Comparative Analysis of China SCC and GDPR SCC

On June 30, in order to regulate cross-border data transfer activities (hereinafter "CBDT Activities") and to protect and facilitate the free flow of personal information in a secure environment, the Cyberspace Administration of China (hereinafter "CAC") released the long-awaited Standard Contract Clauses Rules (hereinafter "CAC SCC Rules") and the accompanying Standard Contract Clauses (hereinafter "CAC SCC") for public consultation. As a regulation implementing Article 38 of the Personal Information Protection Law (hereinafter "PIPL"), the CAC SCC Rules are in line with the previously released draft Cross-border Data Transfer Security Assessment Measures (hereinafter "Security Assessment Measures"), the draft Network Data Security Administrative Regulation (hereinafter "Network Data Regulation"), and other regulations governing CBDT Activities, improving the enforceability of Article 38 of the PIPL.

Given that CBDT Activities usually involve the interplay of multi-jurisdictional data protection requirements, this article offers a preliminary analysis of the similarities and major differences between the CAC SCC and the standard contractual clauses under the General Data Protection Regulation (hereinafter "GDPR SCC"), which may be of interest to multinational companies.

I. Overview of the CAC SCC Rules

In order to provide a whole-lifecycle mechanism for applying the CAC SCC, the CAC SCC Rules set out the applicability of the CAC SCC, the requirement to conduct a personal information impact assessment (hereinafter "PIIA"), the ex ante registration obligation with the provincial CAC office, and other legal requirements.

(i) The Applicability of the CAC SCC

Article 4 of the CAC SCC Rules specifies the applicability of the CAC SCC. Only a personal information handler (hereinafter "PI handler") that satisfies all of the following conditions may use the CAC SCC as the legal basis for carrying out CBDT Activities:

1) Not a critical information infrastructure operator;

2) Processes less than 1 million individuals' personal information;

3) Has not cumulatively transferred 100,000 individuals' personal information abroad since the last fiscal year;

4) Has not cumulatively transferred 10,000 individuals' sensitive personal information abroad since the last fiscal year.

The above applicability is consistent with the Security Assessment Measures. Thus, PI handlers who do not meet the above requirements will likely need to rely on another legal basis stipulated in Article 38 of the PIPL, such as passing the security assessment or obtaining the personal information protection certification.

(ii) PIIA Requirements

Pursuant to Article 55 of the PIPL, before conducting CBDT Activities, the PI handler concerned shall conduct a PIIA covering aspects such as the purpose and means of the CBDT Activities; whether the principles of lawfulness, legitimacy, and necessity are satisfied; what the impacts on the rights and interests of the individuals concerned are; and whether the adopted measures are lawful, effective, and appropriate to the identified risks.

Correspondingly, the CAC SCC Rules not only elaborate on the PIIA obligation required by the PIPL but also require PI handlers to submit the PIIA report when filing the executed CAC SCC with the provincial CAC office.

(iii) Registration Obligation to the Provincial CAC Office

Article 7 of the CAC SCC Rules requires PI handlers to register the executed CAC SCC with the provincial CAC office within 10 days of its taking effect. We understand that this registration obligation is a typical means of ex ante supervision, enabling the competent authorities to supervise CBDT Activities in an agile manner and promptly deal with data security risks that may arise. It is worth mentioning, however, that the registration obligation does not appear to directly affect the progress of the CBDT Activities. In other words, the relevant CBDT Activities are premised only on the CAC SCC taking effect, not on the registration process. Besides, considering that changes might occur during the ongoing performance of the CAC SCC, Article 8 of the CAC SCC Rules further sets out situations in which the CAC SCC shall be re-signed and re-registered, such as changes to 1) the purpose, scope, category of personal information and so forth involved in the CBDT Activities, or 2) the laws and policies concerning data protection in the destination.

At the same time, Article 9 requires the competent authorities to comply with a duty of confidentiality, in order to prevent the unlawful disclosure and abusive use of the privacy, personal information, trade secrets, and other confidential information involved in the registration process.

(iv) Major Aspects of the CAC SCC

According to Article 6 of the CAC SCC Rules, the CAC SCC shall stipulate provisions such as the basic information of the contractual parties and the details of the CBDT Activities; the technical and organizational measures taken to address security risks; the impact of the relevant policies and regulations of the destination on the performance of the CAC SCC; the means of protection for the personal information subject (hereinafter "PI subject"); as well as other standard contract terms such as remedies, termination, liability, and dispute resolution. The aforementioned provisions are in line with the Security Assessment Measures as well.

In terms of the specific clauses of the CAC SCC, consistent with Article 6 of the CAC SCC Rules, there are 9 clauses stipulating the rights and obligations of the PI handler, the overseas recipient, and the PI subjects respectively.

