My previous article, A Glimpse of the Regulatory Mechanism for the China SCCs, provided a high-level summary of the regulatory mechanism to rely on the CN SCCs to outbound transfer personal information from China. It introduced the applicable scope, conditions precedent and the filing requirements of the regulatory mechanism. From that article, you may have a general understanding that the CN SCCs has its origin from the GDPR SCCs. In this Article, Estella and I will make a deep dive into the CN SCCs to share with you some more details about the relationship between CN SCCs and GDPR SCCs. However, due to our limited knowledge of GDPR SCCs practice, our comments about GDPR SCCs may not be accurate in all aspects. If you find places where our understanding can be improved, you are welcome to contact us about it. Thank you!

The modernized SCCs, under the GDPR, can be used as one of the appropriate safeguards in the absence of an adequacy decision for a data controller or processor to transfer personal data to a third country or an international organisation outside EEA.

Since CN SCCs has its original from the GDPR SCCs, it is natural to wonder what the similarities and the differences are between the China SCCs and the GDPR SCCs. Specifically, to what extent does the latter influence the former, and what is the proper logic to coexist both SCCs for different regulatory and legal systems?

From a comparative law perspective, we are addressing those questions in this article for organizations that conduct businesses processing personal data in both jurisdictions.

The Similarities

The similarities between those two SCCs include:

  • Data subjects are entitled to the right as a third-party beneficiary and can make a claim against both the data exporter and foreign data recipient.
  • Both the data transferors and foreign data recipients should assume the joint and several liabilities to the data subjects.
  • Both jurisdictions require data exporter and data importer to exercise reasonable care to assess the impact of local laws on the performance of the SCCs, and impose notification obligations on data importer in case of access by local public authorities.

The Divergencies

Although there are similar words used in both SCCs, however, the basic legal concepts, the legal requirements and the regulatory practice behind those words are with major differences.

  • The Structure of the SCCs.

GDPR SCCs has four modules (i.e., C-C, C-P, P-C, P-P) that are based upon the obligations and rights of data transfers or data importers under the GDPR in transferring personal data to countries outside of the EEA. This allows more accurate tailorship by the parties of their rights and obligations by choosing the proper module based upon their specific roles in the underlying personal data outbound transfer.

China SCCs imposes a universal set of rights and obligations on the parties, regardless the different roles the parties may take in different scenarios of the outbound data transfer. This may impose higher standard of obligations on the parties. Behind such an approach is the defensive attitude and the security concern the CAC has towards personal information outbound transfer.

  • Separate Consent

CN SCCs incorporates the obligation to secure the separate or written consents under the PIPL for personal information cross-border transfer, even though CN SCCs does exempt the requirement for separate consent where the personal information exporter can rely on other statutory legal grounds to outbound transfer the personal information.

Although GDPR SCCs does not use the term "separate consent", the GDPR has a similar concept, "explicit consent", which can be used as a mechanism for cross-border transfers of personal data. In the absence of an adequacy decision, SCCs, or BCRs, according to Article 49 of the GDPR, data exporters may rely on derogations which include explicit consents from the data subjects who have been informed of the possible risks of the transfers and appropriate safeguards.

  • Administrate and Control
  • The application of China SCCs: Voluntary or not?

Generally speaking, the freedom of contract means that the parties have the ability to bargain and create the terms of their agreements as they desire. However, both China SCCs and GDPR SCCs are standardised clauses that are pre-approved by relevant authorities, and the parties are not allowed to execute other clauses that contradict with the SCCs.

Under the GDPR, there is no legal obligation for a data controller or processor to use SCCs. As explained in the official Q&A of the latest GDPR SCCs, the clauses can be used on a voluntary basis to demonstrate compliance with data protection requirements.

However, the CN SCCs does not equally give all personal information processors the right to "opt-in". If the personal information processor has triggered the thresholds for a government-led security assessment, the CN SCCs cannot be used as an alternative legitimacy mechanism for its personal information outbound transfers.

  • Filling obligations with Chinese characteristic

As required by the CN SCCs Rules, a filing of the SCCs and the PIPIA report must be made to the provincial office of the CAC. The purpose and basis of this filing requirement is unclear. Article 38 of the PIPL does not require "filing for record of the executed SCCs" as a necessary legitimate condition for the outbound transfer of personal information.

In contrast, there is no similar filing requirement under the GDPR for the executed SCCs.

  • DPIA v. PIPIA – PIPIA is a necessary step before signing the China SCCs

Article 35 of the GDPR provides for Data Protection Impact Assessments (DPIA). According to Article 35, the transfer of personal data abroad does not by itself necessarily trigger the assessment obligation under the GDPR, but depends on the nature, risks, etc. of that processing activity.

Although PIPIA is a similar concept as the DPIA, PIPL takes a very different approach: the PIPIA becomes a mandatory legal requirement for the transmission of personal information abroad.

Article 55 of the PIPL provides that transmitting personal information abroad by itself triggers the need for a PIPIA. In an extreme example, a personal information processor needs to run a PIPIA even if it will merely outbound transfer a single piece of insensitive personal information.

CN SCCs bears more administrative color from the government. It is not only the respect of the control the data subjects should have on their personal data, but also a government's safeguard and supervision of its data resource for security and competition advantage.

To conclude this article, we share for your reference in Appendix I a more detailed comparison between China SCCs and GDPR SCCs. If you are interested in knowing more about our view and advice on CN SCCs and its related regulation and enforcement policies, you are welcome to contact us!

