China's standard contract for cross-border data transfers released: key implications, Alex Roberts, Tiantian Ke

Knowledge

Welcome to the Knowledge Portal. You can browse, search or filter our publications, seminars and webinars, multimedia and collections of curated content from across our global network. Create an account and set your email alert preferences to receive the content relevant to you and your business, at your chosen frequency.

China’s cyber regulator – the Cyberspace Administration of China (CAC) – today released the final form of the long-awaited Personal Information Export Standard Contract (Standard Contract), together with the Measures on the Standard Contract (Measures).

The Standard Contract and the Measures will take effect on 1 June 2023. A six-month grace period applies from the effective date for organisations to paper in-scope cross-border data transfers.

As a vital tool among the three main mechanisms under the Personal Information Protection Law (PIPL), multi-national corporations have been waiting for this critical development to legitimise international data transfers from China to overseas recipients.

We look at key aspects of final Standard Contract, draw comparisons with the earlier draft, and highlight some of the key implications for business.

Short-hand: China’s SCCs are out and you have 9 months to paper (or repaper!) almost all data exports from mainland China!

No substantial changes compared with the draft version

Compared with the earlier draft released for public consultation in June 2022, the structure and key requirements of the Standard Contract and the Measures remain generally aligned.

Structure: the Standard Contract only has one form, allowing it to be entered into between a personal information processor (akin to a “data controller” under the GDPR) and an overseas recipient. The consistency of the structure compared with the earlier draft standard contract means some question marks remain:
- Can an offshore personal information processor subject to the extraterritorial application of the PIPL similarly adopt the Standard Contract?
- Given the uniformity of terms applicable to offshore personal information processors compared to the light-touch of the GDPR-equivalent clauses, can/will tech and other service providers push for additional contractual protections outside the transfer agreement?
- Since the current structure of the Standard Contract does not allow a China-based entrusted party (akin to a “data processor” under the GDPR) to use the Standard Contract with its overseas recipients, how does it legitimise its necessary transfer activities with the overseas recipients?
Contractual terms: the key terms of the Standard Contract focus on matters including:
- Basic information and contractual obligations of both parties and the technical and management measures taken by them to prevent security risks;
- Details of the export activities including purposes and means of the processing, means of transfer, scale, types, and sensitivity of the exported personal information, information on the onward transferees, and the retention period after the export – detailing data scale and chains of recipients could be operationally difficult for some;
- Impact of policies and regulations on the protection of personal information in the country or region of the overseas recipient on the performance of the Standard Contract – yes mini-TIAs for China data exports are inevitable;
- the rights and related remedies of personal information subjects; and
- other general terms such as termination and liability for breach of contract and dispute resolution.
Limited flexibility: The CAC requires the Standard Contract to be concluded in strict accordance with the form the CAC released. While a data exporter may agree other terms with the overseas recipient in the second appendix to the Standard Contract, these additional terms must not conflict with the Standard Contract. Multinationals global data transfer programs may need to flex rather than the terms governing Chinese data exports.
Filing requirements: Although personal information processors may transfer personal information to the overseas recipients once their Standard Contracts take effect, they will need to file both their Standard Contracts and accompanying reports on personal information protection impact assessments (which are required to be conducted under the PIPL before any cross-border transfer of personal information) with local CACs within ten days from the effective date of the Standard Contracts. The template for self-assessment reports released by the CAC for submissions for regulator-led security assessments may be useful here, but we fear that enterprises will not want to pen 200 pages for each report, as we have seen for some MNCs seeking compliance with this parallel regime.

Important clarification on the separate consent requirement

Albeit there do not seem to have substantial changes since June last year, we observe some positive changes – some of which seem to reflect industry feedback outlined in ASIFMA’s submission letter to the CAC (which we held the pen) during the public consultation process.

One key change that brought a gasp of relief is that the Standard Contract helpfully clarifies that a separate consent must only be obtained when the cross-border transfer of personal information relies on individuals’ consent. This should be the first time that the application of the separate consent requirements has been officially clarified in a governmental document – i.e., if the cross-border transfer of personal information is not based on an individual’s consent but other legal bases set out in the PIPL, then the organisation does not have to obtain a separate consent specific to the data export activities. Customer interfaces and contracts can finally be adjusted with confidence.

Notifying a government access request – a possible conflict of law situation?

One new obligation for an overseas recipient is the obligation to immediately notify the personal information processor, if the recipient receives a data access request from a local government department or judicial authority. Conflicts of laws between two jurisdictions will likely occur since this new notification obligation does not provide any carve-outs: where a notification is prohibited under the law of the overseas jurisdiction, failing to make the notification to the Chinese party would likely constitute a breach of contract, while notifying the Chinese party in accordance with the contractual terms may lead to a violation of the overseas regulatory requirements.

Next steps

Further clarification from the CAC is still needed for many enterprises operating internationally to fully implement their data transfer strategies. In its final form, the Standard Contracts will almost certainly present challenges for all international businesses.

With only three months before the Standard Contracts and the Measure take effect, businesses relying on the Standard Contracts approach for their exports of personal information from China will need to put processes in place rapidly to meet the grace period deadline and the filing requirements.

For a deeper analysis on the substance of updated China Standard Contract and its comparison with the EU SCCs, stay tuned for our next update!

{

The Chinese authorities are pushing implementation of these transfer regimes forward, and the regulatory sanctions for cyber and data non-compliance are increasing.

https://www.linklaters.com/en/insights/blogs/digilinks/2023/january/china---at-a-glance-summary-of-the-new-data-transfer-regime