Comparison of SCC Compliance Mechanism between China and EU
On February 24, 2023, the Cyberspace Administration of China (“CAC”) issued the Standard Contract Measures for the Outbound Transfer of Personal Information (“China SCC Measures”) and formally promulgated the text of the Standard Contract for the Outbound Transfer of Personal Information (“China SCC”). Following the Measures for the Security Assessment of Outbound Transfer of Data (“Assessment Measures”) promulgated on July 7, 2022, the China SCC Measures are another set of specific regulations that the CAC has introduced for the three mechanisms governing outbound transfer of personal information under Article 38 of the Personal Information Protection Law (“PIPL”). They have an important and far-reaching impact on China’s supervision regime for outbound transfer of data and on the compliance approach that enterprises may adopt for their outbound transfer of personal information. On May 30, 2023, the CAC further issued the Guidelines for the Filing of Standard Contract for Outbound Transfer of Personal Information (First Edition), which provide more specific guidance on the filing stipulated in the China SCC Measures and took effect on June 1, 2023.
Because of the multilateral and international nature of personal information outbound transfer, understanding the similarities and differences between China and other major jurisdictions in terms of regulatory rules for personal information outbound transfer will help enterprises carry out their compliance work efficiently. The EU has put in place a relatively advanced system of privacy and personal information protection, which has an important influence on other jurisdictions. In addition, the EU took the lead in using a standard template contract to regulate outbound transfer of personal information. On June 4, 2021, the European Commission issued a new version of the standard contractual clauses for transfer of personal data to third countries (“EU SCC”). This article aims to provide multinational enterprises and other relevant parties with guidance on compliance with respect to cross-border data transfer by identifying and analyzing the similarities and differences between the mechanisms stipulated under the EU SCC and the China SCC.
I. Overview of the Overall Mechanism of Cross-border Transfer of Personal Information under China’s PIPL and EU’s GDPR
With regard to cross-border transfer of data, the EU General Data Protection Regulation (“GDPR”) provides a variety of compliance mechanisms, including adequacy decisions, binding corporate rules (“BCR”) and the EU SCC, and imposes no localized storage requirement on personal information. The PIPL provides that informing the individual and obtaining the individual’s consent is a prerequisite for cross-border data transfer and specifies three compliance mechanisms, namely, security assessment, personal information protection certification, and conclusion of the China SCC with overseas recipients. At the same time, it imposes an obligation of localized storage on critical information infrastructure operators and on personal information processors that process personal information reaching the volume threshold prescribed by the CAC.
The GDPR provides several ways of transferring personal data compliantly from the EU to non-EU countries. One such way applies where the European Commission has determined that the destination of the transfer provides an adequate level of protection: personal data can then be transferred directly to that country or region without additional protective measures. This rule applies only to specifically identified countries[1]. By contrast, if business entities in countries and regions, or international organizations, are not on this “white list”, they must take protective measures so that the personal data to be transferred remains fully protected. Among these protective measures, the two most important are execution of the EU SCC and adherence to binding corporate rules. The BCR are mainly applicable to cross-border transfer of data within multinational corporations.
China’s rules for personal information outbound transfer are based on Article 38 of the PIPL. If a domestic personal information processor needs to provide personal information abroad for business purposes, it shall meet one of the following conditions: (i) passing the security assessment organized by the CAC; (ii) obtaining the personal information protection certification conferred by a qualified organization (such as the China Cybersecurity Review Technology and Certification Center); or (iii) concluding a contract with the overseas recipient in accordance with the China SCC formulated by the CAC. What personal information processors should consider first and foremost is whether their outbound transfer activities trigger the mandatory security assessment. If not, they can choose the more suitable of the two remaining compliance mechanisms: obtaining the personal information protection certification or signing the China SCC with overseas recipients.
II. Comparison between EU SCC and China SCC
1. Different preconditions for application.
The EU SCC applies to the transfer of personal data to a third country, region or international organization that has not put in place an adequate level of protection, regardless of the nature of the transfer, the size of the business or the volume of personal data to be transferred. Therefore, the focus of EU regulation is on whether the destination of the cross-border transfer can provide adequate protection for personal data, rather than on whether the party transferring personal data out of the EU or the party receiving it outside the EU is itself capable of adequately protecting such data.
The PIPL requires personal information processors to take into account the type, scale and importance of the personal information to be transferred, as well as whether critical information infrastructure is involved in the transfer. Personal information processors that intend to rely on the China SCC mechanism must meet four conditions at the same time, namely, (i) not being a critical information infrastructure operator, (ii) processing personal information of fewer than 1 million individuals, (iii) having provided abroad personal information of fewer than 100,000 individuals cumulatively since January 1 of the previous year, and (iv) having provided abroad sensitive personal information of fewer than 10,000 individuals cumulatively since January 1 of the previous year. Therefore, in contrast to the EU SCC, under the China SCC the destination of the personal information does not play a primary role in determining the compliance obligations to be assumed by personal information processors and overseas recipients.
