What you need to know about China’s Draft SCCs for Data Export

On 30 June 2022, the Cyberspace Administration of China (“CAC”) released a draft of the long-awaited standard contract for personal information export and an accompanying regulation (“Standard Contract Regulation”) for public consultation.

In this article, we highlight the key provisions of the draft standard contract and relevant regulation and set out our observations on the proposed measures.

Background

Article 38 of the Personal Information Protection Law (“PIPL”) (For our comments on the PIPL, please click here) provides for three routes for personal information processors (“PI Processors”)[1] to export personal information (“PI”), namely:

• passing a governmental security assessment that is required for critical information infrastructure (“CII”) operators and organisations that process personal information reaching a certain threshold amount (“Thresholds”) specified by the CAC (“Governmental Assessment”);
• attaining a personal information protection certification (“Certification Regime”) by an institution accredited by the CAC; or
• entering into a standard contract (“Standard Contract”) with the foreign recipient, which is to be formulated by the CAC.

The CAC released the Measures of Security Assessment for Data Export (“Security Assessment Measures”) in July 2022, which set out in more detail the Thresholds and the procedures of the Governmental Assessment. (For our comments on the Security Assessment Measures, please click here).

In June 2022, the National Information Security Standardization Technical Committee released the Technical Specification for Certification of Personal Information Cross-border Processing (“Certification Specification”), which is the first attempt to provide more guidance on implementing the Certification Regime (For our comments on the Certification Regime, please click here).

Whilst the Governmental Assessment is compulsory for certain PI processors, most other PI processors will not be able or willing to go through the process for various reasons. The Certification Regime appears to be designed for intra-group transfers between entities of the same group or organisation, but the Certification Specification has not provided enough authority or guidance for the regime to be operational. The requirements under Certification Specification may also render the Certification Regime less attractive to multinational companies and international organisations.

The Standard Contract is therefore expected to be the most commonly-used route for data export by the PI processors. The draft Standard Contact and the draft Standard Contract Regulation provide us with a preview on the proposed regime in China.

Key provisions and observations

I. When to use Standard Contract?

Under the PIPL, the PI Processor may consider using the Standard Contract as its route for exporting PI, only if the proposed export is not subject to the Governmental Assessment.

The Security Assessment Measures lay down detailed scenarios where the Governmental Assessment applies to data export, which include:

1. export of important data;
2. export of personal information by CII operators;
3. export of personal information by a data processor that processes personal information of 1,000,000 individuals or more;
4. export of personal information by a data processor that from 1 January of last calendar year in aggregate exports (i) personal information of 100,000 individuals or more or (ii) sensitive personal information of 10,000 individuals or more; and
5. such other circumstances as designated by the CAC.

Therefore, the PI Processor will not be able to use the Standard Contract in the above scenarios, where personal information is exported. This is also confirmed by the Standard Contract Regulation.

II. Who can use Standard Contract?

The draft Standard Contract Regulation refers to the exporter as the “PI Processor”, which is in line with the PIPL. Apparently, neither the PIPL nor the draft Standard Contract Regulation contemplates that the restrictions on data export will apply to exporters who are entrusted by the PI Processor with processing PI (“Entrusted Parties”), the equivalent of a data processor under the GDPR. The Security Assessment Measures take a similar position where only an exporter that is a PI Processor is eligible for the Governmental Assessment. It is not clear whether it is the intention of the authorities or a loophole that the Entrusted Parties will be exempted from the data export regulatory regime.

Unlike the standard contractual clauses (“SCCs”) approved by the European Commission, the draft Standard Contract does not provide for different modules suitable for transfers between different types of exporters and importers according to their roles as a PI Processor or an Entrusted Party in the data processing activities. On the other hand, the draft Standard Contract does not differentiate the role of the data importer as a PI processor or an entrusted party. The data importer is defined as the organisation or individual located outside China who receives PI from a PI processor.

In summary, a data exporter that is a PI Processor may use the Standard Contract to export personal information to a data importer that is either a PI Processor or an Entrusted Party.

