International: Comparing China's Standard Contract to the EU's SCCs
As the digital economy continues to expand globally and data protection regimes vary across jurisdictions, multinational companies carrying out cross-border data transfers face challenges in complying with the data protection regulations of several jurisdictions at once. In this context, relatively flexible approaches to cross-border data transfers that involve less regulatory involvement will become important instruments for multinational companies seeking to navigate this legal landscape.
In this Insight article, Dora Luo (Duoqun), Partner at Hunton Andrews Kurth LLP, examines the similarities and differences between the Standard Contract for Cross-border Transfer of Personal Information (the Standard Contract) under the Personal Information Protection Law (PIPL) and the Standard Contractual Clauses (SCCs) under the General Data Protection Regulation (GDPR), with a particular focus on requirements, steps that must be taken before their use, circumstances that may require revision, and general comments.
The EU has implemented strict regulations to ensure the protection of personal data in cross-border data transfers. One such regulation is the GDPR, which requires that all cross-border transfers of personal data outside the EU must have an adequate level of protection. To meet this requirement, the European Data Protection Board (EDPB) issued SCCs as an appropriate safeguard to legally transfer personal data outside of the EU. On this basis, updated SCCs were issued by the European Commission on June 4, 2021, and include 18 clauses covering topics such as third-party beneficiaries, data protection safeguards, and data subject rights. These clauses provide a standardized set of contractual terms and conditions that organizations can use to ensure that personal data is protected when it is transferred outside the EU. This legal instrument has become an essential tool for companies and organizations that transfer personal data across borders, helping them to comply with the GDPR and protect the privacy of individuals.
On the other hand, the Cyberspace Administration of China (CAC) issued the Measures and the Standard Contract on February 22, 2023. They became effective as of June 1, 2023, and the grace period for compliance is six months, which means the relevant data handlers must complete remediation before December 1, 2023. On May 30, 2023, the CAC further promulgated the Guidelines for Filing the Standard Contract for Outbound Cross-Border Transfer of Personal Information (First Edition) (the Filing Guidelines), which set out more detailed requirements for filing the signed Standard Contract with the competent Chinese cyberspace authority.
Based on Article 38 of the PIPL, if a data handler is not required to conduct a CAC security assessment for cross-border data transfers, it may choose either to obtain certification from a qualified third-party institution in China or to execute the Standard Contract in order to transfer personal data outside of China. Certification might be more commonly used for cross-border transfers within a group, whereas the Standard Contract may be more popular for small-volume or sporadic transfers, or in scenarios where the data handler and the overseas data recipient can be clearly identified. Meanwhile, given that the execution of the Standard Contract is relatively flexible and subject to less regulatory involvement, it might become a popular approach to cross-border data transfers for the relevant data handlers in China.
Conditions for use
Under the Measures, data handlers must satisfy all of the following conditions to be eligible for the execution of the Standard Contract for cross-border transfers:
- they are not considered critical information infrastructure operators;
- they do not process personal information of more than 1 million individuals located in China;
- they cumulatively transferred personal information of less than 100,000 individuals located in China from January 1 of the previous year; and
- they cumulatively transferred 'sensitive' personal information of less than 10,000 individuals located in China from January 1 of the previous year.
It is also noted that the Standard Contract only applies to personal data transfers rather than important data from China to overseas recipients, as the cross-border transfer of important data shall be subject to stricter regulatory requirements.
Before transferring personal data outside of China by execution of the Standard Contract, the relevant data handlers must obtain the explicit consent of the relevant data subjects or provide them with a clear and conspicuous notice of the data transfer, unless a legal basis other than the data subject's consent applies. If any personal information of a minor under the age of 14 is involved, separate consent from the minor's parent or other guardian shall be obtained; if written consent is required by laws or administrative regulations, such written consent shall be obtained.
