Application scope
The SCC Guidelines reiterate that business organizations are required to conduct a proper analysis of specific cross-border data transfer scenarios to determine the applicable legal mechanism for international data transfer. For example, if the aggregated transfers of personal data since January 1 of the preceding year cover fewer than 100,000 individuals, the China SCC applies, while the compulsory CAC security assessment is triggered if the above-mentioned data transfers exceed 100,000 individuals.
Both the China SCC Measures and the SCC Guidelines highlight that business organizations are prohibited from dividing up or splitting the volume of personal data transferred abroad to circumvent the compulsory CAC security assessment mechanism (see our detailed comparison and analysis on CAC security assessment and China SCC mechanism).
Filing submission and outcome
The data exporter is required to make a filing with the provincial CAC by submitting the requisite documents, including a personal information protection impact assessment report (PIPIA Report), the executed China SCCs, and any other auxiliary information within 10 working days after the executed China SCC-based data transfer agreement comes into force.
The provincial CAC officials will take 15 working days to conduct the review, with the outcome to be either “pass” or “fail.” A filing number will be granted to the data exporters who pass the filing review. Once the “fail” notification is issued, the data handler will be notified of why its application was unsuccessful and will be asked to provide supplementary materials within 10 working days. This suggests that the provincial CAC filing review is not just a procedural filing, but serves as a de facto approval, although it is unclear at this stage what level of scrutiny the provincial CAC will exercise in the review. As provided by the China SCC Measures, the cross-border data transfer can occur after the executed China SCC-based data transfer agreement becomes effective. This means that the cross-border transfer is not conditional on a successful filing, but, in reality, it remains to be seen whether the cross-border data transfer can still proceed if the company receives a “fail” notice and then fails to pass again after submitting the supplementary materials.
China SCC
The SCC Guidelines include the China SCC template as an appendix. The template is identical to the one included in the China SCC Measures issued by CAC in February 2023. The SCC Guidelines repeat the requirement in the China SCC Measures that parties to an agreement for transferring personal data from China must enter into a cross-border data transfer agreement based on the China SCC template. The main body of the SCC terms cannot be changed, although bespoke or supplementary terms and conditions can be addressed in Addendum II of the China SCC, provided that such terms do not contradict or conflict with the standard SCC terms.
Multinational companies (MNCs) that have already adopted the GDPR SCC-based terms for international data transfers from China will need to consider how to synchronize the China SCC requirements with their global data strategy and structure.
Following the execution of the China SCC-based data transfer agreement, data exporters are expected to monitor and track the life-cycle performance of the data transfer. In case of certain changes to the transfer scenario or risk level, the business organization is required to conduct an updated impact assessment and sign a supplementary agreement or possibly enter into a new data transfer agreement based on the China SCC terms.
PIPIA Report
In addition to the signed China SCC-based data transfer agreement, the PIPIA Report is another important document to be prepared and submitted to the provincial CAC for filing. The China SCC Measures issued in February 2023 only contain a generic description of what is expected to be addressed in the PIPIA Report, but seem to lack specific and detailed guidance. It is undoubtedly a welcome development that the SCC Guidelines incorporate a template PIPIA Report with more granular details.
It is important to note that the template PIPIA Report mirrors some provisions in the template report for the CAC security assessment adopted in September 2022. However, the template PIPIA Report covers more expansive aspects in relation to personal information protection, e.g., the processing of sensitive personal information and automated decision-making. As provided by the SCC Guidelines, the PIPIA Report must be submitted to the provincial CAC within three months after being prepared without any material changes.
It is understandable that MNCs may wish to leverage their global international data transfer work product or methodology – for example, the GDPR-based transfer impact assessment (TIA) or data processing impact assessment (DPIA) – for preparing the China SCC PIPIA report. Although the TIA/DPIA report under the GDPR may contain some aspects required by the PIPIA Report, the template PIPIA Report has its unique Chinese law requirements and elements that are significantly different from the GDPR TIA or the DPIA report.
For example, compared with the TIA report under the GDPR, the template PIPIA Report requires a wider variety of information and more specific details on the cross-border transfer of personal information, such as the ultimate beneficiary of the data exporter, the data center, the data flow of personal information to be exported, the information system involved, and others. It is important and necessary to prepare the PIPIA Report based on the requirements of the China SCC Measures and SCC Guidelines.
