In Brief
On February 24, 2023, the Cyberspace Administration of China (CAC) released the final version of the Standard Contractual Clauses (SCCs) and SCC Measures for the cross-border transfer of personal data under the Personal Information Protection Law (PIPL). The SCCs provide a mechanism for businesses to transfer personal information from mainland China to other jurisdictions. China’s SCCs closely mirror the EU’s SCCs, which were updated in 2021, but feature several important distinctions described in detail below. As an alternative to the SCCs, organizations may instead be subject to a security assessment by the CAC or certification by designated institutions, depending on the legal nature of the organization and the number of individuals in China whose data it exports.
In Depth
Background
- The final SCCs and SCC Measures were released by the CAC on February 24, 2023.
- The SCCs become effective on June 1, 2023, for cross-border data transfers, but organizations should start the implementation process as soon as possible. Any personal information transferred prior to June 1, 2023, is still subject to the new SCCs, but the compliance deadline for this data is November 30, 2023.
Scope
As discussed, China has provided three mechanisms for data transfers. Any organization that transfers personal information outside of China must adopt one of the three mechanisms. Security assessments are intended for large-volume data exporters and involve a comprehensive review by the CAC of the suitability of the transfers based on the organization’s self-assessment. On the other hand, the certification mechanism—which had formerly been proposed to be restricted to intra-group transfers but is now more generally available—requires contractual and organizational measures, as well as the preparation of an impact assessment. In practice, the certification mechanism has been implemented very recently and has not been widely utilized.
A data exporter relying on the SCCs must not exceed strict thresholds. The SCCs are not available to entities that have processed the personal data of more than one million individuals, made aggregate transfers of more than 100,000 individuals’ personal data since January 1 of the preceding year, or made aggregate transfers of sensitive personal data of more than 10,000 individuals since January 1 of the preceding year. Applicants may not attempt to circumvent these thresholds by employing methods like “quantity splitting” with regard to transfer volume. Additionally, critical information infrastructure operators, which are defined broadly under China’s Cyber Security Law, are not eligible to rely on the SCCs.
Key requirements
Entities utilizing the SCCs for cross-border transfers must meet two requirements. First, the data exporter must conduct a data transfer impact assessment (DTIA). Second, the data exporter must enter into agreements with overseas recipients of the data that comply with the SCCs.
When completing the DTIA, organizations must consider multiple factors relating to the proposed transfer, including the volume, scope and sensitivity of data being transferred, the necessity and appropriateness of the transfer, obligations of the recipient to safeguard the data, technical and organizational measures in place to prevent disclosure, and the data protection laws of the destination jurisdiction, among others. The DTIA, along with the SCCs, must be filed with the CAC within 10 working days of the execution of the SCCs.
The SCCs are similar to the GDPR SCCs, but differ in several key respects. Unlike the EU SCCs, which are modular and provide different versions for different transfer arrangements, the China SCCs adopt a one-size-fits-all approach and do not distinguish between whether an exporter or recipient is a controller or a processor. Furthermore, while parties relying on the SCCs may not make any substantive changes to the SCCs, they may introduce supplemental obligations if they do not conflict with the obligations of the standard terms of the SCCs.
The China SCCs also impose stricter requirements on onward data transfers than the EU SCCs. For example, under the China SCCs, onward transfer of the data is only permitted if the data subjects are notified, technical security measures are implemented, and the ultimate recipient of the data enters into the agreement. In practice, this could impose significant barriers in the event that the data recipient needs to transfer the data to a third party, and careful planning at the outset should take such contingencies into account as needed. The SCCs also empower Chinese authorities to request information from the data recipient regarding its use of the data.
Notably, data subjects are designated as third-party beneficiaries under the SCCs and may bring a claim against both the data exporter and the recipient for any misuse of data or breaches of the SCCs. The SCCs further differ from the EU SCCs by requiring that the cross-border data transfer agreement be governed by Chinese law.
Implications and next steps
We recommend that businesses engaged in cross-border data transfers from China:
- Identify China cross-border data transfers. Businesses operating within China and collecting personal data from Chinese subjects should assess whether they are engaged in the types of outbound transfers that may require them to rely on one of the PIPL data transfer mechanisms.
- Identify which transfers will be affected. Businesses conducting such cross-border transfers should review their data transfers to quantify the volume of data (and sensitive data, if applicable) they export. This exercise will help determine which of the transfer mechanisms is available.
- Consider how to scale the implementation of the new SCCs. If SCCs are identified as the appropriate transfer mechanism, businesses should identify vendors and other recipients of personal data and coordinate with them to ensure transfer agreements comply with the SCCs and necessary technical and organizational measures are in place.
If you have any questions about the new SCCs, please do not hesitate to reach out to one of the contacts listed below.