Much awaited, the finalized version of the Provisions on the Standard Contract for Personal Information Export (the “SCC Provisions”) was released on Feb 24, 2023. The SCC Provisions, containing a form Standard Contract for Personal Information Export (the “Standard Contract”, collectively with the SCC Provisions, “China SCCs”), will take effect on June 1, 2023. Being the “last piece of the puzzle”, the China SCCs are rolled out to implement the existing mechanism for cross-border transfer of personal information (“PI”) out of Chinese mainland (“PI Export”) under the Personal Information Protection Law (the “PIPL”).
I. Background
In the context of the existing PRC legislation and practice, there are broadly two scenarios for PI Export: (a) actual physical export of PI – providing PI collected and generated in the course of operations in Chinese mainland to overseas recipients; and (b) remote access of locally stored PI – providing the right to access and process PI collected and generated in Chinese mainland to overseas recipients while maintaining the PI in Chinese mainland (except for public information and web page visits).
Under the PIPL, a PI processor may conduct PI Export through one of the following three routes, as illustrated in the flowchart below:
- passing the security assessment by the CAC (“Security Assessment”);
- obtaining certification of data protection by a professional body recognized by the CAC (“Protection Certification”); and
- entering into an agreement with the overseas recipient with provisions governing the rights and obligations of the parties based on a template contract to be released by the CAC.
To address each of the foregoing routes, the CAC has subsequently released, respectively:
- the Measures for Data Export Security Assessment (“Security Assessment Measures”), issued on July 7, 2022, and enacted on September 1, 2022;
- the Cybersecurity Standards Practice Guide-Security Certification Specification for Personal Information Cross-Border Processing Activities (“Security Certification Specification”), issued and effective on June 24, 2022 and amended on December 16, 2022; and
- the SCC Provisions (Draft for Comment) and the draft Standard Contract, issued on June 30, 2022 and amended in December 2022.
With the release of the soon-to-be-enacted China SCCs, all three routes for PI Export as articulated by the PIPL are expected to come into full implementation[1]. International companies operating in Chinese mainland are facing new regulatory challenges.
II. General Overview of China SCCs
The SCC Provisions consist of 13 articles and the Standard Contract as an attachment. With the goal of “protecting PI and regulating PI Export”, the SCC Provisions provide specific guidance for adopting the Standard Contract, including the scope of application and filing requirements, the conduct of PI Protection Impact Assessments (“PI PIA”), as well as the grace period. The Standard Contract, which is governed by Chinese law, spells out the obligations of the domestic PI exporter and the overseas PI recipient, the assessment of the impact of PI protection policies and regulations in the country of origin in which the overseas PI recipient is located, the rights and remedies of data subjects, and termination and dispute resolution matters. Notably, data subjects are protected by the Standard Contract as third-party beneficiaries and may exercise their rights and claims against both the PI exporter and the overseas PI recipient.
Set out below are some key points in the China SCCs to watch out for:
1. Scenarios Triggering the Application of China SCCs
A PI processor may conduct PI Export by signing a Standard Contract only if the following four conditions are satisfied: (i) it is not an operator of critical information infrastructure; (ii) it processes the PI of fewer than 1,000,000 people; (iii) it has transferred abroad the PI of fewer than 100,000 people since January 1 of the last year; and (iv) it has transferred abroad the sensitive PI of fewer than 10,000 people since January 1 of the last year.
If any of the aforementioned conditions is not met, the PI processor shall adopt the Security Assessment for PI Export. The China SCCs explicitly prohibit PI processors from circumventing the requirements for Security Assessment by adopting the Standard Contract via segregation of the total volume of data subjects. This is not uncommon in practice – many MNCs may have multiple Chinese affiliates share one domestic server under one affiliate’s name, while all PI on that server could possibly be accessible by the parent company overseas and thus constitute PI Export under PRC law.
2. Filing Requirements and PI PIA
Under the SCC Provisions, PI processors are not allowed to provide PI to overseas recipients until the Standard Contract becomes effective. That said, the SCC Provisions require the PI processor to conduct a PI PIA before PI Export, and then file the executed Standard Contract and the PI PIA report with the provincial CAC within 10 working days from the effective date of the Standard Contract. It’s not clear whether the CAC would conduct a substantive review of the PI PIA report or the executed Standard Contract filed. For clarity, other commercial contracts accompanying the Standard Contract between the parties are not required to be filed with the local CAC together with the Standard Contract.
