China SCCs for Cross-Border Data Transfer Are on the Way – Are You Ready?

China's Personal Information Protection Law ("PIPL") has attracted widespread attention since its promulgation last year. The legal requirements for cross-border data transfer under Chinese laws have been in the spotlight.

Article 38 of the PIPL provides for four permissible cross-border transfer mechanisms, one of which is the data transfer agreement entered into by business entities based on the standard contract ("China SCCs") formulated by the Cyberspace Administration of China ("CAC"). The GDPR Standard Contract Clauses are widely used by MNCs in their international data transfers, so business organisations have been waiting for the China SCCs with huge interest. On 30 June, CAC issued the draft Regulations of Standard Contracts for Cross-border Transfer of Personal Information ("SCC Regulations"), unveiling the long-awaited China SCC terms. The public consultation will end on 29 July 2022.

This note outlines major requirements of the China SCC mechanism, compares key similarities and distinctions between the China and GDPR SCC terms, and discusses what practical aspects business organisations should consider for the next steps.

Scope of Application

It is important to note that business entities cannot always rely on the China SCC structure for transferring personal information abroad. Under the SCC Regulations, a data handler (a PIPL concept similar to the data controller under the GDPR) is allowed to transfer personal data abroad by way of the SCC mechanism if all of the following conditions are satisfied:

  • the data handler is not a critical information infrastructure ("CII") operator;
  • it has not processed personal information exceeding 1 million individuals;
  • it has not made overseas transfers of personal information exceeding 100,000 individuals accumulatively since 1 January of the preceding year; and
  • it has not made overseas transfers of sensitive personal information exceeding 10,000 individuals accumulatively since 1 January of the preceding year.

The above thresholds seem to be aligned with the criteria set out in the Draft Regulations for Administration of Data Security issued in 2021. This means that a data transferor will have to go through the CAC-conducted security assessment if the transferor is a CII operator or, even if it is not a CII operator, if the data volume is more than any of the above thresholds. Therefore, from a practical perspective, it would be important for companies to perform a proper self-evaluation to assess whether they fall within the permissible scope to be able to make use of the China SCC mechanism for cross-border transfers.

The application scope of the China SCCs appears to be more stringent than the GDPR. As stated in Article 46 of the GDPR, in the absence of adequacy level of protection, the transfer of personal data out of the EU requires appropriate safeguards, which, among others, include the execution of standard data protection clauses. The GDPR does not seem to impose express restrictions (for example the nature of the data exporter or the volume of personal data) on the data exporter to be eligible for SCCs.

Template of the China SCCs

The SCC Regulations stipulate that where an entity in China intends to provide personal information to a foreign recipient on the basis of a contractual arrangement, the contract shall be based on the SCC terms attached to the SCC Regulations.

It is not uncommon for many MNCs to use a global template of cross-border data transfer agreements with necessary localisation to satisfy the local regulatory requirements. However, it is highly likely that the content and format of such localised data transfer agreements are still quite different from the China SCCs. The current draft of the China SCCs contains the main body of key clauses plus an appendix of supplementary clauses. The China SCCs are silent on whether the parties may sign the cross-border transfer agreement deviating from China SCC terms, but it seems to us that no changes to the main body of the China SCC would be allowed, although the parties may include, in the appendix, additional clauses which do not conflict with the main body.

The SCC Regulations also provide that any other commercial contracts cannot contravene the China SCC in terms of cross-border data transfer; otherwise the enforceability of those commercial contracts will be affected. This means that after the final version of China SCC is adopted, business organisations will need to do a sweeping review of the data transfer clauses in their ongoing commercial contracts, to ensure that those commercial contracts are consistent with the provisions of the China SCCs and if not, necessary changes and updates must be done as soon as possible.

Unlike the different modules (i.e. C-C, C-P, P-P, P-C) under the GDPR SCC terms, China SCCs do not differentiate scenarios based on the role of the parties. Regardless of whether the parties are a data controller or a data processor, only one China SCC template will apply.

Analysis of Key Clauses of the China SCCs

The SCC Regulations require that the China SCCs should consist of the following clauses:

  • basic information of personal information data exporter and overseas recipient;
  • the purpose, scope, type, sensitivity, quantity, method, storage period, and storage location of personal information transferred abroad;
  • the responsibilities and obligations of the parties, as well as the technical and organisational measures to be taken;
  • impacts of the personal information protection policies and regulations of the destination country/region on the performance of the SCC terms;
  • data subjects' rights and how their rights are protected;
  • remedies, termination of contract, liability for breach of contract, and dispute resolution.

The China SCCs share some similarities with the GDPR SCCs.

