International: China's Standard Contract for cross-border data transfers - What do you need to know to implement it
On 24 February 2023, the Cyberspace Administration of China ('CAC') released the final form of its key transfer mechanism for data exports - the long-awaited Personal Information Export Standard Contract ('the Standard Contract') and its accompanying Measures on the Standard Contract ('the Measures'), which set out the principles governing the use of the Standard Contract. While the Standard Contract comprises one of three transfer mechanisms under China's data protection law - the Personal Information Protection Law of the People's Republic of China ('PIPL') - the Standard Contract is anticipated to be the most popular approach for international businesses seeking to export personal information out of mainland China.
Alex Roberts, from Linklaters, and Roger Li and Tiantian Ke, from Zhao Sheng Law Firm, look at the key aspects of the Standard Contract and compare them to the EU 2021 Standard Contractual Clauses ('EU SCCs').
Recap on the background to the Standard Contract
Developments relating to cross-border data transfers from mainland China have been rapid since the summer of 2022, as the Chinese Government has seemed keen to implement the mechanisms outlined in the PIPL.
Having taken effect on 1 November 2021, the PIPL's three major transfer mechanisms are:
- passing a CAC-led security assessment, which applies only to those organisations which trigger certain thresholds set out under the implementation measures that became effective from 1 September 2022;
- obtaining a certification from an authorised institution, although the implementation of the underlying scheme remains untested as these institutions are generally not yet active in the market; and
- signing the Standard Contract, which, compared to the other two mechanisms, appears to be a relatively business-friendly method without involvement of a government body or government-authorised third party.
International businesses may also transfer data by fulfilling other conditions provided in laws or administrative regulations or by the CAC. However, details of these routes are yet to be made publicly available.
EU SCCs: Comparison and contrast
Those that studied the draft Standard Contract that was released in June last year would have noted the similarities to the EU SCCs, which may be used to legitimise exports of personal information from the EU under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This is still the case, as both the Standard Contract and the Measures generally remain the same as their 2022 drafts.
Nevertheless, the template contract differs from the EU SCCs in several aspects, such as the scope of application, overall structure, and the additional filing obligations that it carries. Understanding the gaps between the Chinese and GDPR regimes will be essential for businesses that are seeking to use both the Standard Contract and the EU SCCs as part of their international data transfer strategy.
A comparison table highlighting some key issues across the Standard Contract and the EU SCCs is set out below. For each issue, the EU SCCs position is given first, then the China Standard Contract position, then our comparison and commentary.

Scope of application
EU SCCs: EU data exporters can use the EU SCCs to make cross-border transfers to a data importer located in a third country outside of the EU, where that country has not been granted an adequacy decision (i.e. it is not a so-called 'whitelisted' jurisdiction).
China Standard Contract: If the personal information processor (a term similar to a 'controller' under the GDPR) which seeks to make a cross-border data transfer is not subject to the security assessment regime, the Standard Contract can be used. To qualify, the organisation must:
Comparison and commentary: The Standard Contract has a narrower scope of application (both in terms of sectoral relevance and data volumes) than the EU SCCs.
The Measures - as released in final form - explicitly prohibit organisations from splitting the volume of data to be exported via Standard Contracts among different entities in order to avoid meeting the thresholds for a mandatory security assessment. This new provision seeks to prevent organisations using the Standard Contract to circumvent the more onerous security assessment mechanism, which it is understood the CAC thinks has been adopted less than it envisaged.
EU SCCs: EU SCCs can be adopted for personal information exports:
China Standard Contract: The Standard Contract has been released in one form that must be signed between a personal information processor and an offshore recipient, despite the CAC having considered a two-module approach like that adopted under the recommended measures applicable in the Hong Kong Special Administrative Region ('SAR').
Comparison and commentary: Multinational organisations will likely find it difficult to apply the one-size-fits-all terms of the Standard Contract to all transfer scenarios in practice. Compared with the multiple circumstances that are feasible with the EU SCCs, this aspect will be challenging for international business. For example:

Flexibility of contract
EU SCCs: One or more modules of the EU SCCs can be included in a master contract and supplemented with other provisions or additional safeguards, so long as they do not contradict the EU SCCs or prejudice the fundamental rights or freedoms of data subjects.
The EU SCCs are also expressly designed to be adopted by multiple controllers and/or processors and include a 'docking' clause to subsequently add further parties.
China Standard Contract: The Measures state that the Standard Contract must be concluded in strict accordance with the CAC's form. A domestic organisation may agree other terms with its overseas counterpart and record these in the second appendix to the Standard Contract. However, these additional terms must not conflict with the Standard Contract.
Comparison and commentary: Differences exist, but with some similarities.
The Standard Contract seems to be less flexible in its form than the EU SCCs. This will create a challenge for international businesses' global data transfer programmes if they are to meet the requirements imposed on the form of the Standard Contract.
It will be crucial for the CAC to clarify whether the Standard Contract must be used in a bilateral manner or can also be revised so it is multilateral (as the EU SCCs allow) for use in the existing intra-group data transfer agreements of international groups.

