July 4, 2022
On June 20, 2022, the Cyberspace Administration of China (“CAC”) issued the draft provisions of the Standard Contractual Clauses (“SCC”), which will govern and set out the legal framework for the cross-border transfer of personal information (“SCC Draft”). The SCC Draft is influenced by the European General Data Protection Regulation (“GDPR”) and clarifies how entities should legally secure personal information transfers outside China.
Until now, any transfer of personal information out of China would be subject to a government authorization and security assessment (e.g., clinical trials’ results required the grant of government permission, SaaS solutions with hosting servers out of China required a government confirmation, etc.). Thus, enabling a contractual safeguard as an option for transferring personal information might be helpful for many businesses.
Article 38 of the new Personal Information Protection Law of the People’s Republic of China (“PIPL”) sets out three mechanisms to ensure a lawful transfer of personal information outside of China: (i) successful completion of a security assessment conducted by the government; (ii) obtaining certification by an authorized governmental certification scheme; or (iii) implementing a standard contract with a third party based outside of China and receiving the data. In an explanatory note, the CAC states that the parties relying on the SCC may negotiate additional terms and attach them as an additional annex to the contract. However, it is unclear whether the SCC template may be revised or will need to be signed “as is.”
Companies must meet all of the following requirements; otherwise, the SCC cannot be used (if such requirements are not met, CAC’s security assessment must be conducted):
The key factors for determining whether a transfer triggers a security assessment of cross-border data transfer or whether the transfer can be subject to the SCC are as follows:
If the data transfer does not satisfy any of the above conditions, the entity cannot rely on SCC. Instead, a CAC-conducted security assessment must be carried out for overseas data transfer.
It should be noted that, concerning conditions 2 and 3 above, the PIPL defines “processing of personal information” in a manner that includes “storage” and “cross-border provisions.” Taking into account that most entities have their own user base and engage in cross-border activities, this might trigger a security assessment, and many entities will not be able to rely on the Chinese SCC Draft.
Furthermore, similar to the four annexes attached to the European Standard Contractual Clauses under the GDPR, according to the SCC Draft, the Chinese SCC must include the following provisions:
Within 10 days after the SCC becomes effective, the entity is required to submit a file to the CAC containing the following: (i) the executed SCC; and (ii) a report that includes the personal information protection impact assessment conducted concerning the transfer, which is required to be carried out before transferring personal information overseas. The requirement is similar to the transfer impact assessment (“TIA”) requirement under the GDPR.
The European SCC do not need to be filed with the Commissioner (as opposed to other binding rules that should be under Chapter V of the GDPR). However, the Chinese SCC will need to be filed with the CAC, and a new SCC shall be signed and filed with the CAC if the following changes occur:
The CAC has significant authority to suspend personal information transfers of entities in cases of non-compliance with the law, which constitutes a higher incentive for compliance than the traditional risk assessment of receiving fines from the competent authority.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
Please let us know if you have any further questions,
APM Technology and Regulation Team.