Scope of application
According to the SCC Regulations, business organisations are only allowed to adopt the Chinese SCCs for transferring China-collected or generated data abroad if they have satisfied all of the following conditions as data exporters:
- They are not a critical information infrastructure operator (CIIO, which is broadly defined to cover business entities in financial, energy, telecom, public utility, health care, transportation, e-government and other sectors which are critically important to China for reasons of national security and the public interest).
- They have not processed the personal data of more than one million individuals.
- They have not made aggregate transfers of the personal data of more than 100,000 individuals since 1 January of the preceding year.
- They have not made aggregate transfers of the sensitive personal data of more than 10,000 individuals since 1 January of the preceding year.
It is worth noting that the above thresholds for Chinese SCCs are closely aligned with those for cross-border data transfers which are subject to the CAC-led security assessment. Under the Measures on Security Assessment for Outward Data Transfer (issued by CAC in August 2022 and effective from 1 September 2022), any international data transfer from China is required to go through the CAC-led security assessment if it fails to satisfy any of the above four conditions.
The SCC Regulations explicitly prohibit businesses from transferring China-collected or generated data abroad by breaking down the data volume to circumvent the CAC security assessment mechanism.
Specific requirements for Chinese SCCs
Unlike the GDPR SCCs, which cover four different models for controller (C) and processor (P) transfers, namely C-C, C-P, P-P and P-C, the Chinese SCCs only have one universal template, regardless of the role and function of the parties.
Before entering into a cross-border data transfer agreement, the data exporter is required to conduct an impact assessment and prepare an impact assessment report by considering multiple factors, including:
- the validity, necessity and appropriateness of the anticipated cross-border data transfers;
- the scope, category, volume and sensitivity of the data transferred;
- the obligations to be undertaken by the foreign data recipient;
- what technical and organisational measures are to be adopted by the foreign recipient;
- the potential risk of personal data breaches or data being leaked or damaged after the transfer, and what remedy channels are available to data subjects;
- the data protection laws and policies of the foreign destination countries; and
- any other factors which may affect the cross-border data transfers.
The cross-border data transfer agreement must be prepared based on the SCCs’ standard terms. The parties are not allowed to make changes to the standard terms, although they can add supplementary terms in the Appendix of the agreement if they do not conflict with the standard terms.
A significant number of terms in the Chinese SCCs mirror the GDPR SCCs in relation to the obligations of the transferor, the responsibilities of the foreign data recipient and the rights of the data subjects. However, there are notable clauses with significant Chinese characteristics, for example:
- The Chinese SCCs impose stricter requirements on onward data transfer as compared to the GDPR SCCs. Under the Chinese SCCs, the foreign data recipient is only allowed to make further transfers upon satisfaction of certain conditions, such as notifying the data subjects of the onward transfer, adopting sufficient technical measures, and signing an agreement with the onward transferee to ensure data protection.
- Data subjects can enjoy the contractual rights under the terms of the Chinese SCCs as third-party beneficiaries and make a claim against both the data transferor and foreign data recipient. Both the data transferor and foreign data recipient will assume joint and several liability to the data subjects according to the applicable laws.
- The Chinese SCCs provide that the cross-border data transfer agreement must be governed by Chinese law, while the GDPR SCCs allow more flexibility to choose the national law of an EU or non-EU country as the governing law.
- In terms of dispute resolution, parties to the Chinese SCCs can choose to either litigate at a Chinese court, or refer the dispute to a Chinese arbitration tribunal or an international arbitration tribunal according to the 1958 New York Convention on the Recognition and Enforcement of Foreign Arbitration Awards.
The Chinese SCCs-based cross-border data transfer agreement and the impact assessment report must be filed with the provincial CAC within 10 working days of the agreement taking effect. The effectiveness of the data transfer agreement is not conditional upon its filing with the CAC authorities.
