Ins and Outs of China's SCC
Article 38 of the Personal Information Protection Law of the People’s Republic of China/《中华人民共和国个人信息保护法》 (“PIPL") stipulates that the outbound transfer of personal information[1] must satisfy one of the following three conditions: (i) passing the security assessment organized by the Cyberspace Administration of China (“CAC"); (ii) obtaining personal information protection certification (“PIPC") from a professional institution according to CAC’s requirements; or (iii) executing the standard contract formulated by CAC (“Standard Contract") with the overseas recipients.
On June 30, 2022, CAC issued the Provisions on the Standard Contract for Outbound Transfer of Personal Information (Comment-soliciting Draft)/《个人信息出境标准合同规定(征求意见稿)》 (“Provisions on Standard Contract”), which takes an approach similar to the Standard Contractual Clause (“SCC”) under the European Union’s General Data Protection Regulation. Therefore, China’s Standard Contract is also frequently dubbed “China’s SCC”.
I. Application Scope of Standard Contract
According to Article 4 of the Provisions on Standard Contract, if a processor meets all of the following conditions, it may transfer personal information out of China by executing a Standard Contract[2]:
1. the processor is not a CIIO;
2. the processor processes personal information of less than 1 million individuals;
3. the processor has transferred personal information of less than 100,000 individuals overseas since January 1 of the previous year; and
4. the processor has transferred sensitive personal information[3] of less than 10,000 individuals overseas since January 1 of the previous year.
If the processor fails to meet any one of the above conditions, it must pass CAC’s security assessment.
II. Contents of the Standard Contract
The Standard Contract should be executed by the personal information processor in China (“Transferor") and the overseas recipient who receives personal information from the Transferor (“Overseas Recipient", collectively with Transferor, the “Parties"). Below are the key contents of the Standard Contract template attached to the Provisions on Standard Contract.
A. Obligations of a Transferor
1. Transferor’s General Obligations
Article 2 of the Standard Contract template sets forth the obligations of the Transferor, which include:
a. following the principle of minimization and meeting the requirements of laws and regulations for personal information processing;
b. informing the individuals and obtaining their separate consents based on Article 39 of PIPL, unless the law stipulates that the Transferor does not need to obtain separate consents;
c. informing the individuals that they are the beneficiaries of the Standard Contract, and they will automatically become beneficiaries if they do not reject within 30 days;
d. taking appropriate measures, including technological and administrative measures, to ensure the safety of personal information and that the Overseas Recipient can assume responsibility under the Standard Contract;
e. providing the text of relevant laws, regulations and standards to the Overseas Recipient per its request;
f. conducting personal information protection impact assessment (“PIPIA")[4]; and
g. providing copies of the Standard Contract to individuals per their requests.
2. Transferor’s Obligations as the Primary Responsible Entity
It is usually difficult for the authority in one country to contact or regulate an entity in another country. To avoid such “regulatory dilemma", the Standard Contract holds the Transferor as the primary responsible entity for outbound transfer of personal information. Therefore, the Transferor becomes the main target of law enforcement authorities in China and is required to fulfill additional obligations. More specifically, these additional obligations include:
a. responding to inquiries from the authority on matters about outbound transfer and the Overseas Recipient, unless otherwise arranged by the Parties;
b. bearing the burden of proof to prove that obligations (including the obligations of the Overseas Recipient) under the Standard Contract have been fulfilled; and
c. providing necessary information from the Overseas Recipient to the authority per its request.
B. Obligations of the Overseas Recipient
1. Overseas Recipient’s General Obligations
Article 3 of the Standard Contract sets forth the obligations of the Overseas Recipient, which include the following:
a. processing the transferred personal information according to the “Description of Outbound Transfer of Personal Information/个人信息出境说明" in Appendix I of the Standard Contract[5];
b. processing the transferred personal information according to the principle of minimization;
c. deleting or anonymizing the transferred personal information after the agreed storage period has expired, unless separate consents on the storage period have been obtained from the individuals;
d. taking security measures to protect the safety of personal information;
e. taking remedial measures and informing the Transferor and authority in a timely manner after a data breach;
f. not transferring the personal information to an overseas third party, unless certain conditions are met;
g. following requirements of the law when adopting automated decision-making;
h. providing necessary information to the Transferor to prove that obligations under the Standard Contract have been fulfilled;
i. keeping accurate records on the processing activities and storing the processing record for at least three years; and
j. cooperating with the authority when inquiries or inspections are initiated.
