China's laws protecting personal data were recently updated with the announcement of two new Standard Contractual Clauses (SCCs). These are known as the SCC Measures and SCC Guidelines, and they are part of China's efforts to protect privacy along the lines of the EU's GDPR (General Data Protection Regulation).

SCC Measures

On 24 February 2023, the National Internet Information Office of China issued the Measures for Standard Contracts for the Exit of Personal Information (SCC Measures). These regulations conform to Article 38 of the Personal Information Protection Law (PIPL).

The SCC Measures govern the cross-border transfer of personal information from China to overseas recipients, specifying the terms, conditions, and filing requirements for standard contracts. The new rules come into effect on 1 June 2023 with a six-month grace period, meaning companies have until 30 November 2023 to ensure their data-transfer activities comply.

SCC Guidelines

On 30 May 2023, the Cyberspace Administration of China (CAC) published the Guidelines for Recording Standard Contracts for Exporting Personal Information (SCC Guidelines). This came into effect simultaneously with the SCC Regulations on 1 June 2023 with the same six-month grace period.

The SCC Guidelines require personal information processors to provide specific information when submitting a standard contract, including a unified social credit code certificate, a legal representative's ID card, a signed power of attorney template, a letter of commitment, the standard contract, and a completed Personal Information Protection Impact Assessment (PIPIA). Templates for each of these documents are provided in the SCC Guidelines.

Businesses providing personal information to overseas parties through standard contracts must meet the following criteria:

  • Not an operator of critical information infrastructure
  • Handle fewer than one million individuals' personal data
  • Provided fewer than 100,000 individuals' personal data to overseas recipients since 1 January of the preceding year
  • Provided fewer than 10,000 individuals' sensitive personal data to overseas recipients since January 1st of the preceding year

If you have any questions about the new SCC Regulations and Guidelines, feel free to get in touch. Acclime can always help you keep up with the latest developments in staying compliant and safeguarding your data in China.