On February 22, 2023, the Cyberspace Administration of China (the "CAC") released the finalized Rules on Standard Contract for Personal Information Outbound Transfer (the "CN SCC Rules"), which will take effect on June 1, 2023. This is the final step in completing the three-way mechanism defined under Article 38 of the Personal Information Protection Law (the "PIPL") for transferring personal information out of China. The other two mechanisms, both rolled out in 2022 before the CN SCC, are the CAC's security assessment and personal information protection certification.

Unlike the CAC security assessment, which is triggered only when the legally defined threshold is met, and the personal information protection certification, which is voluntary, the CN SCC is compulsory for all personal information processors that transfer personal information out of China but do not meet the threshold for security assessment. In other words, when a personal information processor does not need to go through the security assessment, it will be required to use the CN SCC mechanism even if it transfers only one piece of personal information outbound and even if its transfers are only occasional. This last mechanism has the largest impact of the three and will affect virtually all foreign-invested companies in China and all Chinese companies that do international business.

The CN SCC Rules offer a 6-month period for compliance preparation. To comply with the CN SCC filing requirement, personal information processors need to map all scenarios of their outbound transfers of personal information by the Chinese categories of personal information, conduct the PIIA following the Chinese requirements for each scenario, and negotiate with each of their foreign recipients to sign a CN SCC with or without additional terms. This workload may make the 6-month preparation period insufficient.

Therefore, personal information processors that transfer personal information out of China need to start working on their plans for compliance with the CN SCC Rules as early as possible. Otherwise, they may face the potentially huge fines established by the PIPL.

This article gives an overview of the regulatory mechanism of the CN SCC. If you are interested in this topic, please follow us for a series of 3 to 4 short articles about all the things you need to know on the CN SCC.

Conditions Precedent

According to the CN SCC Rules, when a personal information processor does not need to go through the security assessment, it can rely on the CN SCC mechanism to compliantly transfer personal information out of China. A personal information processor will not need to go through the security assessment if it meets all of the following conditions:

  • It is not a CIIO;
  • As of the date of the SCC, it processes the personal information of fewer than 1 million data subjects on a cumulative basis;
  • It processes, on a cumulative basis, the personal information of fewer than 100K data subjects from January 1 of the last year till the date of the SCC; and
  • It processes, on a cumulative basis, the sensitive personal information of fewer than 10K data subjects from January 1 of the last year till the date of the SCC.

The CN SCC Rules prohibit any personal information processor from circumventing the security assessment requirement by using the CN SCC for personal information outbound transfer. The example of circumvention that the CN SCC Rules give is breaking the total data subject headcount into parts.

Mechanism of CN SCC

To adopt the CN SCC mechanism, a personal information processor should go through three steps.

First, it should conduct a personal information impact assessment (the "PIIA") on a case-by-case basis before signing the CN SCC for the personal information outbound transfer. In the PIIA, the personal information processor should mainly evaluate the following factors:

  • The lawfulness, legitimacy and necessity of the purpose, scope, and methods of the processing by both the personal information processor and its foreign recipients
  • The scale, scope, categories, and sensitivity of the personal information transferred outbound, and the risks to the rights and interests of the data subjects due to the outbound transfer of the personal information
  • The obligations assumed by the foreign recipients, and whether their management, technical measures, and capability can effectively safeguard the security of the personal information they receive
  • The risk of the personal information transferred outbound being modified without authorization, sabotaged, leaked, lost, transmitted without authorization, or illegally used
  • The effectiveness of the channels that allow data subjects to claim their rights
  • The impact of the foreign recipients' local data security and protection laws and regulations on performance of the CN SCC

Secondly, the personal information processor should sign the CN SCC with the foreign recipients without any modification. The CN SCC may have other and additional terms in its exhibits, but such terms are not allowed to conflict with the main text of the CN SCC. The draft CN SCC Rules used to provide that other contracts entered into by and between the personal information processor and its foreign recipients relating to the personal information outbound transfer should not be in conflict with the CN SCC. The slight difference is worth noting.

Thirdly, after the CN SCC with the foreign recipients takes effect, the personal information processor should file the executed CN SCC with the provincial CAC office for records. To file for records, the personal information processor should submit both the executed CN SCC and the PIIA corresponding to the CN SCC being filed.

If there is any supplement or amendment to a CN SCC that has been filed, the personal information processor will need to go through the above process again if:

  • The purpose, scope, category, sensitivity, method and storage site of the outbound transfer of the personal information have been changed, or the foreign recipient has changed the purpose and method of processing the personal information transferred outbound or has extended the storage term of the personal information; or
  • The local personal information protection laws and regulations governing the foreign recipients have been changed, or other circumstances have arisen, in a way that may affect the rights and interests of the data subjects in their personal information

The requirement to file the executed CN SCC for records gives the CAC clear visibility of all personal information that has been transferred across the border from China. It apparently goes beyond the EU's practice on its SCC and is a requirement additional to the requirement under Article 38 of the PIPL. Article 11 of the CN SCC Rules explains the purpose of the filing requirement: the provincial CAC office may request a conversation with the personal information processor if it determines from the filing that there is a high risk or a personal information security incident associated with the outbound transfer of the personal information. Therefore, a neat filing can ensure that the CAC will not call for conversations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.