On 30 June 2022, China’s Cyberspace Administration (CAC) published draft Standard Contractual Clauses (SCCs) for transfers of personal data outside of China. The SCCs were open for public consultation until 29 July 2022. In this article, we provide an overview of the proposed SCCs and show how they differ from the SCCs of the European Union.
The Chinese draft SCCs
The draft SCCs are based on Art. 38 of China’s Personal Information Protection Law (PIPL), which provides that one tool for the lawful transfer of personal data outside of China is a standard contract approved by the government.
The drafts of China’s SCCs show some similarities to the EU SCCs, but they also include a number of distinctive differences.
Applicability of China’s SCCs
The draft SCCs can only be used to transfer personal data outside of China if the exporting organisation:
- is not a critical information infrastructure operator (e.g. major telecommunications provider);
- processes the personal data of fewer than one million individuals;
- has transferred personal data of fewer than 100,000 individuals since 1 January of the previous year;
- has transferred sensitive personal data of fewer than 10,000 individuals since 1 January of the previous year.
If at least one of the above conditions is not met, the transfer must undergo a security assessment by the government.
Hence, the draft SCCs can only be used by certain organisations. In contrast, EU SCCs can, in general, be used by all controllers and/or processors to transfer data, provided they can comply with the SCCs in practice. Compared to the EU SCCs, the Chinese draft SCCs therefore appear to be applicable in rather limited cases. In particular, companies in industries where data plays a key role would often not be able to rely on the SCCs under the draft’s thresholds.
Transfer impact assessment and notification requirement
While no prior authorisation by the CAC is required to use the SCCs for data transfers, data exporters are required by the draft to submit the SCCs they entered into to the CAC within ten days of the effective date of the contract. A comparable notification obligation does not exist if EU SCCs are used.
Moreover, before any data can be transferred, a personal information protection impact assessment (PIPIA) has to be conducted. When notifying the authority, this PIPIA also has to be submitted.
This impact assessment is similar to the data protection impact assessment (DPIA) required by the GDPR. The assessment shall include, for example, the following elements:
- whether the method and purpose of processing personal data are lawful, justifiable and necessary;
- the impact on rights and interests of individuals and security risks;
- whether the adopted security measures are legitimate, effective, and appropriate in relation to the degree of risk.
In addition, the Chinese SCCs have stricter requirements for onward transfers than the EU SCCs. Onward transfers are prohibited unless all of the following conditions are met:
- there is an actual business need to provide the information;
- the data subject has been informed about the onward transfer and separate consent has been obtained;
- the overseas recipient enters into an agreement with the third party and the third party meets the standard of equivalent protection and would assume joint liability; and
- the responsible party is provided with a copy of the agreement with the third party.
One of the main differences between the EU’s SCCs and China’s draft SCCs is that the CAC plays a more central role under the draft SCCs. Moreover, due to the limited scope of the draft SCCs, their practical relevance also seems to be lower than in the EU.
The consultation process can be expected to be completed in fall 2022. We will keep you updated on changes that might be implemented in the final version of the SCCs.