With regard to the PI handler, the CAC SCC accurately reflects the legal obligations imposed by the PIPL for CBDT Activities, including but not limited to notifying the PI subject of the overseas recipient's basic information and the details of the CBDT Activities, obtaining separate consent as the legal basis, and ensuring that the overseas recipient meets the data protection requirements under the PIPL.

With regard to the overseas recipient, the CAC SCC does not distinguish its specific data processing role but generally requires it to fulfill obligations such as processing personal information strictly in accordance with the contract, taking effective security measures, notifying PI subjects and supervisory authorities when a data leakage event occurs, and cooperating with the PI handler in fulfilling its obligations under the relevant laws.

Moreover, in terms of PI subjects, the CAC SCC provides safeguards for them by introducing the mechanism of the "third party beneficiary", which enables PI subjects to invoke and enforce the CAC SCC clauses against the PI handler and the overseas recipient, and to exercise the rights granted to them by the PIPL.

II. Comparison between CAC SCC and GDPR SCC

From the perspective of comparative law, the GDPR SCC issued by the European Data Protection Board is a significant reference on this topic. Under Article 46 of the GDPR, reliance on standard data protection clauses adopted by the supervisory authorities is regarded as an appropriate safeguard for legally transferring personal data outside the European Economic Area. On this basis, by enacting the Commission Implementing Decision of June 4, 2021 (hereinafter the "Decision"), the European Commission issued the updated, modernized standard contractual clauses. This latest version of the GDPR SCC is divided into 4 sections and 18 clauses, addressing aspects such as third party beneficiaries, data protection safeguards, protection of the rights of data subjects, use of sub-processors, data subject rights, and liabilities.

Comparing the CAC SCC and the GDPR SCC, we understand that the former not only incorporates common practices that the EU and other jurisdictions have adopted but also sets out unique requirements of its own.

(i) Similarities between the CAC SCC and GDPR SCC

a. Third party beneficiary mechanism

CBDT Activities concern the fundamental rights of data subjects, such as privacy and personal data protection. As a result, both the CAC SCC and the GDPR SCC establish a third party beneficiary mechanism to ensure that the interests of data subjects are not compromised during the transfer. The specific contents are compared as follows:

b. Subject to long-arm jurisdiction through contractual commitments

As we preliminarily understand, neither the GDPR nor the PIPL provides explicit provisions on whether a data importer in a third country or an overseas recipient is directly subject to the GDPR or the PIPL in the CBDT Activities scenario. In practice, the extraterritorial applicability of the GDPR and the PIPL has been discussed at length. Nevertheless, both the GDPR SCC and the CAC SCC shed light on this issue: a data importer in a third country or an overseas recipient commits, by signing the standard contract, to submit itself to the jurisdiction of the EU or China. With regard to the practice in the CAC SCC, we understand it to be China's response to similar requirements in extraterritorial jurisdictions. Details are compared as follows.

c. Assessing the influence of local laws and practices on compliance with the contract

Since the fundamental purpose of the CAC SCC and the GDPR SCC is to ensure adequate protection, both contractual parties must make sure that the security of personal data is not undermined during the CBDT Activities. As a result, the CAC SCC and the GDPR SCC specifically impose a duty to assess the influence of the destination country's laws and practices on the parties' ability to comply with the contract. Details are compared as follows.

(ii) Major differences between the CAC SCC and GDPR SCC

a. Distinctive foundations to set out rights and obligations of contractual parties

The GDPR SCC combines general clauses with a modular approach to cater to various transfer scenarios and the complexity of modern processing chains. In addition to the general clauses, the data controller and data processor involved in the CBDT Activities select the module applicable to their situation, so as to tailor their rights and obligations under the SCC to their data processing relationship. Overall, there are four modules to choose from, namely: 1) the "C-C module" for controller-to-controller transfers; 2) the "C-P module" for controller-to-processor transfers; 3) the "P-P module" for processor-to-processor transfers; and 4) the "P-C module" for processor-to-controller transfers. On this basis, the data exporter and data importer assume different requirements depending on their specific data processing roles.