2. Overseas Recipient as a Delegated Processor
Article 21 of PIPL provides the scenario of “delegated processing". Under “delegated processing", the role of “delegated processor" is similar to the “processor" under GDPR. By definition, a delegated processor has no power to decide the purpose and method of the processing activity, and can only take orders and instructions from the principal processor, which is similar to the “controller" under GDPR.
The Standard Contract distinguishes between the scenarios of the Overseas Recipient as an ordinary processor and as a “delegated processor”. If the Overseas Recipient is a “delegated processor”, it should not further delegate another processor to process personal information on its behalf, unless it has obtained prior approval from the Transferor.
C. Laws and Practices in the Overseas Recipient’s Jurisdiction
Article 4 of the Standard Contract requires the Parties to take reasonable steps to know the laws and regulations about personal information protection in the Overseas Recipient’s jurisdiction, and ensure that the local laws, regulations and practices will not have a negative impact on the Overseas Recipient’s efforts to perform obligations under the Standard Contract.
D. Individuals’ Rights
As mentioned above, the Standard Contract recognizes “individuals", which has the same meaning as “data subjects" under GDPR, as the third-party beneficiaries. Individuals are entitled to exercise their rights stipulated in PIPL under the Standard Contract.
If the individuals’ personal information has been transferred to the Overseas Recipient and the individuals still wish to exercise their rights stipulated in PIPL, Article 5 of the Standard Contract stipulates that such rights can be exercised against either the Transferor or the Overseas Recipient. If the Transferor cannot deal with individuals’ requests to exercise their rights, it should inform the Overseas Recipient and request its assistance. After receiving requests from the Transferor, the Overseas Recipient is obliged by the Standard Contract to provide it with assistance.
E. Liabilities for the Breach of the Standard Contract
As individuals are recognized as the beneficiaries under the Standard Contract, Article 8 of the Standard Contract provides that:
1. if the Parties are collectively liable for the breach of the Standard Contract, the Parties should be jointly and severally liable to the individuals for damages;
2. if one of the Parties (“Party A”) is held jointly and severally liable for the damages to individuals caused by the other party (“Party B”) because of the breach of the Standard Contract, and Party A’s liability exceeds the portion it should share, then Party A is entitled to recover from Party B for the excess portion; and
3. the Transferor should be held liable for damages caused to the individuals by any breach of the Standard Contract by the Overseas Recipient and assume the responsibility for indemnification. Afterwards, the Transferor is allowed to recover its loss from the Overseas Recipient.
F. Applicable Laws and Dispute Resolution
The Standard Contract stipulates that the Chinese laws should be applied to the Standard Contract. For dispute resolution, the Standard Contract provides two different methods:
1. Arbitration: The Parties may submit their dispute to one of the following arbitration institutions: (i) China International Economic and Trade Arbitration Commission; (ii) China Maritime Arbitration Commission; (iii) Beijing Arbitration Commission (Beijing International Arbitration Center); or (iv) any other arbitration institution in a jurisdiction which is a signatory to the New York Convention.
2. Litigation: The Parties may bring the dispute in front of a Chinese court which has proper jurisdiction over the matter according to Chinese laws.
Article 9 of the Standard Contract also stipulates that the Standard Contract has the “supreme authority" over any existing contracts between the Parties for the outbound transfer. If the Transferor and the Overseas Recipient have executed any other contract on the matter, articles and clauses of such contract contradicting the Standard Contract will be automatically invalidated.
