Since 2022, China has issued a series of regulations, establishing a comprehensive legal regime for the cross-border transfer of data from China. On February 24, 2023, the long-awaited Measures for Standard Contracts for Cross-Border Transfer of Personal Data (China SCC Measures) and the corresponding Standard Contractual Clauses (China SCCs) were issued and became effective on June 1, 2023 (see our detailed analysis of the China SCC Measures).
To facilitate implementation of the China SCC Measures, the Cyberspace Administration of China (CAC) issued the Guidelines for Filing the Standard Contracts for Cross-Border Transfer of Personal Data (first edition) (SCC Guidelines) to provide some practical guidance. Further, on June 2, the Beijing Municipal CAC released a set of local filing guidance (Beijing Guidance) to provide more clarity and direction on adopting the SCC mechanism and completing the filing with the Beijing Municipal CAC.
The China SCC mechanism is one of the three major legal mechanisms for outward transfer of data from China under Chinese data laws. While it shares some similarities with the SCC mechanism under the General Data Protection Regulation (GDPR), it differs from the GDPR mechanism in multiple distinctive ways. The SCC Guidelines and the Beijing Guidance aim to address certain ambiguities and provide useful clarifications and guidance on implementation of the China SCC mechanism. The key points and practical takeaways are set forth below.
The SCC Guidelines reiterate that business organizations are required to conduct a proper analysis of specific cross-border data transfer scenarios to determine the applicable legal mechanism for international data transfer. For example, if the aggregate personal data transferred since January 1 of the preceding year covers fewer than 100,000 individuals, the China SCC mechanism applies, while the compulsory CAC security assessment is triggered if the above-mentioned data transfer exceeds 100,000 individuals.
Both the China SCC Measures and the SCC Guidelines highlight that business organizations are prohibited from dividing up or splitting the volume of personal data transferred abroad to circumvent the compulsory CAC security assessment mechanism (see our detailed comparison and analysis on CAC security assessment and China SCC mechanism).
Filing submission and outcome
The data exporter is required to make a filing with the provincial CAC within 10 working days after the executed China SCC-based data transfer agreement comes into force. The filing consists of the requisite documents, including a personal information protection impact assessment report (PIPIA Report), the executed China SCCs, and any other auxiliary information.