The Cyberspace Administration of China released for public consultation its long-awaited template for the cross-border data transfer agreement on June 30, 2022, under the draft Provisions on the Prescribed Agreement on Cross-border Data Transfer. The consultation period ends July 29, 2022.
Before the release of the draft Provisions on the Prescribed Agreement on Cross-border Data Transfer (Draft Provisions), the “standard contract” was widely recognized as one of the most practical routes for cross-border data transfers under the Personal Information Protection Law, because it is easier to implement than the alternatives, given the uncertainty of a security assessment or of having both parties to the cross-border data transfer certified by the Chinese government. The draft China Standard Contractual Clauses (Draft China SCCs) supplement and substantiate the “standard contract” route and would certainly become essential guidance for multinational corporations’ (MNCs’) data privacy compliance in China.
The Draft China SCCs closely resemble the EU SCCs, but also reflect the particulars and focus of China data privacy supervision. MNCs may want to review their cross-border data transfer workstreams based on the regulatory trend reflected in the Draft Provisions, and make proper adjustments to the existing compliance measures if they were established mainly in accordance with the EU General Data Protection Regulation (GDPR). This LawFlash examines the Draft Provisions and summarizes noteworthy points.
In accordance with the Draft Provisions, the Draft China SCCs would be applicable only when all of the following conditions are met:
The above threshold is generally aligned with the draft Measures on Security Assessment of Overseas Data Transfer (Measures on Security Assessment) released on July 7, 2022. If any of the abovementioned conditions is not met, the Measures on Security Assessment would apply, which means the transfer would be subject to a government-led security assessment. In this situation, neither the SCCs nor the certification can be used in lieu of a security assessment. Compared with the EU SCCs, the Draft China SCCs seem to be applicable in relatively limited scenarios.
Though the Draft Provisions set a two-year limitation on the cumulation period, for many data-heavy industries, e.g., retail, transportation, medical, and online business-to-consumer services, the thresholds of 1 million, 100,000, and 10,000 individuals seem fairly low considering China’s population, especially since the calculation would be conducted at the enterprise level regardless of business scenario.
In addition, for MNCs with large China operations employing more than 10,000 employees, the cross-border transfer of such employees’ personal information also may not be able to use the Draft China SCCs, because the personal information to be transferred outside China normally would include sensitive personal information. Therefore, it is likely that many companies will not be able to pursue the SCC route in practice and will still be subject to security assessments for cross-border data transfers.
In addition to the limitation in terms of data volume, parties to the Draft China SCCs are also limited to a Data Handler and the overseas data recipient; however, it seems that China-based entrusted parties (essentially equivalent to “data processors” under the GDPR) will be unable to rely on this mechanism.
That said, there is overlap between the SCC, the security assessment, and the certification routes for cross-border data transfers.
In particular, the Measures on Security Assessment also require a contract between the data handler and the overseas data recipient as part of the documentation to be filed with the authority. The content requirements for such a contract largely overlap with the Draft China SCCs. As such, for data transfers subject to the security assessment, companies may also refer to the Draft China SCCs to formulate the data transfer agreement required for the security assessment.
On the other hand, the Cyber Security Standard Practical Guidance – Security Certification Specification on Cross-border Transfer of Personal Information (Certification Specification), issued on June 24, 2022, likewise proposes that a binding agreement for cross-border data transfers would be necessary for obtaining the personal information protection certification.
China adopts a supervision method of a “combination of willful agreement and filing” for the Draft China SCCs. Prior approval is not required for the Draft China SCCs. Instead, the Draft Provisions require that the PI Handler file its use of the template agreement with the Cyberspace Administration of China’s (CAC’s) local branch at the provincial level within 10 working days after the effective date of the prescribed agreement.
Correlating with the Personal Information Protection Law (PIPL), the Draft Provisions reiterate that the report of personal information transfer impact assessment must also be filed with the local CAC along with the signed China SCCs. In contrast, the European Union does not require filing of SCCs.
Filing is not the same as approval: the CAC would not conduct a substantive review of the SCCs and the transfer impact assessment report, nor reject the proposed data transfer at the filing stage.
However, the Draft Provisions leave sufficient room for post-filing supervision: the local provincial-level CAC is entitled to suspend the overseas transfer of personal data if it discovers that the actual transfer does not comply with the relevant cross-border data transfer rules. Alternatively, when a violation of the filing requirements is identified, the CAC would order rectification within a time limit; impose penalties if the PI Handler or the overseas recipient refused to rectify or if harm to PI-related rights and interests were caused; or pursue criminal liability, if the conduct constitutes a crime.