In contrast, the CAC SCC currently adopts a one-size-fits-all approach to the same issue. Briefly, the CAC SCC does not provide different modules for different data processing situations. Instead, it presumes that the PI handler acts as the personal information exporter and undertakes nearly all requirements under the PIPL concerning CBDT Activities. The overseas recipient, as the personal information importer, in most cases bears the same obligations regardless of its processing role, such as processing within the agreed-upon scope, adopting security measures, and notifying the exporting party and supervisory authorities in case of security incidents. There is, however, one carve-out for an overseas recipient acting as an entrusted processor: it is exempted from directly notifying PI subjects in case of security incidents. Details are compared as follows.

b. Distinctive approaches to prior supervision

According to the Decision, the contractual parties to the GDPR SCC are free to include the clauses in a wider contract and to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the GDPR SCC or prejudice the fundamental rights or freedoms of data subjects. Such additions must, however, obtain prior approval from the data protection authorities. In practice, such tailor-made GDPR SCC are referred to as "ad hoc contracts". Big-tech companies such as Microsoft, Amazon Web Services, and Google have already pioneered the idea of obtaining the approval of the data protection authorities for their own versions of data transfer agreements. The advantage of this approach is that companies enjoy greater flexibility in how they contractually commit to the protection of personal data, allowing them to adopt more realistic contractual obligations that they are less likely to breach.

In contrast, the CAC SCC Rules are silent on whether such a flexible solution is permitted for the CAC SCC, nor do they specify a procedure for obtaining approval of tailor-made clauses. Instead, they require every CAC SCC to be registered with the provincial CAC office within 10 working days of its taking effect.

Based on this observation, we preliminarily understand that, compared with the pre-approval mechanism adopted under the GDPR for ad hoc contracts, the pre-registration requirement under the CAC SCC Rules should be regarded merely as a form of review mechanism, which lays the foundation for the governance of CBDT Activities at a later stage. It does not indicate, directly or indirectly, that the CAC SCC may be revised, nor does it establish a pre-approval mechanism for tailor-made contracts in China.

c. Distinctive strategies towards requests from authorities in destination countries

Pursuant to Clause 15 of the GDPR SCC, during the ongoing performance of the contract, upon receiving any legally binding request from a public authority, including judicial authorities, the data importer shall promptly notify the data exporter and the data subjects, review the legality of the request, and comply with the data minimization principle when disclosing personal data.

Similarly, the CAC SCC pays attention to performance in practice as well. Clause 4.5 of the CAC SCC sets out that, if the overseas recipient is unable to fulfill its obligations under the CAC SCC due to changes in the local policies or regulations related to data protection in the country where it is located (including changes in the law or being subjected to law enforcement actions), it shall immediately notify the PI handler of such changes. In our view, it is the resulting failure to perform, rather than the enforcement action itself, that triggers the notification duty. In other words, an overseas recipient under the CAC SCC is not obliged to inform the PI handler when it receives a binding request from local authorities, unless the request would lead to a failure to perform the contract.

It is worth mentioning that, in terms of the response mechanism to extraterritorial law enforcement actions, Article 41 of the PIPL stipulates that, without the approval of the competent authorities, the PI handler shall not provide personal information stored within the territory of the People's Republic of China to foreign judicial or law enforcement authorities. However, this requirement, read literally, applies only to the PI handler. As a result, it is reasonable to assume that, if the overseas recipient becomes involved in enforcement actions taken by local authorities in the destination, it may be difficult for the PI handler in China to become aware of such action and then promptly assess the impact on the CBDT Activities stemming from it.

d. Distinctive attitudes towards extraterritorial governing law and jurisdiction

With regard to governing law and jurisdiction, the GDPR SCC conditionally allows the contracting parties to adopt the governing law and jurisdiction of a third country. Clause 9.2 of the CAC SCC, by contrast, limits the governing law to the laws and regulations of the People's Republic of China only. Moreover, when disputes arise between the PI handler and the overseas recipient, Clause 9.5 requires them to resolve the dispute only through arbitration or litigation conducted in China.

Moreover, pursuant to Article 4 of the Interpretation of the Supreme People's Court on Several Issues Relating to the Application of the Law of the People's Republic of China on the Application of Laws to Foreign-related Civil Relations, where the laws of the People's Republic of China do not expressly provide that the parties may choose the law applicable to a foreign-related civil relation, and the parties nevertheless choose an applicable law, the People's Court shall hold that choice of law invalid. Since the PIPL and other applicable laws contain no such provision, the CAC SCC Rules, as a supplementary regulation to the PIPL, accordingly limit the governing law to that of China and present a strict attitude towards extraterritorial jurisdiction.

III. Conclusion

Nowadays, technological developments are facilitating CBDT Activities, which are necessary for the expansion of international trade and cooperation. It is crucial to establish an administrative supervision mechanism to ensure that data sovereignty and the fundamental rights of data subjects are not undermined in this process.

With the promulgation of the CAC SCC Rules, a systematic supervision model over CBDT Activities has been proposed in China. During the public consultation period, we look forward to further insights from the general public on this issue, which may further enrich and complete the governance of CBDT Activities in China.