The approach under the GDPR SCCs in relation to the assessment on the laws and regulations of the destination countries is mirrored in the China SCCs. The EU-US Privacy Shield was invalidated by the EU Court of Justice in July 2020 in the Schrems II case, but the CJEU affirmed the validity of the GDPR SCCs with strict conditions that companies shall verify whether the laws in the destination countries provide adequate protection on personal data on a case-by-case basis. Following the Schrems II judgement, the parties to the SCCs shall carry out a "transfer impact assessment" on the impacts of the destination country's laws and practice, especially the regulations requiring disclosure or authorisation of access to data by public authorities. Similar to the GDPR SCCs, Article 2.7 of the China SCCs requires personal information handlers to assess the possible impacts of personal information protection policies and regulations in the destination countries on the performance of the SCC terms. Article 4 of the China SCCs further lays down multiple factors to be considered, for example, whether the overseas recipient has received any requests from governmental authorities to provide personal information transferred and how the recipient has responded to the authorities.

Notwithstanding the similarities, the China SCCs contain some requirements which are stricter than the GDPR SCCs.

Regarding the onward transfer of personal data by the overseas recipient, the GDPR SCCs allow for onward transfer for legal proceedings, safeguarding the vital interests of data subjects and a couple of other purposes. Onward transfer is generally prohibited under the China SCCs and is allowed only under exceptional circumstances with satisfaction of strict conditions including, among others, obtaining the consent from the affected data subjects, onward transferee's commitment to protect the data subjects and assume joint and several liability, and providing a copy of the onward transfer agreement to the China-based data exporter. It is also important to bear in mind the restrictions under Article 41 of the PIPL that personal information cannot be provided to foreign judicial and enforcement institutions without prior approval from competent Chinese authorities.

In terms of the governing law and dispute resolution, parties to the GDPR SCCs have different options to choose the applicable law to govern their contractual rights and obligations and the dispute resolution mechanism to resolve the disputes arising from their contract, depending on the specific C-C, C-P, P-C and P-P model. The parties under the China SCCs do not have this kind of choice. It is provided in the China SCCs that the governing law for the cross-border data agreement shall be Chinese law and the parties can only choose litigation at a court in China or arbitration at an arbitration tribunal in China or a member state of the 1958 New York Convention.

Procedures for Cross-border Transfer of Personal Information

The following procedures shall be followed in performing the transfer of personal information under the China SCC mechanism:

  • carrying out personal information impact assessment and completing the DPIA report;
  • entering into a cross-border data transfer agreement based on the China SCCs;
  • submitting the signed SCCs together with the DPIA report to the provincial CAC authority within 10 working days after the SCCs become effective.

It appears from the above provisions that the filing with the CAC authority is not a pre-condition for the China SCCs to come into force or for the China-based data exporter to transfer personal data abroad. The provincial CAC authorities are not anticipated to conduct a substantial review and the filing is much more of a formality review. But in practice, if the submitted materials contradict the applicable Chinese laws and regulations or contain any content which clearly contravenes the China SCC requirements, there is a high likelihood that the authority will reject the filing and request rectification from the parties. In addition, this may leave a "black record" for both the China-based transferor and the overseas transferee, causing potential reputational damage and leaving uncertainties for future data transfer activities.

Legal Liability

The SCC Regulations have "teeth" to regulate non-compliance. If a company is caught by the regulators for failing to complete the filing procedures, submitting untrue or false filing materials, or violating the obligations under the China SCCs, the regulators have power to suspend the cross-border transfer. If any of those irregularities constitutes non-compliance with the PIPL, the violator will face penalties and is required to assume other administrative, civil and even criminal liability under the PIPL.

Practical Takeaways

As of today, Chinese regulators have issued multiple draft rules to provide detailed guidelines for implementing the three main data export mechanisms under the PIPL, namely security assessment, protection certification and SCCs. After those rules are finalised and adopted, they will serve as important tools for business entities to conduct cross-border data transfer and also for regulators to supervise cross-border data activities and take enforcement actions against non-compliance.

Compared to other data export mechanisms under the PIPL, the China SCC regime is expected to have obvious advantages because of more foreseeability of contract terms and time/cost efficiency.

The China SCCs share some similarities with the GDPR SCCs, but maintain significant Chinese characteristics. If the China SCCs are finalised in their current form, companies should start mapping their data flows to assess if they are eligible to rely on the China SCCs for cross-border data transfer. If yes, companies should prepare or review/update their data processing agreements in line with the requirements under the China SCCs; if not, they should consider what other mechanisms would be appropriate options for the data export.

In the fast-moving digital era, it is very common for cross-border data transfers to take place both inward and outward. Where an MNC adopts a global data processing agreement based on an international standard for example the GDPR SCCs, how to address the differences between the China SCCs and the GDPR SCCs would be an important issue for many MNCs to consider.

China's data regime evolves at an extremely fast pace. With new international data transfer implementing rules on the horizon, business organisations are highly recommended to pay close attention to the legislative and enforcement developments in China in the field of data protection and cybersecurity and take appropriate compliance actions.

Marta Moretti

Senior Legal Counsel, Europe and New Markets - Senior Director at BeiGene

2 years ago

Aren't the thresholds regarding the volumes of personal and sensitive data exchanged between the parties an obstacle to the collaboration in the scientific/medical research sector?

Christopher Chew

Digital Trust | IAPP Global Vanguard & Advisory Boards

2 years ago

Thank you, Barbara! This is awesome.