Articles 55 and 56 of the PIPL introduce the concept of a personal information protection impact assessment (PIPIA, which is similar to a data protection impact assessment (DPIA) under the GDPR) and set forth several common items that will be assessed in every PIPIA scenario: (1) the legality, legitimacy, and necessity of the purpose, scope, and method of the personal information (PI) processing; (2) the risks that PI export may bring to PI-related rights and interests; and (3) the legality and effectiveness of the protective measures and whether they correspond to the level of risk.
Correlating with the PIPL, the Draft Provisions specify the additional items to be assessed in a PIPIA in the scenario of a cross-border data transfer: (1) the responsibilities and obligations that the overseas recipient commits to undertake, and whether its management and technical measures and capabilities for fulfilling the responsibilities and obligations can ensure the security of the PI to be exported; (2) the risks of leakage, damage, tampering, and abuse, etc. after the cross-border transfer; and (3) the impact of the PI protection policies and regulations of the country or region where the overseas recipient is located on the performance of the Draft China SCCs.
According to the Draft Provisions, the PIPIA should be conducted before transferring personal information abroad. As such, no matter which route the data exporter decides to take for cross-border data transfer (e.g., security assessment, certification, SCC), a PIPIA should be a precondition step.
It is noteworthy that the PIPIA items required for cross-border data transfers echo the evaluation factors required for self-evaluation under the Measures on Security Assessment. However, for the latter case, more emphasis is placed on the impact on national security, public interests, and legal rights of individuals and organizations.
The Draft China SCCs mainly require the following provisions:
In general, the Draft China SCCs are akin to the EU SCCs to an extent. Unlike the EU SCCs, which distinguish between controller-to-processor and controller-to-controller transfers, the China SCCs adopt a single module and include many provisions that resemble the controller-to-processor module of the EU SCCs.
According to the Draft Provisions, one of the PIPIA factors is whether laws in other jurisdictions will impact the performance of the Draft China SCCs.
This point is also reflected in Article 4 of the Draft China SCCs. Such consideration originated from the European Court of Justice’s recommendation in Schrems II that the parties to a transfer verify on a case-by-case basis whether the “law of the third country of destination ensures adequate protection . . . of personal data transferred pursuant to the standard data protection clauses.” For that purpose, data exporters from the European Union are required to conduct a transfer impact assessment (TIA) to review all transfers of personal data to non-EU countries and to implement adequate safeguards.
The counterpart clause in the Draft China SCCs could be regarded as a simplified TIA. It remains to be seen how it would be implemented after the Draft Provisions roll out in China, e.g., whether a local counsel’s opinion would be required for the China TIA.
The Draft China SCCs require the parties to specify the technical and management measures to be taken to mitigate the risks of cross-border data transfer, enumerating several common methods as examples, including encryption, anonymization, de-identification, and access control. In this regard, the EU SCCs contain counterpart provisions. Companies may refer to the explanatory description of safeguard measures in Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, released by the European Data Protection Board.
The Draft China SCCs restrict an overseas data recipient from onward-transferring data to third-party organizations and individuals located outside of China, unless all of the following conditions are met: (1) there is an actual business need; (2) the data subject is informed and separate consent is obtained; (3) the overseas recipient enters into a contract with the third party, and the third party meets the standard of equivalent protection and would assume joint liability; and (4) a copy of the agreement with the third party is provided to the Data Handler.
In addition, the Draft China SCCs require identification of such overseas third party. However, this may face some practical obstacles as sometimes the foreign recipient may not be able to forecast the onward transfer needs, let alone the identity of the second-tier recipients.
The release of the Draft Provisions and Draft China SCCs is the third in a series of recent steps to clarify the cross-border data transfer regulatory mechanism. Before that, China released the Measures on Security Assessment and the Certification Specification, which addressed the other two routes for cross-border data transfers: security assessment and certification, respectively. The Draft China SCCs are therefore the final piece of the puzzle.
Given that the Draft China SCCs are arguably the simplest route for conducting cross-border data transfers, the guidance is welcomed by most companies. However, companies planning to take this route should be aware of the narrow application scope and the various uncertainties inherent in the Draft Provisions and SCCs; for example, whether an SCC remains valid once the cumulative number of individuals whose personal information is transferred reaches the threshold for security assessment, and how much room there is to negotiate the Draft China SCCs when foreign data recipients refuse to accept some of the provisions, such as audit cooperation.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: