In brief

Companies that export personal data out of China have roughly one month to adopt China’s Standard Contractual Clauses (“SCCs”) to comply with the Cyberspace Administration of China’s (“CAC”) deadline of June 1, 2023. As outlined in previous client alerts, the SCCs are one of three mechanisms in place for cross-border data transfers from mainland China to other jurisdictions.  

Many multinationals will be impacted by these requirements because Chinese employment data, which is regularly accessed by those outside of the country, is included in China’s definition of personal information under the Personal Information Protection Law (“PIPL”). In order to comply, data exporters must: (i) complete a self-assessment which must be filed with the CAC; (ii) incorporate the SCCs into existing intercompany and third party agreements; and (iii) obtain consent from data subjects in China.

Background

There are three key components in the China SCC adoption process, as detailed below. SCC use is reserved for lower risk entities. Entities that process large amounts of data, that are considered critical infrastructure, or that process specific data the Chinese government deems higher risk may not use the SCCs for transfers.

  1. Complete a Personal Information Protection Impact Assessment.  This must be filed with the CAC within 10 days of adoption of the SCCs.
  1. Supplement current data transfer agreements (or adopt new ones) with the SCC language. While entities may not make material changes to the SCCs, there is an ability to introduce supplemental obligations if they do not conflict with the standard terms.
  1. Obtain consent from the data subjects to transfer the data outside of China. Entities may need to seek additional consent from data subjects for the transfer of data outside of China.

If you have any questions about the SCCs or need assistance with any of the above, please do not hesitate to reach out to one of the contacts listed below.