Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

International: China's Standard Contract for cross-border data transfers - What do you need to know to implement it

On 24 February 2023, the Cyberspace Administration of China ('CAC') released the final form of its key transfer mechanism for data exports - the long-awaited Personal Information Export Standard Contract ('the Standard Contract') and its accompanying Measures on the Standard Contract ('the Measures'), which set out the principles governing the use of the Standard Contract. While the Standard Contract comprises one of three transfer mechanisms under China's data protection law - the Personal Information Protection Law of the People's Republic of China ('PIPL') - the Standard Contract is anticipated to be the most popular approach for international businesses seeking to export personal information out of mainland China.

Alex Roberts, from Linklaters, and Roger Li and Tiantian Ke, from Zhao Sheng Law Firm, look at the key aspects of the Standard Contract and compare them to the EU 2021 Standard Contractual Clauses ('EU SCCs').

Viorika / Signature collection /

Recap on the background to the Standard Contract

Developments relating to cross-border data transfers from mainland China have been rapid since the summer of 2022, as the Chinese Government has seemed keen to implement the mechanisms outlined in the PIPL.

Having taken effect on 1 November 2021, the PIPL's three major transfer mechanisms are:

  • passing a CAC-led security assessment, which applies only to those organisations which trigger certain thresholds set out under the implementation measures that became effective from 1 September 2022;
  • obtaining a certification from an authorised institution, although the implementation of the underlying scheme remains untested as these institutions are generally not yet active in the market; and
  • signing the Standard Contract, which, compared to the other two mechanisms, appears to be a relatively business-friendly method without involvement of a government body or government-authorised third party.

International businesses may also transfer data by fulfilling other conditions provided in laws or administrative regulations or by the CAC. However, details of these routes are yet to be made publicly available.

EU SCCs: Comparison and contrast

Those that studied the draft Standard Contract that was released in June last year would have noted the similarities to the EU SCCs, which may be used to legitimise exports of personal information from the EU under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This is still the case, as both the Standard Contract and the Measures generally remain the same as their 2022 drafts.

Nevertheless, the template contract differs from the EU SCCs in several aspects, such as the scope of application, overall structure, and the additional filing obligations that it carries. Understanding the gaps between the Chinese and GDPR regimes will be essential for businesses that are seeking to use both the Standard Contract and the EU SCCs as part of their international data transfer strategy.

A comparison table highlighting some key issues across the Standard Contract and the EU SCCs is set out below.

Key issue


China Standard Contract

Comparison and commentary

Scope of application

EU data exporters can use the EU SCCs to make cross-border transfers to a data importer located in a third country outside of the EU, where that country has not been granted an adequacy decision (so-called 'whitelisted' jurisdictions).

If the personal information processor (a term similar to a 'controller' under the GDPR) which seeks to make a cross-border data transfer is not subject to the security assessment regime, the Standard Contract can be used. To qualify, the organisation must:

  • not be a critical information infrastructure operator, as outlined in other cybersecurity rules released by the CAC;
  • process personal information of no more than 1 million individuals;
  • have provided personal information of no more than 100,000 individuals in aggregate to overseas recipients since 1 January of the previous year; and
  • have provided sensitive personal information of no more than 10,000 individuals in aggregate to overseas recipients since 1 January of the previous year.

Materially different

The Standard Contract has a narrower scope of application (both in terms of sectoral relevance and data volumes) than the EU SCCs.

The Measures - as released in final form - explicitly prohibit organisations from splitting the volume of data to be exported via Standard Contracts among different entities in order to avoid meeting the thresholds for a mandatory security assessment. This new provision seeks to prevent organisations using the Standard Contract to circumvent the more onerous security assessment mechanism, which it is understood the CAC thinks has been adopted less than it envisaged.

Overall structure

Four-module approach

EU SCCs can be adopted for personal information exports:

  • from a controller to another controller ('C2C');
  • from a controller to a processor ('C2P');
  • from a processor to a sub-processor ('P2P'); and
  • from a processor to its appointing controller ('P2C').

One-size-fits-all approach

The Standard Contract has been released in one form that must be signed between a personal information processor and an offshore recipient, despite the CAC having considered a two-module approach like that adopted under the recommendary measures applicable in Hong Kong Special Administrative Region ('SAR').

