On February 22, 2023, China's Cybersecurity Administration ("CAC") released the final version of the China SCC - the Measures for the Standard Contract for Outbound Transfer of Personal Information ("Measures for the Standard Contract"). The Measures for the Standard Contract will come into effect on June 1, completing all three mechanisms, including the security assessment and PI certification, for cross-border data transfers stipulated in the Personal Information Protection Law ("PIPL"). Therefore, all parties involved in processing Chinese-origin PI and conducting outbound data transfer must take action to comply with related laws and regulations. For more information on outbound data transfers, please refer to our previous blog posts:
- China Releases Security Review Measures for Cross-Border Data
- China Releases Guidance on Security Review of Cross-Border Data Transfers(http://blog.galalaw.com/post/102i31p/china-releases-guidance-on-security-review-of-cross-border-data-transfers)
- First Cases of Security Assessment Approval for Outbound Data Transfers in China(http://blog.galalaw.com/post/102i7e2/first-cases-of-security-assessment-approval-for-outbound-data-transfers-in-china)
What are the requirements?
To conduct cross-border data transfer under the Standard Contract Measures, the PI processor shall (i)conduct a personal information protection impact assessment ("PIA"). (ii) sign the Standard Contract with the overseas recipient and (iii) complete the filing with the local cybersecurity authority by submitting the PIA report and the signed Standard Contract within 10 working days from the effective date of the Standard Contract.
A PI processor can choose the mechanism of concluding a Standard Contract if the following four conditions are satisfied.
(i) The PI processor is not a critical information infrastructure operator;
(ii) The PI processor handles PI of less than one million individuals;
(iii) The PI processor provides PI of less than 100,000 individuals in aggregate to overseas recipients since January 1 of the previous year; and
(iv) The PI processor provides sensitive PI of less than 10,000 individuals in aggregate to any overseas recipients since January 1 of the previous year.
According to the Standard Contract Measures, before any outbound transfer of PI to an overseas recipient, a PI processor must perform a PIA. The PIA should cover:
(i) The legality, legitimacy, and necessity of the purpose, scope, and method of processing PI by the PI processor and the overseas recipient;
(ii) The volume, scope, category and sensitivity of the PI to be transferred overseas, and the risk that the outbound transfer may pose to the rights and interests;
(iii) The responsibilities and obligations that the overseas recipient undertakes to assume, and whether the management, technical measures, and capabilities of the overseas recipient to perform such responsibilities are sufficient to ensure the security of personal information to be transferred;
(iv) The risk of the PI being tampered with, sabotaged, disclosed, lost, or misused after it is transferred overseas, and whether there is a smooth channel for individuals to protect their PI rights and interests;
(v) The impact of PI on protection policies and regulations in the country of origin in which the overseas recipient is located; and
(vi) Other matters that may affect the security of PI to be transferred overseas.
If any circumstances change during the validity term of a Standard Contract, the PI processor must conduct a PIA again and supplement the existing Standard Contract or execute a new Standard Contract, as well as filing with the authority again. The above changes include:
(i) The purpose, scope, category, sensitivity, method, and storage location of exported PI, or the purpose and method of PI processing by the overseas PI recipient has changed, or the retention period of PI stored overseas is extended;
(ii) The rights and interests of data subjects will be affected by changes in the policies and regulations on PI protection in the country of origin in which the overseas PI recipient is located; or
(iii) Other circumstances that may affect the rights and interests of data subjects.
Similarly to the Measures for the Security Assessment of Outbound Data Transfers, the Measures for the Standard Contract also provide a grace period of 6 months for ongoing transfers from the date the Measures for the Standard Contract come into effect, namely June 1, 2023. This means that companies have until December 1, 2023, to undertake rectification measures, including performing a PIA, concluding the Standard Contract, and filing with the local cybersecurity authority in compliance with the Measures for the Standard Contract.
What are the challenges?
For companies operating in China, one of the main challenges is determining the appropriate mechanism for cross-border data transfer. The Cybersecurity Law provides three mechanisms for such transfers: passing a security assessment organized by the CAC, undergoing PI protection certification conducted by a specialized body, or concluding a Standard Contract with the overseas recipient. To determine which mechanism applies to them, companies must review their specific PI transfer scenarios and assess the risks and requirements associated with each mechanism.
Another challenge is that the application scope of the Standard Contract under the Standard Contract Measures is narrower compared with the GDPR, as it only applies to scenarios where the PI processor onshore is a data controller under the PIPL, but not a data processor under the PIPL. Under the PIPL, a data controller is an organization or individual who alone or jointly with others determines the purposes and means of processing personal information. In other words, a data controller is the entity that decides why and how personal information is processed. This is different from a data processor which processes personal information on behalf of the data controller and under their instructions.
Completing a PIA as required under the Standard Contract Measures can also present challenges. The PIA must cover various factors such as the legality, legitimacy, and necessity of the purpose, scope, and method of processing PI. To ensure compliance with the PIA requirements, companies may need to engage with a third-party consultant or legal counsel to conduct the assessment and provide guidance on remedial actions, such as implementing sufficient technical measures to protect PI.
Lastly, negotiating contracts with overseas recipients to comply with the Measures for the Standard Contract may present challenges, as the content of the Standard Contract is not allowed to be amended, and any additional terms agreed upon by the PI processor and overseas recipient must not conflict with the existing provisions in the annex of the Measures for the Standard Contract. As a result, it is important for the PI processor to carefully review the Standard Contract and any additional terms proposed by the overseas recipient to ensure that they comply with the requirements under the Measures for the Standard Contract. This may require the assistance of a local counsel with experience in cross-border data transfer regulations to help ensure that the contract accurately reflects the parties' intentions while complying with the requirements under the Measures for the Standard Contract.
How to get prepared?
To prepare for compliance with the Measures for the Standard Contract during the grace period, companies should take the following steps once they have determined that the Standard Contract is the appropriate mechanism for cross-border data transfer based on their specific PI transfer scenarios:
(i) Negotiate with the overseas recipient to conclude the China SCC and seek the assistance of a local counsel if necessary to explain any provisions;
(ii) Conduct a PIA and take remedial action based on the findings of the PIA, such as requesting that the overseas recipient implement sufficient technical measures to protect PI, and ensuring that the volume, scope, category, and sensitivity of the PI to be transferred overseas are appropriate;
(iii) File the PIA report and the signed Standard Contract with the local cybersecurity authorities within 10 working days from the effective date of the Standard Contract;
(iv) Establish internal policies and teams to ensure ongoing compliance with the Measures for the Standard Contract and other applicable laws and regulations regarding cross-border data transfer.
Given the challenges discussed above, it is recommended that companies begin preparing for compliance as early as possible.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.