Reed Smith Client Alerts

Further to the Measures on China SCCs (see our detailed analysis of the China SCC Measures) effective as of 1 June 2023 and the Guidelines for Filing the Standard Contracts for Cross-Border Transfer of Personal Data SCCs (see our detailed analysis of the China SCC Guidelines), the Cybersecurity Administration of China (CAC) at the Beijing municipal level issued a notice (Notice) on 25 June. According to the Notice, a Beijing-based company has passed the first-ever China SCC filing. A few months ago, the first-ever positive security assessment in China was also granted to a hospital in Beijing. Beijing has undoubtedly become a pioneer in the implementation of cross-border data transfer mechanisms. This is an exciting development for data exporters in China, demonstrating that China has officially started the practical implementation of the China SCCs mechanism.

Overview of the first-ever China SCC filing case

According to the Notice, a Beijing company called Beijing De Yi Xin Data Co. Ltd has received an SCC filing registration number (Jing He Tong Bei No. 202300001) from the Beijing Municipal CAC, representing the first-ever China SCC filing case and becoming the first-ever company in China to make an SCC filing for the cross-border transfer of personal data. The Beijing company transfers personal data related to credit references to Hong Kong Nova Credit Co., Ltd. Based on public information, the Beijing company is an online data service provider, established in December 2022, that is 15% indirectly owned by the overseas data recipient (Hong Kong Nova Credit Co., Ltd.).

Timewise, this first-ever China SCC filing case was completed just 15 working days after the Measures on China SCCs became effective. Compared with the CAC security assessment, it is obvious that China SCC filing is much more time efficient.

Recap of China SCCs

Among all three major cross-border data transfer mechanisms (i.e., the CAC security assessment, China SCCs, and security certification) under Chinese data laws (see our detailed analysis on the International Data Transfer Mechanisms), the China SCCs mechanism is generally more favoured by businesses as it offers greater time and cost efficiencies and some synergies with the GDPR SCCs, with the caveat that companies are advised to conduct a detailed assessment to determine the most suitable channel in accordance with the Personal Information Protection Law of China and underlying regulations.

The China SCCs mechanism was formally launched on 1 June 2023. Companies transferring personal data abroad are now required, within the prescribed period, to submit an impact assessment report and the standard contract to the provincial CAC for review, with the outcome being either a “pass” or “fail”. If receiving a “fail” notification, the company will be notified of why its application was unsuccessful and will be required to provide supplementary information and documents. This indicates that the SCC filing review is not just a formality: it may serve as a de facto approval, although it remains to be seen what level of scrutiny the provincial CAC officials will exercise in the filing review.