Radically different

Multinational organisations will likely find it difficult to apply the one-size-fits-all terms of the Standard Contract to all transfer scenarios in practice. Compared with the multiple circumstances that are feasible with the EU SCCs, this aspect will be challenging for international business. For example:

  • Can an overseas personal information processor that is subject to the extraterritorial application of the PIPL adopt the Standard Contract?
  • The Standard Contract does not appear to allow a China-based entrusted party (akin to a 'data processor' under the GDPR) to adopt the Standard Contract with its offshore recipients. If so, how can an entrusted party legitimise its cross-border transfers, for example, when acting as a service provider to overseas affiliates?

Flexibility of contract

One or more modules of the EU SCCs can be included in a master contract and supplemented with other provisions or additional safeguards, so long as they do not contradict with the EU SCCs or prejudice the fundamental rights or freedoms of data subjects.

The EU SCCs are also expressly designed to be adopted by multiple controllers and/or processors and include a 'docking' clause to subsequently add further parties.

The Measures state that the Standard Contract must be concluded in strict accordance with the CAC's form. A domestic organisation may agree other terms with its overseas counterpart and record these in the second appendix to the Standard Contract. However, these additional terms must not conflict with the Standard Contract.

Differences exist, but with some similarities

The Standard Contract seems to be less flexible in its form than the EU SCCs. This will create a challenge for international businesses' global data transfer programmes if they are to meet the requirements imposed on the form of the Standard Contract.

It will be crucial for the CAC to clarify whether the Standard Contract must be used in a bilateral manner or can also be revised so it is multilateral (as the EU SCCs allow) for use in the existing intra-group data transfer agreements of international groups.

Pre-contract step: transfer impact assessment

The EU SCCs and related European Data Protection Board guidance require a transfer impact assessment ('TIA') to be conducted to assess the risk of transferring personal data to the relevant third country. A key objective of the TIA is to examine the extent of data access rights of local law enforcement and national security agencies in the third country.

There is no specific retention requirement for holding TIA records. However, in practice, organisations should retain their TIAs to assist in complying with their accountability obligations under the GDPR.

Under the PIPL, a personal information processor must conduct a personal information protection impact assessment ('PIPIA') before any data export. The PIPIA must include an assessment of the impact of local policies and applicable laws regarding the protection of personal information on compliance with the Standard Contract.

A PIPIA must be retained for three years.

Differences exist, but with some similarities

To prepare PIPIAs, domestic organisations can be expected to request information on the offshore party's circumstances as the recipient of the personal information, including the protections afforded to that information under the local law of place in which the offshore recipient is located, together with information on the offshore party's data security practices.

Undertaking a compliant PIPIA will likely be time consuming. Multinational groups should implement procedures to map their data processing and data flows and consolidate the data required to complete a PIPIA on the relevant data export activities.

Post-contract step: filing procedure

EU SCCs do not require filing with the competent supervisory authority. However, the EU authorities may request to review relevant EU SCCs in certain circumstances, such as an audit or investigation.

A personal information processor must file both the Standard Contract and the report generated by the PIPIA with the provincial branch of the CAC that supervises the location where the organisation is registered. The filing must be completed within ten days from the effective date of the Standard Contract.

If certain changes occur that may affect interests in the personal information, the data exporter must reconduct the PIPIA, supplement, or resign the Standard Contract.

Materially different

Because the Standard Contract and corresponding PIPIA must be filed, domestic enterprises can be expected to make increasing numbers of information requests of overseas counterparties for the purposes of undertaking compliant PIPIAs. This may lead to service providers seeking to prepare the relevant information in advance to give them a competitive advantage in servicing Chinese businesses expanding abroad.

International organisations must consider implementing an ongoing monitoring protocol to flag when changes to their data export activities affect a filed PIPIA and/or Standard Contract.

Compliance with data processing principles and safeguards

Aligned with the GDPR requirements, parties are required to comply with obligations and principles of lawful processing, transparency, data minimisation, respecting data subject rights, limitation of storage, security, and accountability.

Aligned with the PIPL requirements, parties are required to comply with obligations and principles of lawful processing, transparency, data minimisation, respecting data subject rights, limitation of storage, security, and accountability.