One question that will arise is who will be appropriate signatories to the Standard Contract, for example, when the PI Processor exports personal information via an Entrusted Party in China or when the data importer receives the PI via an Entrusted Party outside China. Should all the parties involved in the processing activities sign the Standard Contract or should the parties that transfer and receive the data do that? In the absence of clear guidance from the authorities, we expect to see different interpretations in practice.

III. PIPIA and Transfer Impact Assessment

Personal information protection impact assessment (“PIPIA”)

The PIPL requires a PI Processor to conduct a PIPIA for, amongst others, exporting PI and keep a record for that. The draft Standard Contract Regulation further provides for key aspects that a PIPIA for data export must cover, including:

1. the legality, legitimacy and necessity of the purpose, scope and means of the processing by the data exporters and the data importers;
2. the amount, scope, types and sensitivity of the PI to be exported and the risks to the PI rights and interests of individuals;
3. the responsibilities and obligations of the importers and whether their organisational and technical measures and capability can ensure security of the PI to be exported;
4. risks of the PI being leaked, destructed, altered without authorisation or abused and the effectiveness of the channels for individuals to exercise their rights to PI;
5. the impact of the PI protection policies, laws and regulations of the country or region where the data importers are located upon the performance of the Standard Contract; and
6. other matters that may impact security of PI export.

So far, the authorities have not published any guidelines on how to conduct the PIPIA. The National Information Security Standardization Technical Committee has published two drafts of guidance on PI export security assessment but has yet to finalise the guidance. It also published recommended national standards on conducting personal information security impact assessment in 2020, but with the effectiveness of the PIPL in 2021 these standards will need to be updated if those were to be used for the purpose of the PIPIA.

Transfer Impact Assessment (“TIA”)

The concept of a TIA originates from the European Court of Justice in its Schrems II decision, where a data exporter is required to, with the assistance of the importer, (i) verify whether the law of the third country of destination ensures adequate protection (under the EU law) of PI being transferred pursuant to the SCCs; and (ii) provide additional safeguards to those offered by the clauses if the protection is not adequate.

European Data Protection Board in its guidance requires a data exporter to assess whether the laws and practices in the third country of destination may impinge on the effectiveness of the safeguards adopted by the data exporter and specifies the necessary components of the assessment.

Under clause 14 of the new SCCs approved by the European Commission in 2021, the data exporters and importers are required to warrant that (i) the laws and practices of the third country of destination do not prevent the data importer from fulfilling its obligations under the SCCs; and (ii) they have taken specific factors into consideration and agree to document the assessment for inspection by the authorities. The importers must also represent that it has made its best efforts to provide the data exporter with the relevant information. As a result, the TIA has become a standard process for export of PI from the European Economic Area (“EEA”) to a country outside the EEA that is deemed to not have provided adequate level of protection.

Under the draft Standard Contract Regulation, the PIPIA will also include assessment of the impact of the PI protection policies, laws and regulations of the country or region where the data importer is located upon the performance of the Standard Contract.

Clause 4 of the draft Standard Contract requires the data exporters and importers to warrant that:

1. they are not aware of any PI protection policies, laws or regulations of the country where the data importers are located will prevent the data importers from performing the Standard Contract, including any requirement to provide PI to or grant authorisation of access to PI granted to the public authorities; and
2. they have taken into account the following considerations when giving the warranty in item i above, including:

a. details of the export, including, amongst others, whether the importers have received request from public authorities to provide PI and how the importers responded to the requests;

b. the key factors of the PI protection policies, laws and regulations of the country or region where the data importers are located, including

i. the PI protection laws, regulations and applicable standards;

ii. the regional or global PI protection organisations such country or region has joined and the undertakings it has given; and

iii. the mechanism for implementing PI protection, e.g. whether there are PI protection supervisory authority and relevant judicial bodies; and

c. the security management system and technical security capability of the data importers.

The data importers must represent that they have used their best efforts to provide necessary information to the data exporters. Both the data exporters and importers must record the assessment process and results in writing, which gives rise to a formal contractual obligation to conduct a TIA.

The requirements for TIA under the GDPR and the draft Standard Contract Regulation are quite similar, except that in China the TIA will likely be made part of the PIPIA for data export. The exporters are expected to file the signed Standard Contract and the PIPIA report with the provincial level CAC within ten business days of the Standard Contract taking effect.

