Eight months after the issue of the draft version of China's standard contract for cross-border transfer of personal information ("China SCC"), on February 24, 2023, the Cyberspace Administration of China ("CAC") officially released the final version, together with the Measures for Standard Contract of Cross-border Transfer of Personal Information ("Measures", 《个人信息出境标准合同办法》 in Chinese).

The Measures, with China SCC attached, will come into force on June 1, 2023, the sixth anniversary of the implementation of the Cybersecurity Law of the People's Republic of China. A six-month grace period is provided: according to the Measures, if personal information ("PI") export activities carried out before the implementation of the Measures do not conform to the requirements thereunder, rectification shall be completed within 6 months from June 1, 2023. This alert introduces the Measures from a practical perspective for reference by enterprises, especially multinationals, with needs for international PI transfer.

I. Application Scope

According to the Measures, a PI handler (basically equivalent to data controller under the GDPR) could provide PI outside of China by entering into the China SCC with the overseas recipient, provided that all of the following conditions are met:

(1) the PI handler is NOT a critical information infrastructure operator;

(2) the PI handler has processed PI of LESS THAN 1 million people;

(3) the PI handler has NOT provided abroad PI of MORE THAN 100,000 people accumulatively since January 1st of last year; and

(4) the PI handler has NOT provided abroad sensitive PI of MORE THAN 10,000 people accumulatively since January 1st of last year.

Such application scope corresponds to that of the security assessment stipulated under the Security Assessment Measures for Cross-border Data Transfer. That means, if any of the above conditions is not satisfied, the mandatory assessment will be triggered.

It is worth noting that compared with the draft version, the final version further stipulates that "PI handler shall not resort to quantitative splitting or other means to provide PI overseas that is legally required to pass a cross-border transfer security assessment by entering into a SCC".

II. Terms of China SCC

In general, China SCC mainly includes nine sections regarding (1) the relevant definition and basic elements of the contract; (2) contractual obligations of the PI handler and the overseas recipient; (3) the impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of the contract; (4) the rights and related remedies of the PI subject; and (5) the termination of the contract, liability for breach of contract, dispute resolution and other matters.

Meanwhile, two appendices are provided: one is for filling in the basic information of the transfer of PI, such as the purpose, method of processing, the categories of PI to be exported, location of storage and retention period, etc., and the other is for adding other terms agreed upon by both parties. Notably, the terms of China SCC cannot be changed, and any other terms that the PI handler may agree with the overseas recipient shall not conflict with the terms of China SCC.

Unlike the EU SCCs, which have four modules based on the roles of data provider and recipient, China SCC adopts a one-stop structure. This does not mean that China SCC ignores the issue altogether, since in the specific terms, the obligations of the "entrusted party" (which is akin to a data processor under the GDPR) are mentioned separately. For example, the consent of the PI handler shall be obtained when the entrusted party re-entrusts a third party (i.e. sub-processor) to process PI; and the obligations to report (to the authority) and to notify (PI subjects) shall be borne by the PI handler, rather than the entrusted party, when security incidents such as a data breach occur.

Compared with the draft version, the final version adds an obligation of the overseas recipient, that is, the overseas recipient shall immediately notify the PI handler if it receives the request of the government department or judicial institution of the country or region where it is located regarding the provision of PI under such China SCC.

III. Filing System

Same as the draft version, according to the Measures, the PI handler (provider) should file with the local provincial-level cyberspace administration within 10 working days from the date the standard contract takes effect, submitting the standard contract signed and the personal information protection impact assessment ("PIPIA", which is similar to DPIA under the GDPR) report.

But notably, filing is not a prerequisite for the export of PI, as it could be carried out after the standard contract takes effect.

IV. How to Conduct PIPIA?

Echoing Articles 55 and 56 of the Personal Information Protection Law of the People's Republic of China ("PIPL"), the Measures specify the factors to be assessed when conducting a PIPIA with respect to the scenario of cross-border transfer of PI:

(1) the legality, legitimacy and necessity of the purpose, scope and method of the PI processing by the PI handler and the overseas recipient;

(2) the quantity, scope, category, and sensitivity of the PI to be exported, and the risks that PI export may bring to the PI related rights and interests;

(3) the responsibilities and obligations that the overseas recipient commits to undertake, and whether its management and technical measures and capabilities for fulfilling the responsibilities and obligations can ensure the security of the PI to be exported;

(4) the risks of falsification, damage, leakage, loss and illegal use, etc. after the cross-border transfer, and whether the channels for individuals to maintain their PI related rights and interests are smooth;

(5) the impact of the PI protection policies and regulations of the country or region where the overseas recipient is located on the performance of the standard contract; and

(6) other matters that may affect the security of PI going abroad.

V. Re-signing of China SCC

The Measures specify in Article 8 that, if any of the following circumstances occurs during the validity period of the contract, a new PIPIA shall be conducted, and China SCC shall be re-concluded and filed with the authority:

(1) changes in the purpose, scope, type, sensitivity, manner, and place of storage of PI provided abroad or in the use or manner of processing PI by the overseas recipient, or extension of the storage period of PI abroad;

(2) changes in the policies and regulations on the protection of PI in the country or region where the overseas recipient is located, etc. that may affect the PI related rights and interests; or

(3) any other circumstances that may affect the PI related rights and interests.

VI. Legal Liability

Pursuant to the Measures, any violation of the Measures shall be dealt with in accordance with the PIPL and other relevant laws and regulations; and if a crime is constituted, criminal liability shall be pursued accordingly.

Meanwhile, a new provision in the final version provides that if the Cyberspace Administration at or above the provincial level finds that there is a greater risk in the PI export activities, or that a PI security incident has occurred, it may conduct an interview with the PI handler in accordance with the law. The PI handler shall then make rectification.

VII. Looking Forward

Along with the release of the official version of China SCC, China's cross-border PI transfer regime is finally established, as the security assessment and certification approaches for international PI transfer have been implemented so far.

Compared with the security assessment and the PI protection certification, which require the substantive intervention of a third party (competent authority or certification agency), the standard contract is a relatively easy way and is probably the most widely adopted approach for international PI transfer, though the filing procedure must still be followed. As such, it is recommended that enterprises, especially multinationals, with needs for international PI transfer prepare for the implementation of the Measures by assessing the applicability of China SCC and conducting a PIPIA during the grace period.