Generally aligned

Data processing terms

Provisions are included in the EU SCCs that meet the requirements of Article 28 of the GDPR in respect of data handling by processors (where applicable).

Provisions are included in the Standard Contract that meet the requirements of Article 21 of the PIPL in respect of data handling by an entrusted party.

Generally aligned

Acceptance of oversight from supervisory authorities

The party receiving the personal information must accept supervision by the relevant EU supervisory authority, including to respond to enquiries, cooperate with audits by, and comply with measures adopted by, the supervisory authority.

The parties to the EU SCCs must also be able to show their compliance with the EU SCCs, and make available to the supervisory authority, upon request, documentation evidencing that compliance and the corresponding processing activities.

The offshore recipient must accept the supervision and management of the Chinese supervisory authority during the term of the Standard Contract, including to respond to enquiries and comply with measures adopted or decisions made by that authority.

The parties to the Standard Contract must be also able to show their compliance with the Standard Contract, and make available to the competent authorities on request documentation evidencing that compliance and the corresponding processing activities.

Generally aligned, but a new term requires notification of government access requests which may cause a possible conflict of law

The final form of the Standard Contract contains a new provision requiring the offshore recipient to immediately notify the data exporter when the recipient receives a data access request from a local government department or judicial authority. Since this new obligation does not have any exceptions provided under the Standard Contract or the Measures, conflicts of laws will likely occur between the two jurisdictions. Namely, where a notification is prohibited under the law of the foreign jurisdiction, failing to make the notification to the party in China would likely constitute a breach of contract, while notifying the Chinese party in accordance with the Standard Contract's obligation may lead to a violation of the overseas jurisdiction's regulatory requirements.

Governing law and choice of jurisdiction

Depending on the four modules:

  • C2C: Parties may select the governing law of any EU Member State, provided that such law permits data subjects to enjoy third-party beneficiary rights. Parties may agree on the jurisdiction of the courts of any EU Member State. Data subjects may also make claims against the Chinese party and/or offshore recipient before the courts of the EU Member State in which they have their habitual residence.
  • C2P or P2P: Parties must select the governing law of the EU Member State where the data exporter is located, provided that such choice of law permits data subjects to enjoy third-party beneficiary rights (and where that is not the case the governing law must be that of an EU Member State that does permit those rights). Choice of jurisdiction is the same as for the C2C module.
  • P2C: Parties can select the governing law and jurisdiction of the courts of any country, provided that in the case of governing law such law permits data subjects to enjoy third-party beneficiary rights.

The Standard Contract is solely governed by laws and regulations of mainland China.

If disputes arise between the data exporter and data importer, they can resolve the dispute through an arbitration institution that is a member of the 'New York Convention', or through litigation conducted in courts of mainland China.

If a data subject (as a third-party beneficiary) claims against the personal information processor or the offshore recipient, the jurisdiction should be determined in accordance with the provisions of China's Civil Procedure Law.

Materially different

Many multinational organisations will embrace the option of agreeing on an arbitration institution that is a member of the New York Convention, since they have been traditionally hesitant to bring disputes in China because of concerns on impartiality and practical issues, such as choice of language.

Next steps

The Chinese authorities are pushing implementation of their transfer regimes forward, and the regulatory sanctions for cyber and data non-compliance are increasing. If they are still yet to start, international organisations conducting cross-border business in or with mainland China must complete comprehensive data protection examinations and assess which outbound transfer mechanisms they may utilise or have to comply with.

The Standard Contract and the Measures will take effect on 1 June 2023. New in-scope data exports from mainland China (including to Hong Kong SAR) must use the Standard Contract from that date, unless another transfer mechanism is mandatory or chosen. Although a six-month grace period applies to existing transfer arrangements, it may take months to renegotiate and sign revised agreements with counterparties - particularly those outside China that do not wish to increase their legal exposure to its regulators.

Time is now of the essence to ensure compliance in this crucial market for so many multinational groups.

Alex Roberts Counsel
[email protected]
Linklaters, Shanghai
Roger Li Associate
[email protected]
Tiantian Ke Associate
[email protected]
Zhao Sheng Law Firm, Shanghai