On 24 February 2023, the Cyberspace Administration of China ("CAC") promulgated the Measures for the Standard Contract for the Export of Personal Information ("Measures"), which come into force on 1 June 2023, to which the Personal Information Export Standard Contract ("Chinese SCCs") was attached.

This Special Edition Newsletter will provide readers with an overview of the Chinese SCCs. It focuses on the following:

  • When and how the Chinese SCCs can be used;
  • Helping readers to understand the Measures;
  • Similarities and differences with the GDPR Standard Contract; and
  • Important and noteworthy clauses in the Chinese SCCs.

I have also attached a copy of the Chinese SCCs for reference purposes.

I hope that you find this Special Edition Newsletter helpful.

A QUICK GUIDE TO CHINESE SCCs

When can the Chinese SCCs be used?

A company can only choose to sign the Chinese SCCs if:

  • It is not a critical information infrastructure operator ("CIIO");
  • It processes the personal information of less than one million individuals;
  • It has provided personal information of less than 100,000 individuals in aggregate to overseas recipients since 1 January of the previous year; and
  • It has provided sensitive personal information of less than 10,000 individuals in aggregate to any overseas recipients since 1 January of the previous year.

If any of the above conditions are not met, a company must apply to the Cyberspace Administration of China ("CAC") for data export security assessment, and it cannot choose to sign the Chinese SCCs.

Necessary steps to implement the Chinese SCCs

For those who can sign Chinese SCCs to legitimise their outbound data transfers, the following steps are necessary:


Step 1: Outbound Data Transfer Mapping.

This is a necessary step to understand the purpose, scope, type, quantity, sensitivity, scale and method of personal information processing by the personal information processor and the overseas recipient.

Step 2: Personal Information Protection Impact Assessment ("PIPIA").

A PIPIA is required before the personal information processor transfers personal information to any overseas recipient. A PIPIA report also needs to be filed with the government.

Step 3: Finalising the SCCs between the personal information processor and the overseas recipient.

The parties cannot change the terms of the Chinese SCCs. However, the parties will need to fill in certain information concerning intended outbound data transfers, such as: the purpose and method of processing, the scale of personal information involved, types of personal information and sensitive personal information, overseas storage period and storage location.

Step 4: Filing the signed SCCs and the PIPIA report with the government.

The signed SCCs and a completed PIPIA report need to be filed with the provincial Cyberspace Administration of China within ten (10) working days after the signed SCCs take effect.

When do companies need to complete the above steps?

The regulations governing the use of Chinese SCCs will come into force on 1 June 2023. They provide a 6-month grace period for past and current outbound data transfers. This means that companies will need to complete the above steps by 30 November 2023.

CHINESE SCCs: A CLAUSE BY CLAUSE ANALYSIS

On 24 February 2023, the Cyberspace Administration of China ("CAC") promulgated the Measures for the Standard Contract for the Export of Personal Information ("Measures"), which come into force on 1 June 2023 ("Effective Date"), and to which the Personal Information Export Standard Contract ("SCCs") was attached.

The SCCs only apply to relevant cross-border transfers of personal information by personal information processors that have:

  • not been identified as critical information infrastructure operators;
  • transferred less than 100,000 individuals' personal information since 1 January in the previous year;
  • transferred less than 10,000 individuals' sensitive personal information since 1 January in the previous year; and
  • processed the personal information of less than 1 million individuals in total.

Relevant cross-border transfers of personal information initiated after the Effective Date must use the SCCs, while the parties to relevant cross-border transfers initiated before the Effective Date will have a six-month grace period to make new arrangements involving the SCCs. Under the Measures, the SCCs must be strictly adhered to and registered with the authorities within ten working days of signing.

Overview

The SCCs contain only nine articles and two appendices, which cover all data export scenarios because they focus on exporters and recipients rather than on different processing relationships. In Chinese, the SCCs (and their appendices) run to only 18 pages (with multiple line spacing and size 14 font), which makes them much more condensed than their EU counterpart, i.e. the SCCs under the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").

Article 1 - Definitions

Article 1 contains eight key definitions, namely:

  • personal information processor;
  • overseas recipient;
  • party and parties;
  • personal information subject;
  • personal information;
  • sensitive personal information;
  • Chinese regulators; and
  • relevant laws and regulations.

The meanings of undefined terms are expressly stated to be 'consistent with the meanings stipulated in the relevant laws and regulations'.

Article 2 - Obligations of personal information processors

The obligations of personal information processors are provided in Article 2 and consist of the following:

  • exporting only the necessary amount of data and doing so in accordance with the law;
  • informing the personal information subject of the particulars of the overseas recipient and the processing that will occur overseas (subject to exceptions);
  • ensuring that appropriate consent is in place where consent is the legal basis of processing - where minors under 14 are involved, consent should be obtained from their parents or guardians;
  • recognising that the personal information subject has rights as a third-party beneficiary under the SCCs;
  • ensuring that the foreign recipient will take certain technical and management measures to protect the personal information;
  • providing the foreign recipient with copies of Chinese legal provisions and technical standards, whereby it is unclear if this would include a requirement to provide translations;
  • responding to Chinese regulators' inquiries about overseas recipient's processing activities;
  • conducting a personal information protection impact assessment in relation to the export of personal information, including the risks that the personal information will be exposed to from the general, cybersecurity, and legal environment of the country where the overseas recipient is based;
  • providing a copy of the executed SCCs to a personal information subject upon request; and
  • providing Chinese regulators with information, including the results of all compliance audits.

