The Chinese SCC is finally coming
The Cyberspace Administration of China (the CAC”) has officially promulgated the final version of the Chinese Standard Contract for Outbound Transfer of Personal Information (the Chinese SCC”) on February 22nd. The SCC is an annex to the Measures for the Standard Contract for Outbound Transfer of Personal Information (the “Measures”). The Measures and the SCC will take effect on June 1st, 2023.
The SCC is a simple and compliant solution companies can chose for cross-border data transfer (for other solutions for cross-border data transfer, see our previous client news under the link). We summarized the takeaways of the Measures and SCC as follows for your better understanding and guidance for cross-border data transfer.
1. Who can sign the SCC?
Companies engaging in cross-border transfer of personal information could sign the Chinese SCC if they fulfill the following conditions:
- it is not a critical information infrastructure operator;
- it processes the personal data of less than one million individuals, calculated since the establishment of the company;
- it has provided overseas recipients with personal data of less than 100,000 individuals in aggregate since 1 January of the previous year (i.e., January 1, 2022); and
- it has provided overseas recipients with sensitive personal data of less than 10,000 individuals in aggregate since January 1 of the previous year (i.e., January 1, 2022).
As an alternative to the SCC, companies fulfilling the above-mentioned conditions could also choose to complete a personal information protection certification from a qualified certification institution designated by the CAC. However, the CAC has not determined such institution yet.
If any of the above-mentioned conditions is not fulfilled, companies should pass the security assessment conducted by the CAC.
2. Can clauses in the SCC be modified?
The clauses in the SCC cannot be modified in general. However, companies can add supplementary clauses into the SCC (as an annex) if such clauses are not in conflict with the SCC. Furthermore, if there are existing contracts contrary to the SCC, the SCC shall prevail. Finally, the CAC always reserves the right to adjust the SCC according to its own discretion.
3. Is there any other document to be prepared by companies?
Besides the SCC, companies should also prepare the personal information protection impact assessment report (the “PIA”) in accordance with Art. 55 and 56 PIPL. The following contents shall be included into the report:
- whether the purpose and method of handling personal information are lawful, legitimate, and necessary;
- impact on personal rights and interests and security risks; and
- whether the protection measures taken are lawful, effective and commensurate with the degree of risks.
4. What to do after signing the SCC?
Companies should submit the signed SCC and the PIA report to the local CAC for a filing within 10 days of the effectiveness of the SCC. Furthermore, companies can only conduct the cross-border transfer of personal information activities upon the effectiveness of the SCC. For the details of the filing procedure, please see the illustration in the annex.
5. How to deal with the existing cross-border data transfer activities before the Measures and SCC?
For previous outbound transfers of personal information, which are not compliant with the Measures, rectification shall be completed within 6 months upon the effective date of the Measures. Thus, companies should sign the SCC with the foreign recipient and fill the signed SCC and PIA at the local CAC until end of November 2023 latest.
6. Which laws shall govern the SCC? And can companies choose?
The Chinese laws shall govern the SCC mandatorily. Companies cannot choose other laws. However, companies could choose the disputes settlement method, arbitration or people’s court.
7. How to deal with the business terms besides the SCC?
In general, cross-border data activities are the result of certain business activities. For instance, the foreign headquarter would provide the CRM, ERP or other systems with the servers located in Europe to its subsidiary in China. Once the subsidiary input the personal information into the system, the data are automatically transferred to Europe. The business terms for the use of the system by the Chinese subsidiary can be subject of a separate intercompany contract (e.g. intercompany service contract), which could be mentioned in the preamble of the SCC as a reference. Whether the business contract mentioned in the preamble shall also be filed at the local CAC together with the SCC is unclear now.
As an alternative, the business terms could be directly added in an annex to the SCC (see No. 2 above).
8. Conclusion
The Measures and SCC surely provide a clearer way for the cross-border transfer of personal information and further supplement the PIPL. Nevertheless, there remains blanks to be filled or details to be clarified when it comes to implementation, e.g., whether the business contracts need to be filed, how to link with the European SCC, how to file at local CAC online or offline and so on. Not only is this a challenge for businesses (especially foreign invested companies), but also a big challenge for local CAC.
Anyway, there are three months away from the effective date of the Measures and SCC and we believe things would be further clarified by then and we will keep you informed and updated as always.
Please do not hesitate to contact us if you are interested in any of these topics and we are excited to discuss it with you!
Beijing, March 23rd, 2023
Annex: