Overview of the first-ever China SCC filing case
According to the Notice, a Beijing company called Beijing De Yi Xin Data Co. Ltd has received an SCC filing registration number (Jing He Tong Bei No. 202300001) from the Beijing Municipal CAC, representing the first-ever China SCC filing case and becoming the first-ever company in China to make an SCC filing for the cross-border transfer of personal data. The Beijing company transfers personal data related to credit references to Hong Kong Nova Credit Co., Ltd. Based on public information, the Beijing company is an online data service provider, established in December 2022, that is 15% indirectly owned by the overseas data recipient (Hong Kong Nova Credit Co., Ltd.).
Timewise, this first-ever China SCC filing case was completed just 15 working days after the Measures on China SCCs became effective. Compared with the CAC security assessment, it is obvious that China SCC filing is much more time efficient.
Recap of China SCCs
Among all three major cross-border data transfer mechanisms (i.e., the CAC security assessment, China SCCs, and security certification) under Chinese data laws (see our detailed analysis on the International Data Transfer Mechanisms), the China SCCs mechanism is generally more favoured by businesses as it offers greater time and cost efficiencies and some synergies with the GDPR SCCs, with the caveat that companies are advised to conduct a detailed assessment to determine the most suitable channel in accordance with the Personal Information Protection Law of China and underlying regulations.
The China SCCs mechanism was formally launched on 1 June 2023. Companies transferring personal data abroad are now required, within the prescribed period, to submit an impact assessment report and the standard contract to the provincial CAC for review, with the outcome being either a “pass” or “fail”. If receiving a “fail” notification, the company will be notified of why its application was unsuccessful and will be required to provide supplementary information and documents. This indicates that the SCC filing review is not just a formality: it may serve as a de facto approval, although it remains to be seen what level of scrutiny the provincial CAC officials will exercise in the filing review.
While mirroring some aspects of the GDPR SCCs, China SCCs maintain some unique Chinese characteristics; for example, the scope of the impact assessment under the China SCCs is much broader than the DPIA and TIA under the GDPR and the China SCCs’ terms differ significantly from those of the GDPR SCCs.
Trends in enforcement
In the Notice, the Beijing Municipal CAC has vowed to take a balanced approach to facilitate data flow while protecting data security. So far, the majority of data exporters that have passed the CAC security assessment are based in Beijing and in a range of industries, including the health care, aviation, and automotive industries. The Beijing Municipal CAC has been spearheading the supervision and administration of cross-border data transfers by approving the first-ever security assessment, and completing the first-ever SCC filing, in China.
Although practice will vary depending on the locality within China, we believe the Beijing Municipal CAC will set a good example for the CAC authorities in other provinces. After the Beijing Municipal CAC issued the guidance on the filing of China SCCs in early June, other municipalities and provinces, such as Shanghai, Zhejiang, Tianjin, Shandong, Hunan and Guizhou, also published implementation rules to guide local data exporters through the China SCC filing procedure. As the grace period under the Measures on China SCCs will expire at the end of November, we anticipate the next few months will witness more and more China SCC filings.
It is noteworthy that the grant of an SCC filing registration number is not a one-off undertaking. Companies should monitor and track the life-cycle performance of the China SCCs mechanism, follow legislative and enforcement developments, secure legal advice and professional support, and take the required measures in the event of any changes to the China SCC requirements, to ensure continued compliance.
China’s data regime evolves at an extremely fast pace. Business organisations are highly recommended to pay close attention to legislative and enforcement developments in China in the field of data protection and cybersecurity, and prepare for China SCC filings and other necessary compliance-related actions in advance.
If you require any assistance with the China SCCs or any other China data and cyber law issues, please feel free to reach out to us.
Client Alert 2023-142