The final piece of the puzzle? China finalizes its SCCs for cross-border transfers of personal data

On February 24, 2023, the Cyberspace Administration of China ("CAC") released the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information ("SCCs Measures") along with the Standard Contractual Clauses ("SCCs") that set a baseline for data transfer agreements. Coming into effect on June 1, 2023, the SCCs Measures provide a six-month grace period to allow data exporters to implement contracts compliant with the requirements.

Background

With the finalization of the SCCs Measures, China’s regulatory apparatus for cross-border transfers of personal data is formally settled. As highlighted in our earlier posts (July 12, 2022 and September 8, 2022), organizations transferring personal data from mainland China are required to complete a CAC security assessment where certain data volume thresholds are exceeded. With respect to transfers of personal data falling below these thresholds, data exporters have a choice to either obtain third-party certification by a professional institution authorized for this purpose or use the SCCs. For organizations whose data transfers fall below the threshold, the finalization of the SCCs has therefore been an important piece of the puzzle of Chinese cross-border data transfer regulation. Although the SCCs specifically apply only to sub-threshold transfers, the mandatory terms set out in the SCCs will also shed light on the legal terms the CAC will expect to cover larger transfers which are subject to security assessment.

Below we briefly discuss key provisions of the SCCs Measures and the SCCs, including a comparison with the drafts published June 30, 2022 (see here for our previous coverage), discuss concerns we have with the SCCs and suggest action items for organizations considering the implementation of the SCCs in practice.

Key provisions unchanged

  • Scope of Application of SCCs: As was the case with the draft SCCs Measures, the SCCs are only available in respect of smaller transfers of personal information, covering transfers both on a “controller-controller” and “controller-processor” basis, where the data exporter meets each of the following requirements: (i) it is not an “operator of critical information infrastructure”; (ii) it does not process the personal information of more than 1 million individuals; and (iii) its cross-border data transfers do not involve the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals, in either case, since January 1st of the preceding year.
  • Adoption of SCCs: The data exporter is required to file the executed SCCs with the local provincial CAC within ten business days of the SCCs becoming effective, together with a report on the data protection impact assessment (“DPIA”) undertaken in respect of the transfer. The scope of this DPIA is similar to that set out in the CAC security assessment.
  • Liabilities to data subjects and data subject rights: Data subjects enjoy direct rights of enforcement of the SCCs exercisable against both the data exporter and the offshore recipient of the data. The data exporter and the offshore recipient will be jointly liable to data subjects if the SCCs are breached in a way that infringes the rights of data subjects.
  • Governing law and dispute resolution: The SCCs are required to be governed by Chinese law, with dispute resolution through a choice of arbitration venues specified in the template or by the Chinese People’s Court.

What's new in the SCCs Measures

  • Grace period: Coming into effect on June 1, 2023, the SCCs Measures provide a six-month grace period to allow data exporters to make any necessary rectification with respect to the cross-border data transfers already taking place.
  • Non-circumvention of CAC security assessment requirements: In the final version of the SCCs Measures, the CAC states that data exporters should not seek to split data transfer volumes so as to slip under the CAC security assessment thresholds and so avoid having to file an assessment. The SCCs Measures do not go into detail, however, as to what circumstances would constitute a circumvention.
  • CAC’s supervision of data transfers after the execution of SCC: The final SCCs Measures moderate the authority originally proposed for provincial CACs to exercise post-event supervision of cross-border transfers. The final SCCs Measures provide that the CAC will only take action where greater risks are associated with the cross-border data transfer and/or any security incidents have occurred. Further, the CAC will not directly stop such transfers, but will instead meet with the data exporter before directing any remediation. 

What do you need to know about the SCCs?

For many organizations, key questions will arise as to whether there are any unpalatable terms in the SCCs and how the SCCs compare to more familiar data transfer terms, such as the European Union’s standard contractual clauses under Regulation (EU) 2016/679 (the “EU SCCs”):