Appendix I – Comparison between the CN SCCs and the GDPR SCCs





I. Comparison on Application Scope and Structure


Scope of Application

A narrower application scope

When meeting all of the following circumstances, a personal information processor can rely on adoption of the CN SCC mechanism to compliantly transfer personal information out of China without going through any third-party certification or governmental assessment process:

  • The personal information processor is not a CIIO;
  • As of the date of the SCC, the personal information processor processes less than 1 million data subjects' personal information on cumulative basis;
  • It processes on cumulative basis less than 100K data subjects' personal information from January 1 of the last year till the date of the SCC; and
  • It processes on cumulative basis less than 10K data subjects' sensitive personal information from January 1 of last year till the date of the SCC.

(Article 4 of the Rules for the Standard Contracts for Outbound Transfer of Personal Information, the "CN SCC Rules")

Applied on a voluntary basis

Pursuant to Article 46(1) of Regulation (EU) 2016/679, in the absence of an adequacy decision by the Commission pursuant to Article 45(3), a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. Such safeguards may be provided for by standard data protection clauses adopted by the Commission pursuant to Article 46(2)(c).

The role of standard contractual clauses is limited to ensuring appropriate data protection safeguards for international data transfers.

(Article 1of the Decision of 4.6.2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, "the SCCs Decision")


Structure of the SCCs

An all-in-one Structure

Article 1 Definitions

Article 2 Obligations of the Personal Information Handler

Article 3 Obligations of the Foreign Recipient

Article 4 The Impact of Personal Information Protection Policies and Regulations in the Foreign Recipient's Country or Region on the Performance of this Contract

Article 5 Rights of the Personal Information Subject

Article 6 Remedies

Article 7 Termination of the Contract

Article 8 Liability for Breach of the Contract

Article 9 Miscellaneous


Each Clause contains provisions intended to cover different cross-border modules


Clause 1 Purpose and scope

Clause 2 Effect and invariability of the Clauses

Clause 3 Third-party beneficiaries

Clause 4 Interpretation

Clause 5 Hierarchy

Clause 6 Description of the transfer(s)


Clause 8 Data protection safeguards

Clause 9 Use of sub-processors

Clause 10 Data subject rights

Clause 11 Redress

Clause 12 Liability

Clause 13 Supervision


Clause 14 Local laws and practices affecting compliance with the Clauses

Clause 15 Obligations of the data importer in case of access by public authorities


Clause 16 Non-compliance with the Clauses and termination

Clause 17 Governing law

Clause 18 Choice of forum and jurisdiction


II. Procedures for contract


Pre-contract: Prior self -assessment

A must-have

Conduct PIPIA before transferring personal information abroad is necessary.

Exporting data by itself is not a condition triggering the DPIA.

For certain high-risk processing activities, regardless of whether a cross-border transfer is involved, a DPIA must be carried out.

Before the outbound data transfer, both parties should assess the impact of data laws and policies in the foreign recipient's country or region on the performance of the SCCs.

Relevant requirements and considerations in this Part of the China SCCs and GDPR SCCs are generally similar.


Post-contract: Filing obligation

There is a filing obligation on personal information processor.

They are required to file the signed SCC and the PIPIA report with the provincial CACs within ten days from the effective date of the SCCs.

No filing obligation.

  1. Main requirements under the SCCs


Obligations of the Personal Information Handler/Data exporter

Align with the PIPL

Align with the GDPR.

However, the GDPR SCC explicitly clarify different obligations that may apply under the different modules due to the different roles of data exporter and importer.


Obligations of the Foreign Recipient/Data importer


Onward transfer

See Article 3.8

The foreign data recipient is required to enter into a written agreement with the third party to ensure that the third party's personal information processing activities comply with the personal information protection standards set forth in the PRC relevant laws and regulations, and to assume legal responsibility for any violation of the rights of the personal information subject.

This is much higher standard than GDPR SCCs.

Under different modules, there are different lawful basis can be applied to when there is an onward transfer.

For example, under the C-C module, an onward transfer by the data importer may take place if:

  • it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
  • it is necessary in order to protect the vital interests of the data subject or of another natural person;
  • and others.


Data Subject Rights

Data Subjects as the third-party beneficiary

Generally aligned with the GDPR SCCs.

Data Subjects as the third-party beneficiary


Local laws & obligations in case of accessed by public authorities

Generally aligned with the GDPR SCCs.

Both Parties are required to conduct a prior assessment on the impact of local laws and practices on the performance of the SCCs.

The foreign data recipient should notify the processor when there is access by public authorities to personal information transferred.



Supervision of competent regulators

The foreign data recipient must accept supervision by the competent CN supervisory authority.

Generally aligned with the GDPR SCCs.

The data importer must accept supervision by the competent EU supervisory authority.


Governing Law and Jurisdiction

China SCCs are governed solely by the laws and regulations of the PRC.

Parties to Chinese SCCs may choose to litigate in Chinese courts or to submit disputes to Chinese arbitration or to international arbitration under the 1958 New York Convention.

There are different requirements for different modules. For example, a C-C module allows both parties to choose the governing law of any EU member state, while a P-P module allows only the governing law of the EU member state where the data exporter is established to be chosen.

Due to the fundamental differences in their judicial and regulatory systems, overall, GDPR SCCs are more flexible than CN SCCs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.