On February 24, 2023, the Cyberspace Administration of China released the Standard Contractual Measures for the Transfer of Personal Information Overseas and the corresponding Standard Contractual Clauses (“China SCCs”), which will take effect on June 1, 2023.
The release of the new SCCs is an important development in China’s efforts to ensure that transfers of personal information from China to other countries are carried out in a secure and privacy-respecting manner, in accordance with the requirements of the Personal Information Protection Law (“PIPL”). Accordingly, an organization engaging in the transfer of personal information outside of China is required to adopt one of three transfer mechanisms. Organizations exporting large amounts of information, including sensitive information, are required to undergo a security assessment organized by the Cyberspace Administration of China (“CAC”). Organizations transferring information to overseas subsidiaries or affiliated companies may obtain a Personal Information Protection Certification from a specialized body.
Beginning in June 2023, organizations that do not meet the criteria for the two mechanisms above can leverage the China SCCs as a valid mechanism to transfer information outside China, provided they meet the requirements enumerated in the Measures for the Transfer of Personal Information Overseas (i.e., be a non-critical information infrastructure operator and not cross the thresholds for processing personal information or the threshold for transferring personal/sensitive information abroad).
Background
PIPL governs the processing of electronic or otherwise recorded personal information relating to an identified or identifiable natural person, where the processing takes place within China’s borders, or outside the territory of China if it involves the personal information of natural persons within the territory of the People's Republic of China. It provides protections for the rights of individual natural persons (“data subjects”) whose personal information is being processed, and corresponding obligations for personal information processors, defined as organizations and individuals that independently determine the purposes and means of processing personal information (PIPL, art. 73). The obligations under the law extend to entrusted persons (or data processors) to the extent that such persons may handle personal information on behalf of a personal information processor, for a specific purpose, and for the duration stipulated in an agreement between the parties (PIPL, art. 21).
The China SCCs are an extension of the PIPL. In substance, the China SCCs outline the rights and obligations of the exporting organization (“exporter”) and the organization receiving the information (“overseas recipient”) with respect to any transferred personal information and provide safeguards for personal information transferred overseas by requiring the overseas recipient to comply with China’s privacy laws. To a certain extent, the China SCCs share similarities with the EU SCCs. However, there are notable distinctions. In this blog post, we highlight some of the most notable aspects of the China SCCs.
Obligations of the Exporter
Unlike the EU SCCs, which are modular and outline obligations depending on the relationship between the exporter and the importer, the China SCCs take a different approach. The China SCCs set out the obligations of the exporter and the overseas recipient generally, in a single template, without specifically addressing obligations according to each party's role and function.
According to the China SCCs, when transferring personal information, the exporter must comply with any requirements of notice to data subjects and consent for international transfers, if applicable. Additionally, the exporter is expected to make reasonable efforts to ensure that the overseas recipient undertakes technical and management measures to safeguard the personal information, provide any required documentation to the overseas recipient or the data subjects, and respond to regulatory agency requests.
Most notably, the exporter is required to conduct personal information impact assessments prior to transferring information outside of China. The assessment should evaluate several aspects surrounding the transfer, such as:
- The legality, legitimacy, and necessity of the processing;
- The scale, scope, and sensitivity of information, as well as the potential risks to the personal information and individuals;
- The obligations and capability of the overseas recipient to safeguard the personal information; and
- The impact of the local laws and regulations in the performance of the contract.
Obligations of the Overseas Recipient
Overseas recipients are expected to process personal information in accordance with the terms of the China SCCs and not exceed the agreed scope of processing unless separate consent is obtained from the personal information subject (if applicable). Further, to safeguard personal information, the overseas recipient is required to adopt technical and administrative measures, limit access to the information on an as-needed basis, comply with the obligations to notify in the event of a data breach, and undertake appropriate remedial measures.
When processing personal information as an entrusted party, the overseas recipient must adhere to the processing purpose and methods agreed upon with the exporter, paying particular attention to the requirements of minimization, purpose limitation, retention, and deletion. In addition, the China SCCs impose stricter requirements for further transfer of personal information to a third party outside China, obliging the overseas recipient to:
- Determine that a business need for the further transfer exists;
- Comply with the requirements of notice and consent to data subjects;
- Conclude required agreements with such third parties;
- Obtain consent of the personal information processor; and
- Confirm that the third parties agree to have their performance monitored in compliance with the contractual clauses.
Rights of Data Subjects and Private Right of Action
As outlined in the China SCCs, data subjects enjoy certain individual rights as guaranteed by PIPL. Though the exporter is primarily responsible for complying with individual requests, the overseas recipient is obligated to assist with responding to such requests, when applicable.
Additionally, the China SCCs recognize data subjects as third-party beneficiaries, and as such data subjects are entitled to directly seek performance of particular obligations by the parties to the SCCs. Data subjects may exercise a private right of action against the overseas recipient, and have their complaint handled by a regulator, or resolved by an applicable court in accordance with the applicable laws in China.
Transfer Impact Assessment, Liability, and Enforcement Under China SCCs
As with the EU SCCs, there is concern about interference with the overseas recipient’s ability to perform its duties under the China SCCs. As such, parties are required to conduct a transfer impact assessment evaluating the legislation and practices in the country where the overseas recipient is located to confirm that their performance under the contract will not be affected. This includes conducting necessary assessments of factors related to the processing of personal information, any relevant prior practices, and applicable laws and regulations, as well as the existence of effective mechanisms and remedies for data subjects.
According to the China SCCs, both parties are liable for breach of the contractual clauses. Additionally, parties bear civil legal liability towards individual data subjects if they infringe upon their individual rights. If both parties are jointly liable, the data subject may seek relief from either or both parties.
Lastly, it should be noted that by default the contract shall be governed by the laws of China and, unlike in the case of the EU SCCs, parties will not be able to choose the governing law. Similarly, parties may elect to settle their disputes either through arbitration or litigation, which shall be conducted in China in accordance with Chinese law.
Next Steps
As we approach the effective date, organizations that do business in China should take several steps to prepare for the changes, including:
- Evaluate and confirm the Standard Contractual Clauses are the appropriate transfer mechanism and conduct the required assessments.
- Conclude the SCCs and file with the appropriate authority within the required time.
Octillo will continue to monitor further developments regarding transfer of personal information outside China and the implementation of the China SCCs and provide updates accordingly. Our team of experienced attorneys helps businesses assess their data transfer practices and develop comprehensive international data transfer strategies. If you have any questions about the China SCCs or other mechanisms for transferring personal information outside China, reach out to a member of our team.