  • Must the SCCs be adopted verbatim, or can other clauses be used instead? The SCCs Measures leave scope for the data exporter and offshore recipient to incorporate non-standard terms into Appendix II of the SCCs, provided that those terms do not conflict with the SCCs, but expectations are that the SCCs set out in the SCCs Measures must be used verbatim. There may be room to explore flexibility with the CAC.  However, given that (i) the SCCs must be filed with the CAC; and (ii) the SCCs only apply to relatively small transfers of personal data, we can anticipate that many organizations will opt to have a stand-alone set of clauses for China, or perhaps schedule the China SCCs to a comprehensive data transfer agreement as part of their global compliance solution.
  • Controller-controller, controller-processor, processor-processor, processor-controller? Those who have grown accustomed to using the EU SCCs will be familiar with their modular approach covering four types of processing arrangements noted in the heading. The SCCs appear to have been drafted on the assumption that the equivalent to a “data controller” will be located in mainland China, with the same clauses covering both controller-controller and controller-processor transfers. The SCCs do not draw any general distinction between controller-controller and controller-processor transfers, but specific clauses in the SCCs do refer to entrustment arrangements, creating some differences as to how the clauses apply in those circumstances.
  • Do the SCCs make the offshore recipient subject to oversight by Chinese authorities? Similar to Clause 13(b) of the EU SCCs in respect of European compliance, clause 3.13 of the SCCs requires the offshore recipient to agree to be subject to the supervision and management of the CAC, including responding to CAC inquiries, cooperating with CAC's inspections, complying with decisions taken or made by the CAC and providing written evidence that necessary actions have been taken.
  • Does the separate consent requirement only apply when consent has been used as the lawful basis for the transfer? PIPL’s “separate consent” requirement for cross-border transfers (generally understood to involve a separate, “tick-box” form of consent) is said to only be required where personal data is transferred with data subject consent as the applicable lawful basis. This change to the SCCs Measures is very interesting given its potential to have broader interpretive impact for the PIPL. Many organizations find the separate consent requirement to be onerous, and this change to the SCCs Measures supports broader arguments that separate consent requirements only apply under PIPL where consent is the lawful basis for processing, as opposed to other lawful bases provided for under PIPL.
  • Can the use of SCCs be invalidated based on changes in law in the offshore jurisdiction? There has been much focus on the use of the EU SCCs in the wake of the Schrems II litigation and the need for those exporting personal data from Europe to validate the use of the EU SCCs against local law conditions in the jurisdiction where the personal data is being received. In a similar vein, the final version of the SCCs requires both parties to warrant that they are not aware of any local law requirements that could impede the offshore recipient from complying with its obligations under the SCCs. The SCCs also provide that a change in the personal information protection policies and regulations of the country/region (including the mandatory measures by local authorities) where the offshore recipient is located that prevents the offshore recipient from performing its obligations under the SCCs is an additional triggering event for the suspension and termination of the SCCs.
  • How is liability allocated between the data exporters and offshore recipients? The CAC has simplified the treatment of contractual liabilities in the final SCCs: (i) providing the data exporter and the offshore recipient with more freedom to determine their respective liabilities for breach of the SCCs; and (ii) narrowing the circumstances in which the data exporter and the offshore recipient will be jointly liable to data subjects to those cases which are required by Chinese laws and regulations (under the PIPL, if the data exporter and the offshore recipient are data controllers jointly processing personal information, they shall bear joint and several liability for damages caused to data subjects due to breaches of the PIPL). In those cases, either party is entitled to recover contribution from the other party if it assumes a liability that exceeds its due share. The effectiveness of the third party rights of enforcement under the SCCs remains to be seen. Perhaps more pertinently, there is a question of whether the incorporation of third party rights of enforcement into the SCCs means that larger data transfers processed under the CAC security assessment must also incorporate such a provision into the data transfer terms.

Next Steps?

The finalization of the SCCs Measures and the SCCs brings a degree of greater clarity to the treatment of international transfers of personal data under PIPL. With the March 1, 2023 deadline for filings under the CAC security assessment having passed, organizations should be carefully assessing their China data transfers and taking advice accordingly.

For transfers falling below the CAC thresholds, companies should evaluate their use of the SCCs, noting that third-party certification is an alternative approach to the SCCs, but one which requires the engagement of a state-approved third-party institution that will undertake a review similar to the CAC security assessment. Using the SCCs may be more convenient on the basis that it is less invasive and potentially less costly, particularly in proportion to the small scale of the data transfers addressed by these routes to compliance.

Where the SCCs are used, the data exporter is required to do the following:

  1. Complete a Data Protection Impact Assessment: A DPIA will be required prior to the cross-border data transfers. In the absence of a standard format for DPIA in the context of SCC, the approach to self-assessment required for the CAC security assessment and the recommendations concerning DPIA contained in the non-binding national standard GB/T 39335-2020 Information security technology-Guidance for personal information security impact assessment may be useful reference points.
  2. Prepare and execute the SCCs: Given that the data exporter and offshore recipient are required to use the SCCs verbatim, there will be little room to negotiate their terms. However, the offshore recipients will need to carefully evaluate and understand the SCCs’ implications for their operations, taking steps to ensure that their internal data policies and procedures accommodate the requirements of the SCCs.
  3. Complete the CAC Filing: Data exporters are obliged to file the executed SCCs and DPIA report with their local provincial CAC within 10 business days from the effective date of the executed SCC.

The regulation of cross-border transfers of personal data under PIPL is continuing to evolve.  The slow uptake of applicants under the CAC security assessment procedure suggests that international businesses continue to have concerns about the sensitivity of disclosures they are expected to make under that procedure.  For smaller transfers, the SCCs provide a less intrusive approach to compliance, but careful review of the terms and conditions will nevertheless be important.

Authored by: Mark Parsons, Sherry Gong, and Flora Feng.