Based on the Standard Contract, except for cases where the obligation to inform the data subject is not required by laws and administrative regulations, the domestic data handler shall inform data subjects of the following items:
- the name of the overseas recipient, contact information, the purpose of processing personal information transferred abroad, the method of processing, the type of personal information, the retention period, the method and procedure for exercising data subject rights, and other matters;
- the data subject is a third-party beneficiary of the Standard Contract and may enjoy the rights of a third-party beneficiary pursuant to the Standard Contract; and
- if a domestic data handler plans to provide sensitive personal information abroad, it shall also inform the personal information subject of the necessity of providing sensitive personal information and the impact on personal rights and interests.
On the other hand, the SCCs allow data transfers to third countries in the absence of an adequacy decision. In particular, the SCCs apply to data transfers from the data exporter established in a Member State of the EU to the data importer in a third country. Furthermore, the SCCs do not require explicit consent, but require the data exporter to verify that the data importer can provide an adequate level of data protection. This includes verifying that the data importer has appropriate technical and organizational measures in place to protect the personal data, and that the data importer will comply with the obligations set out in the SCCs. The SCCs also require the data importer to assist the data exporter in complying with its obligations under data protection laws.
Steps before use
Before using either the Standard Contract or the SCCs, the parties are required to conduct a data protection impact assessment and implement appropriate technical and organizational measures. The Personal Information Protection Impact Assessment (PIPIA) requirements under the Measures are similar in concept to the Data Protection Impact Assessment (DPIA) requirement under the GDPR. These assessments aim to identify and assess the risks to individuals' privacy and personal data, reduce the risk of data breaches, and ensure compliance with data protection laws. Both must include an evaluation of the necessity and proportionality of the transfer, the nature of the data, the potential risks to individuals, and any safeguards to mitigate those risks.
Specifically, Article 5 of the Measures stipulates more detailed requirements for PIPIAs for cross-border transfers of personal information as follows:
- legality, legitimacy, necessity of purpose, scope, and method of processing personal information by the data handler and the data recipient;
- quantity, scope, type, and sensitivity of personal information to be transferred outside of China, and potential risks to rights and interests in personal information caused by the cross-border transfer;
- responsibilities and obligations that the data recipient assumes, and whether its management, technical measures, and capabilities to fulfill such responsibilities and obligations are sufficient to ensure the security of the personal information to be transferred;
- risks of disclosing, destroying, tampering with, or misusing personal information, and whether there is a convenient channel for individuals to assert their rights and interests in the personal information;
- impact of personal information protection policies and regulations in the country or region of the data recipient on fulfillment of the Standard Contract; and
- other matters that may affect the security of personal information to be transferred outside of China.
PIPIAs under the Measures shall be re-assessed in case of a major change to the key information subject to the Standard Contract, including, for example, a change to the purpose, scope, or type of data to be exported, its sensitivity level, the data storage location, the uses of the data by overseas recipients, or a change in the laws and regulations of the data recipient's home country that is likely to impact the protection of personal information rights and interests. Under the SCCs, where necessary, the DPIA shall be reviewed to assess whether there has been a change in the risk represented by the processing operations.
Both the Standard Contract and the SCCs require parties to have technical and organizational measures in place to ensure the protection of personal data. Technical measures refer to the use of technology to safeguard personal data, such as encryption, anonymization, and de-identification. Organizational measures refer to the policies, procedures, and controls put in place to manage the processing of personal data, such as training employees on data protection, implementing data retention policies, and conducting regular security audits. The SCCs specifically require parties to take measures to ensure the security of personal data, such as implementing appropriate technical and organizational measures to protect against unauthorized access, disclosure, or destruction of personal data, and to ensure the availability and integrity of personal data.
The SCCs combine general clauses with a modular approach to cater to various transfer scenarios and the complexity of modern processing chains. They provide four modules, including controller to controller, controller to processor, processor to controller, and processor to processor. Based on the module selected, controllers and processors should tailor their obligations under the SCCs to their role and responsibilities in relation to the data processing in question.
