retention requirement for retaining TIA records.

Differences exist, but with a certain similarity

Post-contract step: filing procedure

A filing procedure applies. A personal information processor must file both its Standard Contracts and reports on the PIPIAs with the provincial CACs in the place where it is located within ten days from the effective date of the Standard Contracts.

A Standard Contract must be re-signed and filing must be re-submitted in the case of certain changes that may affect interests in the personal information occurs.

There is no filing obligation, but certain consultation requirements may apply in limited circumstances, e.g. a case-by-case analysis of whether the EU SCCs can be used and, depending on the TIA result, a data exporter may need to implement supplementary measures and consult with the competent supervisory authorities.

Radically different

Compliance with data processing principles and safeguards

Aligned with the PIPL requirements, parties are required to comply with obligations and principles of lawful processing, transparency, minimum necessity, limitation of storage, security, and accountability.

Aligned with the GDPR requirements, parties are required to comply with obligations and principles of lawful processing, transparency, minimum necessity, limitation of storage, security, and accountability.

Generally aligned

Acceptance of oversight from supervisory authorities

The personal information processor warrants to respond to enquiries from the supervisory authority, unless the parties agree that a response will be made by the offshore recipient, in which case, if the offshore recipient fails to respond within the required time limit, the personal information processor must still respond.

The offshore recipient must accept the supervision and management by the supervisory authority in the course of the implementation of the Standard Contract.

Parties must be able to demonstrate compliance, and make documentation available to supervisory authority on request.

The data importer must accept the supervision by the competent supervisory authority, including to respond to inquiries, cooperate with audits by, and comply with measures adopted by, the supervisory authority.

Parties must be able to demonstrate compliance, and make documentation available to the supervisory authority upon request.

Generally aligned

Governing law and choice of jurisdiction

The Standard Contract limits itself to being governed by laws and regulations of the People's Republic of China ('PRC') only.

When disputes arise between the personal information processor and the offshore recipient, they can only resolve the dispute through arbitration (through an arbitration institution that is a member of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards) or litigation conducted in courts in the PRC.

Where a data subject brings an action against the personal information processor or the offshore recipient as a third-party beneficiary, the jurisdiction should be determined in accordance with the provisions of the PRC Civil Procedure Law.

Depending on the four modules:

• C2C: parties must select the governing law and jurisdiction of courts of any EU Member State, provided that such choice of law allows for third-party beneficiary rights.
• C2P or P2P: parties must select the governing law of the EU Member State where the data exporter is established, provided that such choice of law allows for third-party beneficiary rights; parties must agree on jurisdiction of courts of any EU Member State.
• P2C: parties can select any governing law and jurisdiction of any courts provided that such choice of law allows for third-party beneficiary rights.
• Data subjects may also bring legal proceedings against the data exporter and/or data importer before the courts of the EU Member State in which they have their habitual residence.

Radically different

Data processing terms

Data processing terms are omitted (particularly given one-size-fits-all approach). One implication is that, in case of a controller-processer scenario, separate processing terms must be additionally included to reflect the requirements under the PIPL.

Processor terms set out under Article 28 of the GDPR are included.

Radically different