In recent years, China has adopted a series of complex regulations around cybersecurity and privacy. In 2022, it issued rules for cross-border transfers of data, and its version of Standard Contractual Clauses (“China SCCs”) in February 2023. The China SCCs became effective in June, but there was a six month grace period for filing, until November 30, 2023.
Any company that has a presence in China or processes or transfers Chinese resident data outside of China will likely be required to comply with China’s comprehensive data protection law, the Personal Information Protection Law (“PIPL”). The PIPL outlines three legal mechanisms for cross-border data transfers: (1) the SCCs; (2) a Security Assessment with the Cybersecurity Authority of China (“CAC”); or (3) Security Certification by the Chinese government. The Chinese government has not provided details on the Security Certification process, thus companies are left with the other two options.
To determine their eligibility to rely on the transfer mechanisms, companies must assess the volume and type of data processed and transferred to determine the applicable mechanism. Companies must determine the volume of processing and transfers since January 1 of the previous year; put another way, if a company is doing the assessment today, it must review the below thresholds for January 2022 to September 2023.
The following companies must complete the Security Assessment process before exporting data from China: (1) those that have processed the personal information for more than one million Chinese residents or who are considered “critical information infrastructure operators”; (2) those who have exported the personal information of 100,000 Chinese residents or the sensitive personal information of 10,000 Chinese residents; (3) those who have exported “important data”, which is a broad category that is not clearly defined but generally any data that may be in China’s national security interest; or (4) other situations provided for by the CAC, which is a catch-all provision that has not been clearly defined.
If a company does not meet one of the processing or export thresholds above, and is not transferring important data, it may utilize the China SCCs for cross-border transfers. The company exporting data out of China (“Data Exporter”) is required to submit the SCCs and a data transfer impact assessment (“Assessment”), in Chinese, to the local CAC authorities within 10 working days after an executed China SCC-based data transfer agreement becomes effective. For existing agreements, the SCCs and the Assessment must be filed by November 30, 2023. Unlike some other data transfer schemes, the China SCCs do not distinguish between data controllers and data processors, providing only a single universal template, which must be strictly followed by all Data Exporters. Based on preliminary filings, it is clear that the CAC is requiring very detailed documentation, and it has the option to fail a company and request additional details, which it regularly does.
Companies are often surprised by the complexity of the SCC requirements. For example, the Assessment is more detailed and requires more specific information than similar data protection impact assessments. Additionally, companies that have multiple legal entities in China or that utilize several service providers may be required to make multiple filings. As such, we recommend companies that have not already started the process do so as quickly as possible. As a first step, companies must identify the type and volume of data being transferred from China to determine if they can utilize the China SCCs, or if they need to go through the CAC Security Assessment process. Then, companies should determine the best approach and strategy for data transfers given the complexity of the Chinese rules.
If you have questions or would like to receive an English translation of the China SCCs or Assessment template, please contact one of the authors of this article. Our US and China privacy and security attorneys regularly assist clients with China privacy and cybersecurity compliance, and are happy to provide any assistance needed.