IV. Third-party beneficiary

The data exporters must undertake in the Standard Contract to notify the individuals that they have been made third-party beneficiaries unless they expressly refuse within 30 days of being notified. The data exporters will now need to make sure that they have included in the privacy notice content on third-party beneficiaries and contact details, via which the individuals express their objection.

In addition, as third-party beneficiaries, individuals are given the rights to enforce the obligations of the data exporters and importers under the Standard Contract. In particular,

1. Individuals have the rights under the PIPL and other relevant laws, such as the right to information, right to restrict or refuse processing, etc;
2. Individuals have the right to exercise rights (in above item i) in respect of the PI exported by requesting the data exporters (with assistance of the importers) or data importers to take actions;
3. The data importers must respect and realize the rights exercised by the individuals within a reasonable time period and notify the individuals of the relevant information in a conspicuous and clear manner; and
4. Individuals have the right to request either the exporters or the importers to perform any obligations relevant to their PI rights, which include the majority of the obligations under the Standard Contract.

To enforce their rights in a dispute with the data exporters or the importers, individuals may elect to (i) file a complaint with the supervisory authority or (ii) lodge a lawsuit against the parties to the Standard Contract in accordance with the Chinese laws. Individuals are entitled to damages from the party that infringes the rights of the individuals as a result of a breach of the Standard Contract.

Where the individuals decide to bring a lawsuit against the parties to the Standard Contract, the court of competent jurisdiction will be determined by the Chinese civil procedure laws. It is worth noting that the enforcement of a Chinese court judgement may be difficult outside China and that the exporters are liable for losses caused to the individuals by the data importers under the draft Standard Contract. As such, the individuals are more likely to bring civil actions against the data exporters.

V. Onward transfers by data importers

Data importers are obliged not to provide the PI to a third party located outside China unless the data importers have:

1. genuine business needs;
2. notified individuals of the details of the transfers and obtained their separate consent or written consent unless otherwise exempted by laws and regulations;
3. entered into a written agreement with the third party to ensure that the protection level of the third party is no lower than that as prescribed by the Chinese laws and regulations and agreed to be held jointly and severally liable for any harm to the individuals; and
4. provided a copy of the written agreement to the individuals.

The use of the word “provide” seems to indicate that both the data importer and the third party receiving the PI are PI processors. This interpretation is in line with the way that PIPL uses the word “provide” to indicate sharing by a PI processor with a separate one.

The Standard Contract goes on to require the data importer that is an Entrusted Party of the data exporter to obtain consent of the data exporter before sub-entrusting a third party for processing.

It appears that the Standard Contract imposes different requirements on data importers that are separate PI Processors and those that are the Entrusted Parties of the data exporter.

VI. Other notable provisions

Reporting obligations of data importers

In the event of a data breach, the data importers are obliged to not only notify the data exporters but also the supervisory authority of China in accordance with the Chinese laws. Individuals must also be notified where required by applicable laws and regulations.

The provisions have extended the reporting obligations under the Chinese law to the data importers irrespective of whether the data importers are subject to any extraterritorial effect of the laws.

Arbitration as dispute resolution

The draft Standard Contract allows the parties to settle their dispute via arbitration, and the parties can also agree upon the arbitration institutions and venues. Notably, the parties may choose an arbitration institution of a country that is a party of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards, which allows for the possibility of having their case heard by a foreign arbitration institution.

Data exporters’ right to information

Data importers are obliged under the draft Standard Contract to provide necessary information to the data exporters to prove the data importers’ compliance with the contract, including allowing the data exporters to access relevant documents or audit the relevant data processing activities. In practice, the parties may would like to further define the scope of the data exporters’ right to information to avoid any potential dispute.

Conclusion

The release of the draft Standard Contract and the relevant regulation marks a step closer toward establishing China mechanism for exporting PI via Standard Contract. Whilst the draft Standard Contract of China bears many similarities with the SCCs under the GDPR, the data importers and exporters should pay attention to the worth-noting differences and consider its compatibility with the current cross-border transfer tools.

[1] A personal information processor is defined as an organisation or individual that independently determines the purposes and means of the processing, akin to the concept of data controller under the General Data Protection Regulation (“GDPR”) of the European Union.