On 30 June 2022, the Cyberspace Administration of China (CAC) released the long-awaited draft Personal Information Export Standard Contract (Standard Contract), together with the Standard Contract Provisions (Provisions), for a one-month public consultation. Once implemented, the Standard Contract is anticipated to be a vital tool enabling international transfers of personal information out of mainland China.
Regulatory background
Influenced by the EU GDPR’s Standard Contractual Clauses (SCCs) approach, signing a Standard Contract with an overseas data recipient is integral to one of the three key transfer mechanisms under China’s Personal Information Protection Law (PIPL).
Legislation for the other two mechanisms remains unsettled. In particular, the CAC published the Draft Measures on Data Export Security Assessment (Security Assessment Measures) for public consultation in October 2021, but a new iteration is still awaited. Although the National Information Security Standardisation Technical Committee finalised guidance on the personal information cross-border processing certification regime just a few days ago, this guideline has no binding effect and lacks the detail needed to make it operable.
Nevertheless, the draft Standard Contract, which was expected to be the most business-friendly method for data exports from China, had been absent – until yesterday!
One-stop-shop structure?
The Standard Contract has only one form, and it can be entered into only between a personal information processor (PI Processor) as defined under the PIPL (i.e. a party which can independently decide on the purposes and means of personal information processing activities, which is akin to a data controller under the GDPR) and an overseas recipient. This appears to be a radically different approach from the GDPR’s four-module approach, which allows transfers between parties playing different roles (namely, controller to controller, controller to processor, processor to sub-processor, and processor to controller), and from the two sets of recommended model contractual clauses adopted in Hong Kong SAR.
Can the proposed one-stop-shop structure under the Standard Contract work in practice, covering various processing scenarios?
In particular, the PIPL also adopts a concept similar to a data processor under the GDPR, i.e. an “entrusted party” that processes personal information on behalf of a PI Processor. If a China-based entrusted party (e.g. a data analytics service provider) intends to export personal information to an overseas recipient in order to perform the processing entrusted to it by the PI Processor, can the entrusted party use the Standard Contract to enable these exports? The current terms of the Standard Contract do not neatly accommodate the fact that the entrusted party is conceptually an extension of the PI Processor, leaving few options that would not impose an additional compliance burden on the PI Processor.
Similarly, it remains to be clarified whether an offshore PI Processor subject to the extraterritorial application of the PIPL can utilise the Standard Contract. This is a key consideration for platforms, banks and other businesses that leverage advances in digital technologies to provide goods and services into China on a cross-border basis.
Conditions for use: not applicable to all types of data exports
The Provisions limit the use of the Standard Contract to a PI Processor that (i) is not a critical information infrastructure operator, (ii) processes personal information of fewer than 1 million individuals, (iii) has not exported personal information of more than 100,000 individuals cumulatively since 1 January of the preceding year, and (iv) has not exported sensitive personal information of more than 10,000 individuals cumulatively since 1 January of the preceding year. Echoing the triggers for a mandatory data export security assessment proposed under the draft Security Assessment Measures, these conditions envisage that only businesses that would not be subject to a government-led security assessment could rely on the Standard Contract to export data.
While the conditions helpfully fill a gap in other rules by clarifying that the period over which data transfers must be aggregated is limited to at most 24 months, existing concerns about these relatively low thresholds continue. Some international healthcare providers, medical device manufacturers, financial institutions and luxury goods brands may easily exceed the threshold amounts above, meaning they would be unable to utilise the Standard Contract.
Substantive obligations: GDPR aligned?
Perhaps good news for multinational corporations that already comply with GDPR standards and the EU SCCs is that a large proportion of the substantive obligations under the Standard Contract is aligned with the GDPR.
The key terms of the Standard Contract essentially focus on:
- the basic information of the PI Processor and overseas recipient;
- the purposes, scope, types, sensitivity, quantity, means, retention period and storage location of personal information to be exported out of China – albeit that restrictions on overseas retention could cause a conflict of laws issue for overseas recipients;
- the responsibilities and obligations of the contracting parties, and the technical and management measures taken by them to prevent security risks – query, however, if international security standards will be recognised;
- the impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on compliance with the terms of the Standard Contract – similar to the post-Schrems II requirement of a transfer impact assessment on a personal data export outside the EU;
- data subjects’ rights, and the ways and means to protect these rights; and
- other general terms such as remedy, termination, liability and dispute resolution.
A certain level of flexibility can also be seen in the CAC’s draft. In particular, there is a blank Appendix II where the contracting parties to the Standard Contract can agree on extra provisions so long as these do not contradict the Standard Contract or prejudice the rights of data subjects. This should help multinationals reconcile China and international transfer agreements.
What’s next?
If the Provisions are to be implemented in the current form, PI Processors will need to file both their Standard Contracts and reports on personal information protection impact assessments (which are required to be conducted under the PIPL before any data exports) with local CACs within ten days from the effective date of the Standard Contracts. Platform businesses and other organisations likely to sign a significant volume of these agreements will need to put processes in place in advance.
As hinted at above, the Standard Contracts do present challenges for international businesses. Tech and other organisations that are likely to use this mechanism are encouraged to consider submitting comments to the CAC before the consultation period ends on 29 July 2022.
For a deeper analysis on the substance of China’s Standard Contract and its comparison with the EU SCCs, stay tuned for our future updates!