Companies that export personal data out of China have roughly one month to adopt China’s Standard Contractual Clauses (“SCCs”) to comply with the Cyberspace Administration of China’s (“CAC”) deadline of June 1, 2023. As outlined in previous client alerts, the SCCs are one of three mechanisms in place for cross-border data transfers from mainland China to other jurisdictions.
Many multinationals will be impacted by these requirements because Chinese employment data, which is regularly accessed by those outside of the country, is included in China’s definition of personal information under the Personal Information Protection Law (“PIPL”). In order to comply, data exporters must: (i) complete a self-assessment which must be filed with the CAC; (ii) incorporate the SCCs into existing intercompany and third party agreements; and (iii) obtain consent from data subjects in China.
There are three key components in the China SCC adoption process, as detailed below. SCC use is reserved for lower risk entities. Entities that process large amounts of data, that are considered critical infrastructure, or that process specific data the Chinese government deems higher risk may not use the SCCs for transfers.
- Complete a Personal Information Protection Impact Assessment. This must be filed with the CAC within 10 days of adoption of the SCCs.
- Supplement current data transfer agreements (or adopt new ones) with the SCC language. While entities may not make material changes to the SCCs, there is an ability to introduce supplemental obligations if they do not conflict with the standard terms.
- Obtain consent from the data subjects to transfer the data outside of China. Entities may need to seek additional consent from data subjects for the transfer of data outside of China.
If you have any questions about the SCCs or need assistance with any of the above, please do not hesitate to reach out to one of the contacts listed below.
Zhenyu "Jay" Ruan
Jay Ruan specializes in corporate and M&A and regulatory advisory matters in China. He has acted for clients across a broad range of industries, and has extensive experience in advising clients on strategic joint ventures and business alliances, corporate-commercial and technology transactions, TMT regulatory matters as well as financial service and insurance regulatory.
Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.
Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.
Manisha is an associate in the Data Privacy and Security practice group based in Chicago, advising global organizations on privacy and data security compliance requirements, as well as data security incident response.
Adam Aft helps global companies navigate the complex issues regarding intellectual property, data, and technology in product counseling, technology, and M&A transactions. He leads the Firm's North America Technology Transactions group and co-leads the group globally. Adam regularly advises a range of clients on transformational activities, including the intellectual property, data and data privacy, and technology aspects of mergers and acquisitions, new product and service initiatives, and new trends driving business such as platform development, data monetization, and artificial intelligence.
Cynthia is an Intellectual Property Partner in Baker McKenzie's Palo Alto office. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields.
Nick's practice focuses on privacy and cybersecurity, particularly in the healthcare and technology industries. His substantive technical experience, experience with the HIPAA Rules, and deep understanding of information security and privacy regulators' expectations, allows Nick to efficiently guide clients on compliance with emerging laws, regulatory oversight and obligations created through contract.
Stephen Reynolds frequently advises clients on complex matters involving data privacy and security laws and serves on the board of directors of the International Association of Privacy Professionals (IAPP). Stephen’s expertise adds value to organizations by mitigating cyber threats through proactive preventative measures and navigating complex litigation on behalf of clients in data privacy and security. He is uniquely able to and routinely uses his computer background in cases involving data privacy and security, electronic discovery, social media discovery, and computer forensics.
Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.