China's Standard Contract, also known as Standard Contract Clauses (SCCs), is a legal instrument that enables multinational corporations (MNCs) to transfer personal data from China to other countries or regions. It is one of the three legal mechanisms for cross-border data transfer under Chinese data protection laws. A security assessment conducted by the Cyberspace Administration of China (CAC) is one of the other mechanisms and is mandatory if certain thresholds are met. The third option is to obtain personal data protection certification from a specialized institution designated by CAC. Many MNCs prefer to adopt SCCs as they have a number of advantages over the certification route, including that they are less complicated, less time-consuming, and do not require significant amounts of information to be provided to a certification institute.

In this blog post we explain what the SCCs are, why they are relevant to most MNCs operating in China, and how they can be used effectively to help MNCs comply with the Chinese data protection laws when transferring personal data from China to other countries or regions.

What are the SCCs?

On 24 February 2023, CAC released the final version of the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information (Measures), which included the SCCs as a schedule. The Measures took effect on 1 June 2023 but allow a six-month grace period for full compliance. Any non-compliant cross-border transfer of personal data in place before 1 June 2023 must ensure compliance with the Measures by 30 November 2023. Any new arrangements set up after 1 June 2023 will need to comply with the Measures before the transfer. On 30 May 2023, CAC issued the first edition of guidance on filing the SCCs together with a template form for the personal data protection impact assessment report.

The SCCs cover the following:

  • basic information for both the data exporter and overseas data recipient, including but not limited to the name, address, contact name and contact information;
  • the purpose, scope, type, sensitivity, quantity, provision manner, retention period and storage location of the personal data to be transferred;
  • the responsibilities and obligations of the data exporter and overseas data recipient with respect to the protection of personal data, as well as the technical and management measures to be taken to prevent potential security risks arising from the cross-border transfer of personal data;
  • the impact that local policies and regulations on the protection of personal data in the overseas recipient's location may have on compliance with the SCCs;
  • the rights of data subjects, and the ways and mechanisms of realising them; and
  • provisions on other aspects such as remedies, termination of contract, liabilities for breach of contract and dispute resolution.

The Measures provide that the relevant data transfer agreement shall strictly follow the form of the template SCCs. A data exporter is able to agree additional clauses with an overseas data recipient provided that the new clauses do not contradict the template SCCs.

Why are the SCCs relevant to MNCs in China?

The SCCs are relevant not only in data-heavy industries such as internet, IT, financing, hospitality, consumer products and automotive industries, but also to almost all MNCs operating in China. Many MNCs in China use global IT or employment management systems that store or process personal data on servers or cloud platforms located outside China. For example, an MNC may use a global HR system that collects and manages employee data from different subsidiaries around the world, or a global supply chain management system that collects and manages supplier or vendor data. Such systems may involve cross-border data transfers of personal data from China to other countries or regions, making the SCCs an important tool for compliance with Chinese data protection laws.

How can MNCs use the SCCs to comply with the Personal Information Protection Law?

The SCCs can only be adopted if the cross-border data transfer does not trigger the CAC mandatory security assessment requirements. This means that the MNC as the PRC data exporter:

  • cannot be a critical information infrastructure operator (as defined in the PRC Cybersecurity Law);
  • must not process personal data of 1,000,000 individuals or more;
  • must not provide personal data of 100,000 individuals or more in aggregate to overseas data recipients since 1 January of the previous year; and
  • must not provide sensitive personal data of 10,000 individuals or more in aggregate to overseas data recipients since 1 January of the previous year.

MNCs that want to use the SCCs for cross-border data transfers need to follow these steps:

  • identify the type and scope of personal data that will be transferred from China to other countries or regions;
  • negotiate and sign the SCCs with the overseas data recipients (which could be MNCs headquarter or overseas affiliates) in those other countries or regions;
  • conduct a personal data protection impact assessment and prepare a report;
  • file the SCCs with the local CAC together with the personal data protection impact assessment report; and
  • implement and monitor compliance with the SCCs throughout the duration of the data transfer.

Where multiple entities in China will transfer personal data to multiple companies overseas under the SCCs, the following should be noted:

  • each entity in China will need to file the SCCs separately with local CAC of the place where the entity is located;
  • regulators normally require bilateral agreements instead of multiple entities transferring data to multiple overseas data recipients under a single set of SCCs;
  • some local CACs, such as Beijing and Shanghai, may have their own implementing rules and guidance for filing the SCCs, so it is advisable to check with them before filing; and
  • we recommend seeking legal and compliance expertise to navigate the filing processes and ensure compliance.

Please refer to our previous articles for further details on the implementation of the SCCs: China officially releases standard contract for cross-border transfer of personal data | Data notes (hsfnotes.com) and filing of the SCCs with CAC: The Cyberspace Administration of China issues guidance on filing the standard contract for outbound cross-border transfer of personal information | Data notes (hsfnotes.com).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.