In contrast, the Standard Contract only has one module to transfer from data handler to data handler under different data processing situations. The data handler shall act as the personal information exporter and comply with the relevant requirements under the PIPL during cross-border data transfer activities. The overseas recipient, as the personal information importer, in most cases bears the same obligations regardless of the processing roles, such as:
- processing personal information with the minimum impact on the data subjects;
- implementing technical and management measures;
- conducting regular checks and access controls; and
- ensuring the confidentiality obligations of the personnel authorized to process the data, as well as obligations related to data breaches.
Circumstances requiring revision
Both the Standard Contract and the SCCs may require revision if there are changes in the law or circumstances that affect the adequacy of the protection provided by the measures.
The SCCs were updated in 2021 to address the judgment of the Court of Justice of the European Union (CJEU) in the Schrems II case, which invalidated the Privacy Shield agreement between the EU and the US. The updated SCCs now require data exporters to conduct a case-by-case assessment of the third country's laws and practices and to terminate the transfer if there are no appropriate safeguards.
Similarly, the Standard Contract may need to be revised if there are changes to Chinese data protection laws or regulations or changes in the risk environment that affect the adequacy of the protection provided by the Standard Contract.
The Standard Contract and the SCCs share many similarities, such as the requirement to conduct a PIPIA and DPIA, respectively, and the need for periodic reviews and updates.
However, there are also some differences: the Standard Contract must be filed with the competent cyberspace authority at the provincial level within 10 business days of the effective date of the Standard Contract. Based on the Filing Guidelines, the filing process for a signed Standard Contract includes the submission of materials, the review of materials, feedback on the filing result, and supplementary filing or re-filing. The PIPIA shall be filed together with the signed Standard Contract. The filing result can be 'Pass' or 'Fail.' If the result is 'Pass,' the CAC will issue a filing number to the data handler; if the result is 'Fail,' the data handler will be notified of the unsuccessful filing and the reason, and if additional materials are required, the data handler should complete the materials and resubmit them within 10 working days.
In contrast, there is no requirement to file the SCCs with a regulator. The SCCs can be included in a broader contract, and additional clauses or safeguards may also be added by the parties involved, as long as they do not conflict with the GDPR SCCs or infringe upon the fundamental rights of data subjects. For the Standard Contract, the contracting parties cannot change its provisions; they may conclude additional agreements in Annex II of the Standard Contract, but these cannot prejudice or conflict with the Standard Contract. In the event of any conflict between the Standard Contract and any other existing agreement between the data handler and the data recipient, the terms of the Standard Contract shall prevail.
In terms of governing law and jurisdiction, the SCCs permit the parties involved to choose the law and jurisdiction of third countries. The Standard Contract, however, shall be governed by Chinese law, and the parties may choose either litigation or arbitration as the dispute resolution mechanism, as mandated under the Standard Contract.
In case of a transfer to a data importer acting as a processor or sub-processor, specific requirements should apply in accordance with Article 28(3) of the GDPR. The SCCs should require the data importer to make available all information necessary to demonstrate compliance with the obligations set out in the clauses and to allow for, and contribute to, audits of its processing activities by the data exporter. With respect to the engagement of any sub-processor by the data importer, the SCCs should in particular set out the procedure for general or specific authorization from the data exporter and the requirement for a written contract with the sub-processor ensuring the same level of protection as under the clauses. Under the Standard Contract, the data recipient shall obtain consent from the data handler before entrusting a third party for processing. The processing purposes and means shall not exceed what is provided by the Standard Contract. Meanwhile, the data recipient shall supervise the third party's processing activities.
In conclusion, both the Standard Contract and the SCCs aim to provide adequate protection for personal data during cross-border transfers. However, data controllers should carefully consider the requirements and limitations of each measure before deciding which to use. It is also important to stay informed of any updates or changes to these measures and adjust data protection practices accordingly.
Dora Luo (Duoqun) Partner, PhD
Hunton Andrews Kurth LLP, Beijing