The parties are required to re-do the impact assessment, review/update the data transfer agreement and make further filings with the provincial CAC in certain circumstances such as the extension of the data retention period, changes to the purpose, scope, category, volume, storage location and sensitivity of the personal data to be processed outside China, changes to personal data protection laws and policies in foreign destination countries affecting the rights and benefits of data subjects, and other situations which may affect data subjects.
Liability and enforcement
The SCC Regulations provide “teeth” to sanction non-compliance. If the provincial CAC is of the view that the cross-border data transfer poses a substantial risk of a major data incident, the CAC officials will request interviews and meetings with the data exporter and order rectifications. The SCC Regulations also provide a whistle-blowing mechanism whereby individuals or organisations can report non-compliant cross-border data transfer activities to provincial CAC authorities.
The SCC Regulations further provide that if any such irregularities constitute non-compliance with the PIPL, violators will face administrative, civil and possibly criminal liabilities, with maximum fines under the PIPL of RMB 50 million (approx. US$7.8 million) or 5% of the previous year’s turnover, whichever is higher.
Key takeaways
- The SCC Regulations and the Chinese SCCs will come into force on 1 June 2023 and will have significant implications for multinational corporations which transfer employee data, customer data and other personal data outside China as part of their business operations.
- Compared to other data export mechanisms under the PIPL (CAC security assessment and certification by licensed professional institutions), the Chinese SCCs regime is expected to offer clear advantages for inter-company transfers thanks to the greater foreseeability of contract terms and time/cost efficiencies. For transfers involving external customers or vendors, it is expected that time will be needed for negotiations, and organisations are therefore advised to begin those negotiations early in the data transfer process.
- On the other hand, if the data transfer triggers the CAC-led security assessment scenario, the business organisation must follow the CAC procedures since the Chinese SCCs regime would not be an option. In practice, the transfer of important data or large volumes of personal data will generally fall within the scope of the CAC security assessment and the Chinese SCCs tend to apply to the transfer of relatively small amounts of personal data.
- It is worth noting that the SCC Regulations expressly prohibit splitting or breaking down the volume of data to avoid the CAC security assessment. Therefore, companies must map out China-related data flows and perform a thorough assessment to determine the most appropriate cross-border data transfer mechanism under the relevant laws.
- Where it is possible to rely on the Chinese SCCs for transferring data outside China, business organisations should take necessary compliance actions as soon as possible. After 1 June 2023, all new cross-border data transfer agreements must be entered into based on the Chinese SCCs. Organisations which have transferred personal data from China before 1 June 2023 have a grace period of six months ending on 30 November 2023 to take remedial actions for their international data transfer activities and revise their data transfer agreements based on the Chinese SCCs.
- From a practical perspective, the SCC Regulations and the Chinese SCCs require a considerable amount of work to be done before the cross-border transfer of data and reinforce best practices. Data handlers are required to exercise due diligence over the foreign data recipient, compile information and documents for performing the impact assessment, send notifications to the data subjects according to the terms of the SCCs, and review, negotiate and enter into the data transfer agreement.
- The impact assessment report and signed SCCs-based data transfer agreement must be filed with the provincial CAC within the required time frame and all documents filed with the CAC authorities must be written in Chinese. Failure to comply with the filing requirements will expose companies to potential legal liability and penalties under the SCC Regulations and the PIPL. The active investigations and sky-high penalties (e.g., a fine of approx. US$1.2 billion imposed on a major online company in 2022) show that Chinese regulators will continue to take vigorous enforcement actions in the coming months and years.
- Business organisations will need to compile a significant amount of information both in and outside China, as well as map data flows, prepare assessment reports and update and finalise data transfer agreements. It is advisable that organisations take the necessary steps as soon as possible, rather than leaving things to the last minute.
- Compliance is not a one-off step. Companies should monitor and track ongoing compliance with the Chinese SCCs, secure legal advice, and take necessary measures in the event of any changes to the Chinese SCCs to ensure continued compliance.
Please see the original source on the IAPP website.
In-depth 2023-064