2. Standard terms cannot be modified.
When the EU SCC is applied as a safeguard for cross-border data transfer, its provisions cannot be modified. However, without prejudice to the provisions of the EU SCC, clauses on additional protective measures that do not conflict with the EU SCC may be added.
According to Article 6 of the China SCC Measures, the provisions of the China SCC shall not be amended, and a data transferor and its overseas recipient may agree on other terms in the appendix to the China SCC, provided that the terms in the appendix shall not conflict with the China SCC.
Given that neither the China SCC nor the EU SCC can be modified, and that there are some irreconcilable conflicts between their clauses (such as governing law and the dispute resolution mechanism), where personal information is transferred both from the EU to China and from China to the EU within the same corporation, adding clauses in the appendix to the contract alone will not suffice to satisfy the requirements of both jurisdictions.
3. Both the EU SCC and the China SCC require assessment of the level of personal data protection in the place where the overseas recipient is located and analysis of the impact of the data governance law of the destination country/region on the performance of the contract.
The Schrems II case[2] has shaped the EU’s requirements for assessing the legality of cross-border transfer of personal data. In the wake of the Schrems II case, the European Data Protection Board (EDPB) proposed that the transferor should ensure that the country where the transferee is located can provide adequate protection for personal data, and that the transferor should have no reason to believe that the laws, regulations, policies and practices of the jurisdiction where the overseas recipient is located will affect the performance of the contract. The EU SCC, in Section III, Local Laws and Obligations in case of Access by Public Authorities, provides that cross-border data transfers should be reviewed on a case-by-case basis to ensure that the laws of the jurisdiction where the foreign recipient is located provide adequate protection for personal data transferred from the EU, and that no law, regulation, policy or practice there substantially conflicts with the EU SCC or affects its performance.
Meanwhile, the China SCC system also requires a personal information protection impact assessment (“PIA”). The PIA report must be submitted to the CAC together with the signed China SCC for filing. The China SCC Measures also emphasize that the following content shall be included in the PIA for outbound transfer of personal information: (1) the legality, legitimacy and necessity of the purpose, scope and method of processing personal information by the personal information processor and the overseas recipient; (2) the scale, scope, type and sensitivity of the personal information transferred abroad, and the risks that the outbound transfer may pose to individuals’ rights and interests in that personal information; (3) whether the obligations undertaken by the overseas recipient, together with the recipient’s management and technical measures and its capability of fulfilling those obligations, can guarantee the security of the personal information transferred abroad; (4) the risk of personal information being tampered with, destroyed, disclosed, lost or illegally used after transfer, and whether the channels for safeguarding rights and interests in personal information remain unobstructed; (5) the impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of the contract; and (6) other matters that may affect the security of the personal information to be transferred. The China SCC also requires that the personal information processor and the overseas recipient ensure, with reasonable efforts, that the personal information protection policies and regulations of the country or region where the overseas recipient is located will not prevent the overseas recipient from fulfilling its obligations under the China SCC.
In meeting the above requirements, both parties shall declare that they have considered the specific circumstances of the outbound transfer, the personal information protection policies and regulations of the country or region where the overseas recipient is located, and the security management system and technical tools the overseas recipient has in place.
4. Both the China SCC and the EU SCC establish a mechanism for protecting the rights of third-party beneficiaries.
The cross-border transfer of personal information concerns the vital interests of the personal information subject, so the EU SCC has designed a “third-party beneficiary” mechanism to protect the subject of personal information. This mechanism breaks through the privity of contract, so that the subject of personal information can claim against the processor of personal information or the overseas recipient if the subject’s own interests are prejudiced, although the subject is not a signatory to the EU SCC.
The China SCC sets forth similar provisions for the protection of third-party beneficiaries. As per Article 2 of the China SCC, the personal information processor shall perform the following obligation: (IV) the personal information processor has informed the personal information subject that the subject is a third-party beneficiary to the contract the personal information processor enters into with the overseas recipient, and if the personal information subject does not explicitly reject the status of third-party beneficiary within 30 days, the subject may enjoy the rights of a third-party beneficiary in accordance with the contract. This clause, while clarifying that the personal information subject can exercise the rights of a third-party beneficiary, limits the scope of third-party beneficiaries to the personal information subject.
Under the EU SCC, in addition to the data subject as a third-party beneficiary, Article 9 stipulates that when the recipient outside the EU entrusts its processing activities under the SCC to a sub-processor and the recipient outside the EU ceases to operate or becomes insolvent, the data transferor in the EU can act as a third-party beneficiary to terminate the contract between the overseas recipient and the sub-processor and require them to destroy or return the personal data that has been transferred. This system offers a wider scope of protection than the third-party beneficiary mechanism under the China SCC.
5. The applicable scenarios for transfer are different.
The EU SCC defines four scenarios for cross-border transfer of personal data, namely, data controller to data controller (C-C), data controller to data processor (C-P), data processor to data controller (P-C) and data processor to data processor (P-P)[3].
