On February 24, 2023, the Cyberspace Administration of China (“CAC”) released standard contractual clauses (“SCCs”) and accompanying SCC Regulations, as part of China’s Personal Information Protection Law (“PIPL”).
These Chinese SCCs are one of three mechanisms for cross-border transfers of personal information from China.
The Chinese SCCs are available as a transfer mechanism so long as the data exporter:
- is not a critical information infrastructure operator (“CIIO”) – business entities in financial, energy, telecom, public utility, health care, transportation, e-government and other sectors that bear on the national security and public interest of China;
- has not processed the personal data of more than 1 million individuals;
- has not transferred personal data of more than 100,000 individuals since Jan. 1 of the preceding year; and
- has not transferred sensitive personal data of more than 10,000 individuals since Jan. 1 of the preceding year.
As such, the Chinese SCCs provide a transfer mechanism for relatively small amounts of personal data.
There are many similarities to Europe’s SCCs in terms of rights and responsibilities of the data exporter and recipient, and the need to conduct an impact assessment and execute a Data Transfer Agreement with appended SCCs between the parties prior to the data transfer.
However, the Chinese SCCs have some notable distinctions, including:
- a single universal template, regardless of whether the data exporter and recipient are a controller or processor of the data,
- the SCC-based data transfer agreement and the impact assessment report must be filed with the provincial CAC within 10 working days of the effective date, and must be written in Chinese,
- the data exporter must redo the impact assessment, review and update the data transfer agreement, and file the updates with the provincial CAC if anything changes that could affect the data subjects, such as:
  - the data retention period is extended,
  - changes to the purpose, scope, category, volume, storage location and sensitivity of personal data to be processed outside China,
  - changes to the personal data protection laws and policies in foreign destination countries affecting the data subjects,
- the data transfer agreement must be governed by Chinese law and enforceable in Chinese courts or arbitration,
- data subjects are third-party beneficiaries to the Chinese SCCs, and the data exporter and recipient are jointly and severally liable for the personal data transferred.
Given these particularities, U.S. companies that receive personal data from China, such as from subsidiaries, related entities, and outside sources such as contractors, vendors and suppliers, should consider whether there is a need to transfer personal data from China (which includes remote access from outside China or storage on a cloud server or central database outside China). If so, the Chinese SCCs can be used as a cross-border transfer mechanism provided the conditions are met.
The Chinese SCCs will go into effect on June 1, 2023, and must be used for all new data transfers as of that date. However, data transfers already occurring before June 1 will have a grace period until November 30, 2023, to bring the transfers into compliance. It is therefore advisable to begin compliance efforts so that there is sufficient time for the assessments and documentation to be prepared, translated, and filed.
This post was written by Jessica Mozingo