Article 3 - Obligations of overseas recipients

The obligations of overseas recipients are provided in Article 3. It is worth noting that several items in this article differentiate between the roles of the overseas recipients, i.e. as an independent personal information processor or as an entrusted processor, and stipulate different legal obligations for each role, including:

  • not processing personal information beyond any consent given or the scope agreed in the SCCs;
  • providing a copy of the executed SCCs to a personal information subject upon request;
  • processing personal information in a way that has the least impact on personal rights and interests;
  • conforming to relevant retention periods and deleting personal information if any relevant contract of entrusted processing is not in effect, invalid, revoked, or terminated; where information is technically difficult to delete, all such processing must stop except for storage and necessary safety precautions;
  • implementing technical and management measures, along with imposing confidentiality obligations and access controls on authorised personnel to ensure the security of personal information;
  • taking remedial measures, notifying the personal information processor, notifying personal information subjects (when required), reporting data breaches to Chinese regulators, and documenting all circumstances related to data breaches;
  • only making onward transfers outside of China when certain conditions exist, including a genuine business need, the personal information subject having been informed of the transfer (subject to exceptions), ensuring that appropriate consent is in place where consent is the legal basis of processing, imposing certain contractual conditions on onward recipients, assuming liability for the personal information rights infringement of onward recipients, providing copies of agreements with onward recipients to the personal information processor, obtaining consent from the personal information processor for sub-processing, and supervising such sub-processors;
  • ensuring that automated decision-making is transparent, just, and fair;
  • providing evidence of compliance and allowing audits;
  • keeping objective records of processing, retaining such records for more than three years, and providing such records to Chinese regulators when legally required; and
  • accepting the supervision and management of Chinese regulators, including cooperation with enquiries, inspections, and decisions.

Article 4 - The impact of policies and regulations on the protection of personal information in the country or region of the overseas recipient on the performance of the contract

Article 4 requires the parties to work together to conduct due diligence on the likely impact of the personal information destination on the performance of the contract. Some might consider such an exercise to be a transfer impact assessment covering several factors related to the personal information, the overseas data recipient, and the personal information destination.

Article 4 also provides that, where changes occur in the policies and regulations of the overseas recipient's country or region, or the government or judicial authorities of the country or region seek access to the personal information, notice must be given to the personal information processor immediately.

Article 5 - Rights of the personal information subject

All personal information subject rights recognised by the law are listed in Article 5. However, the personal information subject may also request assistance from the personal information processor or the overseas recipient to realise their rights against the overseas recipient. Where overseas recipients refuse to comply with requests from personal information subjects, they should provide reasons.

The specific third-party beneficiary rights of personal information subjects are also expressly stated in this section. Generally, only rights that the personal information processor and the overseas recipient would typically exercise against one another are excluded here.

Article 6 - Relief

Article 6 requires the overseas recipient to specify a contact person for inquiries and complaints and to provide such information concisely and easily through a separate notice or on its website.

The parties are expected to communicate and cooperate to resolve any disputes with the personal information subject. Where disputes cannot be resolved amicably, the overseas recipient is expected to accept the right of the personal information subject to complain to the Chinese regulator and file a lawsuit. The personal information subject may elect the 'relevant laws and regulations of the People's Republic of China if he or she so chooses'.

Article 7 - Cancellation of contract

If the overseas recipient violates its obligations under the SCCs, or if there are changes in the personal information protection policies and regulations of the overseas recipient's country or region, resulting in the overseas recipient's inability to perform its obligations, the personal information processor may suspend the provision of personal information to the overseas recipient until the violation is corrected.

The personal information processor may suspend the contract and notify the Chinese regulators where:

  • a suspension of personal information transfers lasts for more than one month;
  • compliance with the SCCs would violate the laws of the overseas recipient's country or region;
  • the overseas recipient is in material or persistent breach of the SCCs;
  • the overseas recipient breaches the SCCs according to the final decision of a competent court or regulator with jurisdiction over the foreign recipient; and
  • the contract is cancelled by mutual consent.

The overseas recipient must delete or return all personal information processed under the SCCs unless this is difficult to achieve, in which case processing should cease except for storage, and necessary safety measures should be taken.

Article 8 - Liability for breach of contract

The parties are liable to one another for any harm resulting from a breach of contract. The personal information subject can request either or both parties to assume liability for violating the personal information subject's rights. Where a party assumes more than its share of liability, it can seek to recover from the other party.

Article 9 - Other

Article 9 provides that the SCCs are to prevail in a conflict with any other legal document entered into by the parties. It is unclear how such provisions would interact with the standard contracts of other jurisdictions. It also states that Chinese law applies to the formation, validity, performance, and interpretation of the SCCs, and any dispute related to the SCCs between the parties.

Boilerplate provisions for notices under the SCCs are included. They require the inclusion of contact details by the parties.

The jurisdiction clause within Article 9 is interesting because it gives the parties the option to select a forum for resolving disputes, which includes arbitral tribunals outside of China in countries that are parties to the New York Convention. How this will work in practice remains to be seen.

An interpretation clause provides that the SCCs must be interpreted in accordance with laws and regulations, and not in any way that contradicts the rights and obligations under such laws and regulations. This could perhaps be regarded as a purposive approach to contractual interpretation.

Appendix 1

This contains the details of the personal information export, including the purpose and methods of processing, the scale of personal information, the types of personal information as classified by the Information Security Technology - Personal Information Security Specification (GB/T 35273-2020), permitted onward recipients, mode of transmission, retention period, overseas storage location, and other matters.

Appendix 2

This is reserved for 'Other matters agreed by the parties'.

Conclusions

Companies engaged in relevant cross-border data transfers will need to incorporate the SCCs into their data transfer arrangements. We advise companies to tackle the adoption of the SCCs early on to avoid problems later, such as overseas recipients refusing to use the SCCs. Such issues could cause business disruption for some companies if they unsuccessfully try to address them towards the end of the grace period.