Practice in Beijing and other provinces
On June 2, Beijing Municipal CAC issued a local version of the SCC Guidelines to data handlers based in Beijing (Beijing Guidance). Compared with the SCC Guidelines issued by the CAC at the national level, the Beijing Guidance provides further helpful clarifications on designing and conducting the impact assessment and preparing the PIPIA report.
The Beijing Guidance states that if multiple data exporters are members of the same corporate group, the group company is permitted to initiate the filing process on behalf of other data exporters, provided that the China SCC mechanism is applicable to the cross-border data transfers involved. This addresses the concern of many MNCs with multiple business entities in China. However, as the Beijing Guidance only applies to data exporters located in Beijing, it is uncertain whether a group company based in Beijing may submit the filing application to the Beijing CAC to cover its Chinese subsidiaries in other parts of China outside of Beijing. We believe the local CACs in different provinces and municipalities may need to coordinate with each other on how to handle a situation where multiple subsidiaries located in different cities but within one corporate group need to transfer personal data abroad as part of their business operations.
The Beijing Guidance is the first set of guidelines in China issued by a local CAC authority at the provincial/municipal level to address cross-border data transfer. As of today, no other provincial guidelines are available based on public information. We anticipate the local CAC authorities in other provinces and municipalities will likely follow the same approach as Beijing Municipal CAC.
Key takeaways
China’s data laws are complex and evolving at an extremely fast pace. As an important legal regime for cross-border data transfer, the China SCC mechanism will play a significant role for the Chinese subsidiaries of international businesses that need to transfer personal data from China to the headquarters, affiliates, and other business partners that are located outside of China. For business organizations that are considering adopting the SCC mechanism, it is important that they fully understand the compliance and filing requirements applicable to the SCC-based data transfer and that they complete the filing successfully within the prescribed timeline. Although the CAC filing for the PIPIA Report and the SCC terms is not mandatory, if the outcome of the CAC filing is negative, it may result in negative impacts on cross-border data transfers, cause business interruptions, and even harm a business’s reputation and brand image.
We highlight the following key takeaways for companies to consider from a practical perspective:
- Companies are advised to conduct data mapping and identify the type and volume of personal data being handled and transferred abroad so as to determine whether the China SCC mechanism will apply.
- Prior to the preparation of the China SCC-based agreement, it is important to take a serious look at the relevant business and data transfer scenarios, to strategize the relevant approaches under the China SCC requirements for transferring personal data abroad, to plan and design the appropriate contractual structures under the Chinese data laws and regulations, and to address the complications of synchronizing the global cross-border data transfer strategy and documentation with the Chinese law requirements.
- Both the China SCC Measures and the SCC Guidelines provide for a six-month grace period between June 1 and November 30 for companies to take necessary steps in line with the new legal requirements. But in practice, that six-month transitional period may not be long enough, considering the wide range of necessary compliance actions to be completed, including analyzing the business scenarios and data flows, conducting the PIPIA and preparing the PIPIA Report, reviewing, updating, negotiating, and signing the new SCC contract, preparing the Chinese translation of the entire set of filing materials, and completing the filing with the provincial CAC.
- The template PIPIA Report shows that a substantial amount of organizational and technical information from the data exporter based in China, the foreign data recipient outside China, and the onward transferee(s) must be gathered and included in the PIPIA Report. It is therefore important to allow sufficient lead time for the back-and-forth communications.
- MNCs are advised to follow the template PIPIA Report and to prepare the PIPIA Report properly instead of just relying on the existing DPIA report or TIA report under the GDPR. The date of the PIPIA Report must be carefully calculated so that it can be submitted within three months with no material changes being made by the submission date.
- Companies should keep a close watch on the developments of local CAC practice. For example, the Beijing Guidance expressly requires the application materials to be submitted by email first, with hard copies required only when the outcome of the review by Beijing CAC is positive. We anticipate that local CAC authorities in Shanghai, Guangdong, Zhejiang, Jiangsu and other provinces and municipalities with dynamic digital economies are likely to issue filing guidelines for their own localities.
- The compliance steps are not one-time efforts. Companies should monitor and track the life-cycle performance of the China SCC mechanism, follow legislative and enforcement developments, secure legal advice and professional support, and take the required measures in the event of any changes to the China SCC requirements for continued compliance.
In-depth 2023-127