A regulatory update

Key developments:

1. Businesses that want to utilise Standard Contractual Clauses (SCCs) to transfer personal data outside of China have until the end of November 2023 to become compliant.

2. The text of the promulgated SCCs is highly prescriptive, fixing the definition of terms such as Personal Data, the applicability of Chinese law and the arbitration options. Utilising other existing agreements as templates, such as GDPR-compliant clauses, is not possible. This is a major change from the draft version.

3. Businesses are now obliged to undertake a Personal Data Protection Impact Assessment (DPIA or PIA). The assessment report needs to be filed for record alongside the executed SCCs.

Which businesses should consider using the SCCs route:

Most international businesses that transfer personal data outside of China, including those that deploy data management software solutions but do not trigger the threshold for Government Security Review, will likely need to comply with the SCCs. The alternative route, certification by a specialised agency, is not easy to complete within a short timeframe, despite recent regulatory updates.

Typical scenarios where the SCCs are readily applicable:

  • Employees' or clients' personal data is transferred cross-border to a headquarters outside of China;
  • Chinese entities purchase and deploy products or services (e.g. ERP systems) provided by overseas vendors who may access or process personal data;
  • Short-term or one-off transactions that involve personal data transfer, such as mergers, acquisitions or joint R&D projects.

Key steps to ensure compliance with the SCCs:

1. Understand how the regulatory framework applies within the context of the business and develop a Compliance Action Plan.

To develop a timely and prioritised action plan, businesses need to undertake a data flow mapping exercise to ensure that all cross-border data transfers are understood, especially those that are software based. Once the flows are established, reviewing them against the regulatory framework will identify any compliance gaps. How to address these gaps needs to be considered within the business context, which in turn informs the Compliance Action Plan.

Read our Cross-Border Data Compliance in China for International Businesses article to learn more about developing a risk based and prioritised Action Plan, addressing your pain points.

2. Mitigate the risks by minimising cross-border data transfer and delivering a considered Personal Data Protection Impact Assessment (DPIA)

According to the regulations, the personal data impact assessment needs to address the legitimacy, justifiability and necessity of transferring the data outside of China. If the volume and scope of data transferred is minimised, the burden of providing such justifications is reduced. As such, businesses should review and streamline their personal data flows outbound from China, where it makes business sense.

The final impact assessment can be based upon the Compliance Action Plan, addressing the additional required points.

3. Draft and implement the Standard Contractual Clauses, update business processes and internal documents

Unlike the draft version of the SCCs, under which the two parties could use their own contract as long as the main clauses of the Chinese SCCs were covered (for example, a GDPR template), the contract must now be concluded strictly in line with the promulgated SCCs. Whilst direct amendments to the SCC terms are not allowed, the two parties can attach supplementary clauses in an appendix as long as they do not conflict with the SCCs.

For those businesses that have already started to implement the SCCs on the basis of the draft, a review needs to be undertaken to identify what further updates are required to bring the contract in line with the promulgated SCCs.

To fully implement the Compliance Action Plan, amendments to internal processes and documents are to be expected, such as updating the employee privacy policy or implementing a standalone data system for China.

Implications of non-compliance:

The Measures on the Standard Contract for the Outbound Transfer of Personal Information were released on 24 February 2023 and take effect on 1 June 2023. There is a 6-month grace period for companies to become fully compliant.

If the Cyberspace Administration of China (CAC) becomes aware of outbound data transfer activities that carry high risk, or of personal information security incidents, the authorities have the power to interview the violators and order them to rectify the situation and eliminate the potential risks. For serious non-compliance, severe administrative liability or even criminal liability may be imposed.

Aside from the risk posed by regulatory authorities stepping up enforcement and building out their manpower and capability to identify non-compliance, we are seeing increasing complaints from customers and employees, especially those affected by post-Covid restructuring. As such, it is critical that businesses seek to be compliant in order to cover themselves from all angles.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.