However, the contracting parties under the China SCC are only “personal information processors” and “overseas recipients”. Based on the China SCC’s requirements on the obligations of “overseas recipients”, such recipients fall into two categories, i.e., the overseas personal information processor and the overseas entrusted party. Therefore, the China SCC currently only covers two types of data processing relationships: personal information processors in China to overseas personal information processors (C-C) and personal information processors in China to overseas entrusted parties (C-P). How the other two scenarios covered by the EU SCC, namely P-P and P-C, will be dealt with under the Chinese regulatory framework remains to be seen.
6. Additional terms and multi-signatory mechanism.
The EU SCC gives the parties to a contract the flexibility to incorporate the EU SCC clauses into a broader agreement (e.g., commercial contracts, user agreements) and to add clauses to the EU SCC as long as such clauses do not directly or indirectly conflict with the EU SCC and do not infringe the fundamental rights or freedoms of data subjects. At the same time, the EU SCC can be signed among multiple parties and allows new signatories to be added over time.
However, under the China SCC, the personal information processor and the overseas recipient are only allowed to include additional terms in the appendix to the contract they enter into, and must ensure such terms do not conflict with the China SCC. At the same time, the China SCC does not provide a multi-party signing mechanism under which new signatories may be added after the contract is concluded. Therefore, in practice, where cross-border data processing involves multiple parties, they may need to sign and file the China SCC with the CAC multiple times.
7. Filing requirements.
There is no mandatory requirement for the EU SCC to be filed, but Article 14 (d) of the EU SCC requires the contracting parties to keep a record of the transfer impact assessment that has been carried out and to submit it to regulatory authorities if required.
The China SCC Measures adopt an ex-ante supervision approach to cross-border transfer of personal information. Article 7 of the China SCC Measures stipulates that the data transferor shall file the signed China SCC with the local office of the CAC within 10 working days from the effective date of the signed China SCC. Article 8 of the China SCC Measures also requires that if there is any change regarding the cross-border transfer of personal information, the contracting parties shall re-sign the contract and file it again. Although enterprises may carry out personal information outbound transfer activities once the China SCC takes effect and before the filing is completed, regulatory authorities still have the right to interview personal information processors and request rectification according to law when they find that such outbound transfer activities give rise to significant risks or that personal information security incidents may occur.
8. Long-arm jurisdiction, governing law and dispute resolution.
The essence of the standard contract, as a data outbound transfer compliance mechanism, is to convert the legal obligations related to data outbound transfer that are originally stipulated by a country’s domestic law into obligations specified in a contract mutually agreed and signed by the parties concerned, so that the overseas recipient becomes subject to the long-arm jurisdiction of that country and the protection standard for personal information after outbound transfer is no lower than the minimum requirements under that country’s national laws. The EU SCC requires the foreign recipient to agree to cooperate with the relevant EU regulatory authority, to respond to inquiries, to submit to audits, and to comply with protective measures (such as compensation for damages and other compensatory measures) required by the regulatory authority. Under Article 17 of the EU SCC, the parties to a contract may, to a limited extent, choose the applicable law (in most cases, the law of an EU member state), but the chosen law must recognize the third-party beneficiary rights of the data subject. With regard to dispute resolution, Article 18 of the EU SCC provides that disputes between the contracting parties shall be resolved by judicial proceedings before the courts of the EU member state chosen at the time of conclusion of the contract.
The China SCC contains provisions similar to the above-mentioned provisions of the EU SCC. The China SCC stipulates that the overseas recipient must agree to subject itself to supervision and management by the Chinese regulatory authority, including but not limited to meeting its requirements, cooperating with its inspections, and complying with the measures taken or decisions made by the regulatory authority, as well as accepting claims made by personal information subjects in China. In terms of applicable law, Article 9 (II) of the China SCC stipulates that Chinese law shall be the applicable law. With regard to dispute settlement, Article 9 (IV) of the China SCC provides that the parties may choose, at the time of conclusion of the contract, to submit disputes to a Chinese court of competent jurisdiction or to an arbitration institution in a member state of the New York Convention.
[Notes]
[1] To date, the European Commission has recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organizations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection. See https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
[2] On July 16, 2020, the Court of Justice of the European Union held in the “Schrems II case” that the surveillance legislation of the United States violated the Charter of Fundamental Rights of the European Union and did not provide effective judicial relief for EU individuals, so the “Privacy Shield” agreement between Europe and the United States was invalid. The judgment stressed the need to ensure that “the same level of protection as the EU” is provided when safeguards such as standard contractual clauses are used for data transfer, and emphasized the necessity for further analysis and case-by-case assessment. See https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf.
[3] A data controller is a legal or natural person, an institution, a public authority or any other body that, alone or together with others, determines the purposes and means of processing personal data. A data processor is a legal or natural person, an institution, a public authority or any other body that processes personal data on behalf of a data controller.