On June 30, 2022, the Cyberspace Administration of China released the long-awaited draft provisions on the Standard Contract for the Cross-border Transfer of Personal Information for public consultation. The deadline to submit comments is July 29, 2022. The draft provisions were circulated pursuant to Article 38 of China’s Personal Information Protection Law, under which the government-approved standard contract is one of the lawful transfer mechanisms available that a personal information processing entity — equivalent to a “data controller” under the EU General Data Protection Regulation — must adopt to transfer personal data outside of China.

In practical terms, the most significant part of the draft provisions is a template standard contract attached to the regulation that is designed to be signed and implemented by parties for cross-border transfers. In an explanatory note, the CAC states China’s SCCs are drafted based on the requirements of the draft provisions, and parties may negotiate additional provisions and attach them as an annex to the template contract. The draft provisions also require the data exporter to file the standard contract with the provincial branch of the CAC within 10 days after the contract is effective, together with a personal information protection impact assessment that must be prepared before the transfer.

In general, China’s SCCs share a number of similarities with the EU SCCs, such as requiring both the data exporter and the overseas recipient to take measures to ensure the security of the transferred personal information and providing third-party beneficiary rights to data subjects. However, a few proposed provisions in China’s SCCs could substantially influence on how companies can implement this mechanism, if at all, for cross-border data transfers outside of China.

Scope and applicability

The EU SCCs is one of several legal mechanisms available under the GDPR that parties may rely upon to ensure the lawful transfer of personal data to a non-EU/European Economic Area country that does not provide an adequate level of personal data protection as compared to EU law. Generally speaking, EU SCCs are available to all controller(s) and/or processor(s) who wish to sign and implement them, provided they can adhere to the provisions in practice. 

In contrast, only certain entities are allowed to rely on China’s SCCs — namely, data exporters that satisfy the following requirements:

• The entity is not a critical information infrastructure operator.
• The entity processes the personal data of less than 1 million individuals.
• The entity has transferred personal data of less than 100,000 individuals on a cumulative basis since Jan. 1 of the previous year.
• The entity has transferred sensitive personal data of less than 10,000 individuals on a cumulative basis since Jan. 1 of the previous year.

Structure

The EU SCCs are designed to provide adequate safeguards for the transfer of personal data outside of Europe in four possible transfer scenarios: controller-to-controller, controller-to-processor, processor-to-controller and processor-to-processor. The relevant obligations for each of these permutations are set out in separate “modules” within certain clauses of the EU SCCs. 

However, China’s SCCs are limited to transfers from a China-based entity to an “overseas recipient,” which does not differentiate the role of the recipient. Accordingly, as the text of China’s SCCs does not differentiate between certain transfer scenarios, there are some ambiguities as to what obligations may apply to another controller or importer outside of China or only to a processer or importer outside of China.

Data breach remediation and notification

Obligations related to data breach notification vary under the EU SCCs depending on the transfer scenario and the level of risk arising from the breach that affects the rights and freedoms of individuals. In the C2C scenario, the data importer has an obligation to notify the competent authority if the breach results in a risk to the rights and freedoms of individuals, but in the C2P scenario, the data importer is not under such an obligation.

By contrast, under China’s SCCs as drafted, the notification obligation is triggered in every breach scenario, regardless of the level of risk. More specifically, in the event of a data breach, the overseas recipient must promptly adopt appropriate remedial measures and immediately inform both the data exporter and regulators. Further, the overseas recipient should notify affected data subjects if required by law. It is unclear from the text of China’s SCCs whether the overseas recipient still has an independent obligation to notify regulators if it only is a processor-importer outside of China. Notably, China’s SCCs specify the data exporter should bear the burden of notifying affected data subjects if the overseas recipient is a processor.

Onward transfers

Under the EU SCCs, an “onward transfer” refers to further disclosure of personal data by the data importer to another third party outside the EU. The data importer is prohibited from carrying out the onward transfer unless it meets certain conditions, such as entering into a binding instrument with the third party in the C2C scenario.

China’s SCCs, by contrast, have stricter restrictions on carrying out onward transfers. Overseas recipients are not allowed to disclose personal data to third parties located outside of China unless the following requirements are met:

• There are real and legitimate business needs to provide personal data.
• The overseas recipient has informed the data subjects about the third-party recipient, and separate consent has been obtained. Note: It seems the obligation to obtain separate consent is imposed on the overseas recipient, although China’s SCCs allow the overseas recipient to notify the data exporter and request assistance if it is difficult for them to obtain separate consent from data subjects.
• The overseas recipient has entered into a written agreement with the third party to implement the same level of personal data protection.
• The overseas recipient has provided the data exporter with a copy of the agreement.

Supervision and request from the regulators of destination

The EU and China’s SCCs require the data importer to submit to the competent authority's jurisdiction. China’s SCCs further specify the overseas recipient must agree to be subject to the supervision of regulators in China, which refers to the CAC and its provincial branches, including cooperating with inspections. This includes complying with the measures taken or decisions made by the regulator and providing documented evidence that the necessary actions have been taken. 

Unlike the C2C and P2C scenarios under the EU SCCs, which clarify how a data importer as a controller should respond to legally binding requests or demands from foreign authorities in the country of destination, China’s SCCs do not specifically address this issue. As a result, it is unclear whether responding to governmental requests for transferred personal data to foreign authorities would be considered an “onward transfer” under China’s SCCs, and if so, what the overseas recipient must do to satisfy relevant requirements.

Looking forward

Considering the Measures for the Security Assessment of Cross-border Data Transfer, which provides details regarding the lawful transfer mechanism — the CAC-led security assessment, goes into effect Sept. 1, 2022, the draft provisions will likely be finalized soon, maybe in fall 2022. Companies not subject to the CAC-led security assessment should closely follow the developments of the draft SCCs and consider if changes are needed to existing contractual arrangements, e.g., intra-group data transfer agreement and vendor agreement, considering China's SCCs.