China NewsDay- Shanghai May 21, 2023
Author: China-based lawyer Edward Lehman, 20+ years China legal affairs commentator at
www.cgtn.com
Introduction:
China-based lawyers with international law firm, and China lawyers, China based businesses, and foreign businesses with matters related to China all seem to be in a quandary as to changing nature of China data privacy laws policies, and regulations.
The Cyberspace Administration of China (CAC) released the long-awaited Measures for the Standard Contract for Outbound Transfer of Personal Information (China SCC Measures). These measures, along with the finalized version of the standard contract for outbound transfer of personal information (China SCC), are set to come into effect on June 1, 2023. This release has generated considerable interest and speculation regarding its impact on outbound transfers of personal information. To shed light on this topic, China NewsDay conducted a Q&A session with China-based lawyer Edward Lehman, a exapt lawyer and 20+ year legal affairs commentator to China State-run media and
www.cgtn.com
who shares his insights and key highlights of the newly released China SCC Measures.
Q: How does the China SCC compare to the EU Standard Contractual Clauses (EU SCCs)?
Edward Lehman (EL): The China SCC shares certain similarities with the EU SCCs under the GDPR. Both aim to protect the rights of data subjects and establish a jurisdiction for the exporting country through contractual obligations and security requirements. However, there are notable differences. While the EU SCCs follow a four-module approach, the China SCC takes a one-size-fits-all approach, without differentiating between controllers, processors, or sub-processors. This distinction sets them apart.
Q: What is the application scope of the China SCC?
EL: The China SCC applies to outbound transfers of personal information that do not meet the higher scrutiny threshold and are not classified as Important Data under Chinese law. According to the China SCC Measures, it applies if the personal information processor (PIP) meets certain requirements. These include not being a critical information infrastructure operator (CIIO), processing personal information of fewer than one million individuals, and exporting personal information and sensitive personal information cumulatively within specific quantitative thresholds.
Q: What compliance actions are required under the China SCC Measures?
EL: If the transfers do not meet the criteria mentioned earlier, data exporters must undertake a CAC security assessment or obtain a personal information protection certification. However, the China SCC offers a relatively easier and more straightforward option for exporting personal information. Nonetheless, PIPs must take additional steps to comply with Chinese data privacy laws. These include conducting a personal information protection impact assessment (PIPIA) and filing the standard contract with the local CAC.
Q: What are the key aspects of conducting a PIPIA?
EL: According to the Personal Information Protection Law (PIPL) and the China SCC Measures, a PIP must conduct a PIPIA before exporting personal information outside of China. The PIP needs to assess the risks associated with the export, including regulatory risks in the recipient country. The extent of assessment regarding the regulatory risks of the recipient country is still unclear. If it follows the Transfer Impact Assessments under the GDPR, assessing the recipient country’s legal regime could be time-consuming and subject to unpredictable regulatory risks.
Q: What is the filing process for the standard contract (SCC)?
EL: According to the China SCC Measures, a PIP must file its SCC with the local CAC within 10 working days after the SCC takes effect. This filing process is not a prerequisite for the SCC to become valid, but the local CAC may conduct substantive reviews to ensure compliance with the China SCC. The level of scrutiny and review process by the local CAC is currently unknown. Parties may consider keeping the China SCC separate from international data transfer agreements to allow for separate filing.
Q: What are the requirements for onward transfers of personal information to offshore third parties?
EL: Article III.8 of the China SCC imposes strict requirements for onward transfers to third parties outside of China. These requirements are less flexible compared to the EU SCCs. Onward transfers must be necessary for the business, accompanied by full disclosure to data subjects, subject to separate written consent, covered by a re-transfer agreement, and provide data subjects with a copy of the re-transfer agreement upon request.
Q: How are disputes resolved under the China SCC?
EL: The China SCC grants individual data subjects the status of third-party beneficiaries, allowing them to assert their rights or claims against the PIP and the offshore recipient. Dispute resolution can be through arbitration in China, arbitration in a New York Convention country, or litigation in China. However, even if the parties agree on arbitration in a New York Convention country, individual data subjects can file lawsuits in Chinese courts, potentially derailing the agreed dispute resolution mechanism.
Conclusion:
The release of the China SCC Measures provides a path for outbound transfers of personal information from China for China lawyers, international lawyers, China based businesses and foreign business that work with China. While sharing similarities with the EU SCCs, the China SCC adopts a unique approach. It is crucial for companies engaged in outbound transfers to understand and comply with the requirements, including conducting PIPIA, filing the SCC, and ensuring compliance with onward transfers. The relatively short timeline for rectification presents a challenge, emphasizing the need for prompt action.
For more information, please contact mail@lehmanlaw.com or visit
www.lehmanlaw.com