Notably, the PI PIA report for PI Export should address issues that may affect security of the PI to be exported, including (i) the legality, legitimacy, and necessity of the purpose, scope, and method of processing PI by the PI processor and the overseas PI recipient; (ii) the volume, scope, category, and sensitivity of PI to be exported; (iii) the risks to the data subjects’ rights and interests; and (iv) the impact of PI protection policies and regulations in the country of origin in which the overseas PI recipient is located.
The PI processor must re-conduct the PI PIA, re-sign the Standard Contract or sign amendments, and re-file with the CAC upon the occurrence of the following circumstances that may impact the PI Export during the term of the executed Standard Contract: (i) the purpose, scope, category, sensitivity, method and storage location of exported PI, or the purpose and method of PI processing by the overseas PI recipient has changed, or the retention period of PI stored overseas is extended; (ii) the rights and interests of data subjects will be affected by the changes in the policies and regulations on PI protection in the country of origin in which the overseas PI recipient is located; or (iii) other circumstances that may affect the rights and interests of data subjects.
3. Formality Requirements and Variation of the Standard Contract
The Standard Contract is an independent template contract governing the terms and conditions surrounding PI Export. Unlike other routes for PI Export, signing the Standard Contract for PI Export is not subject to an approval mechanism, but only requires a subsequent filing. As such, the Standard Contract will take effect upon execution. Furthermore, the signatories may agree on additional terms, but the SCC Provisions make it clear that such additional terms shall not conflict with the existing clauses in the Standard Contract.
Unlike the EU Standard Contractual Clauses under the GDPR, the Standard Contract is a unified template contract with no variation for different PI Export scenarios. It does not differentiate PI Export scenarios engaged by PI processor (i.e., PI controller under the GDPR) or entrusted PI processor (i.e., PI processor under the GDPR). Nor will there be any variation for intra-group PI Export among affiliates or PI exported to external third parties.
4. Legal Consequence
Upon the occurrence of security incidents or if any potential high risks in the PI Export have been identified, the SCC Provisions empower the CACs at provincial level or above to interview the PI processor and require rectifications to eliminate potential risks. Other than the foregoing, the SCC Provisions do not formulate any extra consequence, but refer to the PIPL and other relevant rules for legal consequences. Under the PIPL, violation of rules regarding PI Export may lead to rectifications, warnings, confiscation of illegal gains, and suspension or termination of relevant services; if the PI processor refuses to make rectifications, then the PI processor and relevant responsible persons will face a fine.
5. Transitional Period for Previous PI Export
The China SCCs are retroactive and resemble the approach envisioned by the Security Assessment Measures by providing a 6-month transitional period. For PI exported before June 1, 2023, the rectification should be completed within 6 months (i.e., by December 1, 2023). Given that the China SCCs also involve the conduct and filing of the PI PIA, MNCs intending to adopt China SCCs are advised to plan ahead and have a clear work plan.
On a separate note, the introduction of the Standard Contract also sheds some light on the contracts to be submitted for Security Assessment and Protection Certification. This is because Security Assessment and Protection Certification also require filing of a contract between PI processor and overseas PI recipient as the application material.
III. Next Step
Despite the uncertainties and ambiguities in certain clauses, the overall rules of the three PI Export routes are almost available to PI processors. During the transitional period between now and the effective date of the China SCCs on December 1, 2023, MNCs with a business presence in Chinese mainland are advised to:
- review the existing data practice, including the type, nature and quantity of the data generated in Chinese mainland and subject to export (if not yet done), and choose an appropriate route for PI Export;
- collect information to be filled out in the Standard Contracts and prepare the PI PIA reports;
- consider adopting the Standard Contract directly for new contracts involving PI Export (even before the China SCCs take effect) to avoid amending them subsequently; and
- revisit the existing contracts involving PI Export to identify potential conflict between the Standard Contract and the prior signed terms.
[1] The rules pertaining to obtaining a Protection Certification are yet to be operationalized given that the CAC has not yet released a list of qualified institutions that can issue a certification.