In an effort to protect transfers of personal information from China to other countries, the Chinese Cyberspace Administration (CAC) implemented the Standard Contractual Measures for the Transfer of Personal Information Overseas and the corresponding Standard Contractual Clauses (SCCs), in effect since June 2023.
The Chinese SCCs are relevant not only for companies sending information out of China, but also for foreign companies receiving data from the country, for example through group data transfers or where the foreign enterprise is servicing Chinese companies.
The SCCs' requirements are comparable to those of the General Data Protection Regulation of the European Union (GDPR) but differ in the details.
Signing the Chinese SCCs is therefore not enough for the data importer. Rather, the SCCs provide for various obligations for data importers that only partially correspond to those from the GDPR or the EU SCCs.
Before signing the Chinese SCCs, data importers must adapt or, if necessary, re-implement internal processes to comply with their requirements. Furthermore, there are formal peculiarities when signing the Chinese SCCs.
Background
The SCCs ensure that transfers of personal information from China to other countries are carried out in a secure and privacy-respecting manner, in accordance with the Personal Information Protection Law (PIPL).
An organization that sends personal information outside of China is required to adopt one of three transfer mechanisms. Organizations exporting large amounts of information, including sensitive information, must undergo a security assessment by the CAC. Organizations transferring information to overseas subsidiaries or affiliated companies may obtain a Personal Information Protection Certification from a specialized body.
Beginning in June 2023, organizations that do not meet the criteria for the two above mechanisms can leverage the China SCCs as a valid mechanism to transfer information outside China, provided they meet the requirements enumerated in the Measures for the Transfer of Personal Information Overseas (they are not a critical information infrastructure operator and do not cross the thresholds for processing personal information or the threshold for transferring personal/sensitive information abroad).
PIPL governs the processing of electronic or recorded personal information that is related to an identified natural person within China’s borders, or outside the territory of China if processing personal information of natural persons within the territory of China.
It provides protections for rights of individual natural persons (“data subjects”) whose personal information is being processed, and corresponding obligations for personal information processors, defined as organizations and individuals that independently determine the purposes and means of processing personal information.
The law's obligations extend to entrusted persons (or data processors) to the extent that such persons may handle personal information on behalf of a personal information processor, for a specific purpose, and for the duration stipulated in an agreement between the parties.
The China SCCs are an extension of the PIPL.
Obligations of the Exporter
Chinese SCCs take a different approach than the EU SCCs, which are modular and outline obligations depending on the relationship between exporter and importer. The China SCCs outline the obligations of the exporter and the overseas recipient generally utilizing one template, not depending on their role and function.
According to the China SCCs, when transferring personal information, the exporter must comply with any requirements of notice to data subjects and consent for international transfers, if applicable.
The exporter is expected to make reasonable efforts to ensure that the overseas recipient undertakes technical and management measures to safeguard the personal information, provide any required documentation to the overseas recipient or the data subjects, and respond to regulatory agency requests.
The exporter is required to conduct personal information impact assessments prior to transferring information outside of China.
The assessment evaluates several aspects surrounding the transfer, such as legality, legitimacy, and necessity of the processing; scale, scope, and sensitivity of information, as well as the potential risks to the personal information and individuals; and obligations and capability of the overseas recipient to safeguard the personal information.
Obligations of the Overseas Recipient
Overseas recipients are expected to process personal information in accordance with the terms of the China SCCs and not exceed the agreed scope of processing unless separate consent is obtained from the personal information subject.
To safeguard personal information, the overseas recipient must adopt technical and administrative measures, limit access to the information on a need basis, comply with the obligations to notify in the event of a data breach, and undertake appropriate remedial measures.
When processing personal information as an entrusted party, the overseas recipient must adhere to the processing purpose and methods agreed upon with the exporter, paying particular attention to the requirements of minimization, purpose limitation, retention, and deletion.
Rights of Data Subjects and Private Right of Action
The PIPL guarantees certain individual rights of data subjects. Though the exporter is primarily responsible for complying with individual requests, the overseas recipient is obligated to assist with responding to such requests, when applicable.
Additionally, the China SCCs recognize data subjects as third-party beneficiaries, and as such data subjects are entitled to directly seek performance of particular obligations by the parties to the SCCs. Data subjects may exercise a private right of action against the overseas recipient, and have their complaint handled by a regulator, or resolved by an applicable court.
Transfer Impact Assessment, Liability, and Enforcement
Parties are required to conduct a transfer impact assessment evaluating the legislation and practices in the country where the overseas recipient is located to confirm that their performance under the contract will not be affected.
This includes conducting necessary assessments of factors related to the processing of personal information, any relevant prior practices, and applicable laws and regulations, as well as the existence of effective mechanisms and remedies for data subjects. According to the China SCCs, both parties are liable for breach of the contractual clauses. Additionally, parties bear civil legal liability towards individual data subjects if they infringe upon their rights. If both parties are jointly liable, the data subject may seek relief from either or both parties.
Sanctions
Chinese data protection law provides for fines of up to 5% of the previous year's turnover for violations of the standards on third-country transfers. This makes the potential fines even larger than under the GDPR, where the maximum amount is 4% of the previous year's turnover.
Woodburn Accountants & Advisors is one of China’s most trusted business setup advisory firms.
Woodburn Accountants & Advisors is specialized in inbound investment to China and Hong Kong. We focus on eliminating the complexities of corporate services and compliance administration. We help clients with services ranging from trademark registration and company incorporation to the full outsourcing solution for accounting, tax, and human resource services. Our advisory services can be tailor-made based on the companies’ objectives, goals and needs which vary depending on the stage they are at on their journey.