III. Compliance Tips for the Transferor
The Provisions on Standard Contract provides detailed guidelines on the execution of a Standard Contract. In addition to the obligations stipulated in the Standard Contract, Transferors should pay attention to the following:
A. Before Executing the Standard Contract
1. The Transferor needs to carefully analyze and evaluate its current personal information processing activities and judge whether executing the Standard Contract can be used to satisfy the requirement for outbound transfer. According to Article 4 of the Provisions on Standard Contract, such analysis and evaluation should focus on two aspects: (i) whether the processor is a CIIO; and (ii) the amount of personal information it processes and transfers overseas.
2. The Transferor needs to analyze the following matters as a part of PIPIA conducted before the outbound transfer: (i) measures taken by the Transferor to ensure compliance; (ii) the Overseas Recipient’s protection measures for personal information; (iii) local laws, regulations and practices in the Overseas Recipient’s jurisdiction concerning personal information protection.
3. The Transferor needs to (i) formally conduct a PIPIA according to PIPL and other relevant regulations, (ii) formulate a report, which needs to be submitted to the authority for filing, and (iii) keep the record of the PIPIA. It should be noted that, compared with PIPL, the Provisions on Standard Contract requires more items to be assessed in PIPIA, which include:
a. the legitimacy and necessity of the processing purpose and method of the Transferor and Overseas Recipient;
b. the amount, type and sensitivity of the transferred personal information and possible risks to the individuals’ rights and interests;
c. whether the measures and responsibilities taken by the Overseas Recipient are enough to protect the safety of the transferred personal information;
d. security risks, such as the risks of being exposed, destroyed, tampered with and misused, after the personal information is transferred overseas;
e. whether there is a convenient mechanism allowing individuals to protect their own rights and interests;
f. possible impact on the performance of Standard Contract by the policies, laws and regulations on personal information protection in the jurisdiction where the Overseas Recipient is located; and
g. other matters that may have an impact on the safety of the transferred personal information.
B. After Executing the Standard Contract
1. Filing with the Provincial-Level Cybersecurity Authority
According to Article 7 of the Provisions on Standard Contract, the Transferor must file the executed Standard Contract with the local provincial-level cybersecurity authority within 10 working days after its execution. The Transferor must submit both (i) the executed Standard Contract and (ii) the PIPIA report.
2. Monitoring the Status of the Transfer and Latest Development in the Overseas Jurisdiction
Article 8 of the Provisions on Standard Contract requires the Transferor to execute a new Standard Contract with the Overseas Recipient under the following circumstances:
a. When there is a change in the (i) purpose, (ii) types of involved personal information, (iii) amount, (iv) method, (v) storage period, (vi) storage location or (vii) Overseas Recipient’s processing purpose and method;
b. When there are major changes of personal information protection laws and regulations in the jurisdiction where the Overseas Recipient is located, which may have a major impact on the individuals’ rights and interests; or
c. Other circumstances that may affect individuals’ rights and interests.
That means that the Transferor needs to continuously monitor the status of outbound transfer and the latest legislation development in the jurisdiction where the Overseas Recipient is located.
3. Cooperating with the Authority’s Inspections
The Transferor should cooperate with the authority in responding to its inquiries and provide necessary assistance during the authority’s inspections.
If the local provincial-level cybersecurity authority finds that the outbound transfer activities no longer meet the requirements, the authority will notify the Transferor in writing to mandate termination of relevant outbound transfer activities. In this case, the Transferor should immediately cease such outbound transfer activities upon receiving the above written notice.
IV. Future Outlook
The issuance of the Provisions on Standard Contract marks a major step in China’s regulation on outbound transfer of personal information. However, the Provisions on Standard Contract is still currently a draft soliciting public comments and has yet to be formally promulgated.
That said, to be well prepared for the challenges brought about by the uncertainties down the road, personal information processors, especially those which have the need to conduct outbound transfer of personal information, should pay close attention to legislative developments and seek professional advice, when necessary.
[Note]