International: China's draft Standard Contract for cross-border data transfers - Implications and comparison against EU SCCs
On 30 June 2022, the Cyberspace Administration of China ('CAC') released the long-awaited draft Personal Information Export Standard Contract ('the Standard Contract'), together with the draft Rules on the Standard Contract ('the Rules'). Analysing how the Standard Contract applies to, and what it requires of, a business's cross-border data transfer strategy is critical, as signing a Standard Contract is anticipated to be the most popular approach enabling international transfers of personal information out of mainland China. Alex Roberts and Yang Fan, from Linklaters, and Tiantian Ke, from Zhao Sheng Law Firm, look at key aspects of the latest draft of the Standard Contract and draw comparisons with the EU 2021 Standard Contractual Clauses ('the EU SCCs').
Watching for regulatory developments relating to cross-border transfers of personal information from the Chinese mainland has become a daily affair in the last few weeks, and almost as regularly since the Personal Information Protection Law of the People's Republic of China ('PIPL') took effect on 1 November 2021.
The PIPL adopted three major transfer mechanisms:
- passing a CAC-led security assessment, which applies only to those organisations which trigger certain thresholds set out under the implementation measures that will become effective from 1 September 2022;
- obtaining a certification from an authorised institution, with the implementation of the underlying scheme remaining untested as its binding rules are yet to be released; and
- signing a Standard Contract, which, compared to the other two mechanisms above, appears to be a relatively business-friendly method that in-scope international businesses will likely seek to rely on.
Comparison with the EU SCCs
Perhaps the good news for many multinational corporations that are subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and have put in place the EU SCCs is that the Standard Contract is greatly influenced by the EU SCCs regime. Nevertheless, while the Standard Contract resembles the EU SCCs, it appears to differ from the EU SCCs in a number of aspects, such as the scope of application, overall structure, and the additional filing obligations that it carries. Understanding the compliance gaps between the two regimes will be essential for businesses that are seeking to use both the Standard Contract and the EU SCCs as part of their international data transfer strategy.
We set out below a comparison chart highlighting some key issues between the China Standard Contract and the EU SCCs.
Scope of application
- China Standard Contract: The Standard Contract can be used in certain scenarios, i.e. if the personal information processor (which is similar to a controller under the GDPR):
- EU SCCs: The EU SCCs are generally applicable to any transfer to a third country outside of the EU that has not been granted an adequacy decision. However, they do not apply to scenarios where the data importer is also subject to the GDPR, under which circumstances the European Data Protection Board ('EDPB') will release a separate set of clauses.

Contract structure
- China Standard Contract: Although we understand that the Chinese authorities first considered a two-module approach like that taken by Hong Kong (see Insight article here), the draft form of the Standard Contract has been released with one form: to be signed between a personal information processor and an offshore recipient.
- EU SCCs: EU SCCs can be used for transfers:

Flexibility of contract
- China Standard Contract: A certain level of flexibility exists. In particular, there is a blank Appendix II to the Standard Contract where the contracting parties can agree on extra provisions so long as these do not contradict the Standard Contract (in which case the Standard Contract will prevail).
- EU SCCs: The EU SCCs can be incorporated into a wider contract and supplemented with other clauses or additional safeguards, provided that they do not contradict the EU SCCs or prejudice the fundamental rights or freedoms of data subjects.

Pre-contract step: transfer impact assessment
- China Standard Contract: Personal information processors must conduct a Personal Information Protection Impact Assessment ('PIPIA'), which the PIPL requires before any data export, including an assessment of the impact of local policies and applicable laws on the protection of personal information and on compliance with the Standard Contract. PIPIAs must be retained for three years.
- EU SCCs: There is no mandatory data protection impact assessment requirement for data exports, but conducting a transfer impact assessment ('TIA') is required under the EDPB guidance. There is no specific retention requirement for TIA records.
- Comparison: Differences exist, but with a certain similarity.

Post-contract step: filing procedure
- China Standard Contract: A filing procedure applies. A personal information processor must file both its Standard Contracts and its PIPIA reports with the provincial CAC of the place where it is located within ten days from the effective date of the Standard Contracts. A Standard Contract must be re-signed, and the filing re-submitted, where certain changes that may affect the interests in the personal information occur.
- EU SCCs: There is no filing obligation, but certain consultation requirements may apply in limited circumstances, e.g. a case-by-case analysis of whether the EU SCCs can be used and, depending on the TIA result, a data exporter may need to implement supplementary measures and consult with the competent supervisory authorities.

Compliance with data processing principles and safeguards
- China Standard Contract: Aligned with the PIPL requirements, parties are required to comply with obligations and principles of lawful processing, transparency, minimum necessity, limitation of storage, security, and accountability.
- EU SCCs: Aligned with the GDPR requirements, parties are required to comply with obligations and principles of lawful processing, transparency, minimum necessity, limitation of storage, security, and accountability.

Acceptance of oversight from supervisory authorities
- China Standard Contract: The personal information processor warrants to respond to enquiries from the supervisory authority, unless the parties agree that a response will be made by the offshore recipient, in which case, if the offshore recipient fails to respond within the required time limit, the personal information processor must still respond. The offshore recipient must accept supervision and management by the supervisory authority in the course of the implementation of the Standard Contract. Parties must be able to demonstrate compliance, and make documentation available to the supervisory authority on request.
- EU SCCs: The data importer must accept supervision by the competent supervisory authority, including responding to inquiries, cooperating with audits by, and complying with measures adopted by, the supervisory authority. Parties must be able to demonstrate compliance, and make documentation available to the supervisory authority upon request.

Governing law and choice of jurisdiction
- China Standard Contract: The Standard Contract limits itself to being governed by the laws and regulations of the People's Republic of China ('PRC') only. When disputes arise between the personal information processor and the offshore recipient, they can only resolve the dispute through arbitration (through an arbitration institution that is a member of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards) or litigation conducted in courts in the PRC. Where a data subject brings an action against the personal information processor or the offshore recipient as a third-party beneficiary, the jurisdiction should be determined in accordance with the provisions of the PRC Civil Procedure Law.
- EU SCCs: Depending on the four modules:

Data processing terms
- China Standard Contract: Data processing terms are omitted (particularly given the one-size-fits-all approach). One implication is that, in a controller-processor scenario, separate processing terms must additionally be included to reflect the requirements under the PIPL.
- EU SCCs: Processor terms set out under Article 28 of the GDPR are included.
What does this mean for you?
Once the Standard Contract is implemented, in-scope organisations that have adopted internal international group data transfer agreements incorporating the EU SCCs will need to revisit their intragroup agreements and put in place additional terms reflecting the Standard Contract in order to comply with China's rules on international data transfer. Several question marks, however, remain to be clarified by the Chinese authorities, e.g. whether the Standard Contract must be incorporated as a whole, to what extent the Standard Contract can be amended, and how to handle additional P2C and P2P transfers since the current scope of the Standard Contract does not appear to cover such transfers.
Whilst the specific timeline for the next legislative step of the current draft is not publicly available, we expect that the draft Rules and Standard Contract will likely be finalised within a relatively short period since another transfer mechanism (i.e. the data export security assessment) has already been finalised. Crucially, organisations doing cross-border business in or with China will need to complete comprehensive data protection examinations and assess which outbound transfer mechanisms they may utilise or have to comply with - now might be the last call if they have not done so.