Pre-contract step: transfer impact assessment
EU SCCs: The EU SCCs and related European Data Protection Board guidance require a transfer impact assessment ('TIA') to be conducted to assess the risk of transferring personal data to the relevant third country. A key objective of the TIA is to examine the extent of data access rights of local law enforcement and national security agencies in the third country.
There is no specific retention requirement for holding TIA records. However, in practice, organisations should retain their TIAs to assist in complying with their accountability obligations under the GDPR.
China Standard Contract: Under the PIPL, a personal information processor must conduct a personal information protection impact assessment ('PIPIA') before any data export. The PIPIA must include an assessment of the impact of local policies and applicable laws regarding the protection of personal information on compliance with the Standard Contract.
A PIPIA must be retained for three years.
Comparison and commentary: Differences exist, but with some similarities.
To prepare PIPIAs, domestic organisations can be expected to request information on the offshore party's circumstances as the recipient of the personal information, including the protections afforded to that information under the local law of the place in which the offshore recipient is located, together with information on the offshore party's data security practices.
Undertaking a compliant PIPIA will likely be time consuming. Multinational groups should implement procedures to map their data processing and data flows and consolidate the data required to complete a PIPIA on the relevant data export activities.

Post-contract step: filing procedure
EU SCCs: EU SCCs do not require filing with the competent supervisory authority. However, the EU authorities may request to review relevant EU SCCs in certain circumstances, such as an audit or investigation.
China Standard Contract: A personal information processor must file both the Standard Contract and the report generated by the PIPIA with the provincial branch of the CAC that supervises the location where the organisation is registered. The filing must be completed within ten days from the effective date of the Standard Contract.
If certain changes occur that may affect interests in the personal information, the data exporter must re-conduct the PIPIA and supplement or re-sign the Standard Contract.
Comparison and commentary: Because the Standard Contract and corresponding PIPIA must be filed, domestic enterprises can be expected to make increasing numbers of information requests of overseas counterparties for the purposes of undertaking compliant PIPIAs. This may lead to service providers seeking to prepare the relevant information in advance to give them a competitive advantage in servicing Chinese businesses expanding abroad.
International organisations must consider implementing an ongoing monitoring protocol to flag when changes to their data export activities affect a filed PIPIA and/or Standard Contract.

Compliance with data processing principles and safeguards
EU SCCs: Aligned with the GDPR requirements, parties are required to comply with obligations and principles of lawful processing, transparency, data minimisation, respecting data subject rights, limitation of storage, security, and accountability.
China Standard Contract: Aligned with the PIPL requirements, parties are required to comply with obligations and principles of lawful processing, transparency, data minimisation, respecting data subject rights, limitation of storage, security, and accountability.

Data processing terms
EU SCCs: Provisions are included in the EU SCCs that meet the requirements of Article 28 of the GDPR in respect of data handling by processors (where applicable).
China Standard Contract: Provisions are included in the Standard Contract that meet the requirements of Article 21 of the PIPL in respect of data handling by an entrusted party.

Acceptance of oversight from supervisory authorities
EU SCCs: The party receiving the personal information must accept supervision by the relevant EU supervisory authority, including to respond to enquiries, cooperate with audits by, and comply with measures adopted by, the supervisory authority.
The parties to the EU SCCs must also be able to show their compliance with the EU SCCs, and make available to the supervisory authority, upon request, documentation evidencing that compliance and the corresponding processing activities.
China Standard Contract: The offshore recipient must accept the supervision and management of the Chinese supervisory authority during the term of the Standard Contract, including to respond to enquiries and comply with measures adopted or decisions made by that authority.
The parties to the Standard Contract must also be able to show their compliance with the Standard Contract, and make available to the competent authorities on request documentation evidencing that compliance and the corresponding processing activities.
Comparison and commentary: Generally aligned, but a new term requires notification of government access requests, which may cause a possible conflict of laws.
The final form of the Standard Contract contains a new provision requiring the offshore recipient to immediately notify the data exporter when the recipient receives a data access request from a local government department or judicial authority. Since this new obligation does not have any exceptions provided under the Standard Contract or the Measures, conflicts of laws will likely occur between the two jurisdictions. Namely, where a notification is prohibited under the law of the foreign jurisdiction, failing to make the notification to the party in China would likely constitute a breach of contract, while notifying the Chinese party in accordance with the Standard Contract's obligation may lead to a violation of the overseas jurisdiction's regulatory requirements.

Governing law and choice of jurisdiction
EU SCCs: Depending on the four modules:
China Standard Contract: The Standard Contract is solely governed by the laws and regulations of mainland China.
If disputes arise between the data exporter and data importer, they can resolve the dispute through an arbitration institution that is a member of the 'New York Convention', or through litigation conducted in the courts of mainland China.
If a data subject (as a third-party beneficiary) claims against the personal information processor or the offshore recipient, the jurisdiction should be determined in accordance with the provisions of China's Civil Procedure Law.
Comparison and commentary: Many multinational organisations will embrace the option of agreeing on an arbitration institution that is a member of the New York Convention, since they have traditionally been hesitant to bring disputes in China because of concerns about impartiality and practical issues, such as choice of language.
The Chinese authorities are pushing implementation of their transfer regimes forward, and the regulatory sanctions for cyber and data non-compliance are increasing. International organisations conducting cross-border business in or with mainland China that have not already done so must complete comprehensive data protection examinations and assess which outbound transfer mechanisms they may use or will have to comply with.
The Standard Contract and the Measures will take effect on 1 June 2023. New in-scope data exports from mainland China (including to Hong Kong SAR) must use the Standard Contract from that date, unless another transfer mechanism is mandatory or chosen. Although a six-month grace period applies to existing transfer arrangements, it may take months to renegotiate and sign revised agreements with counterparties - particularly those outside China that do not wish to increase their legal exposure to its regulators.
Time is now of the essence to ensure compliance in this crucial market for so many multinational groups.