
Chinese SCCs for Data Cross-border Transfer in a Nutshell

Source: 中伦视界; collected and edited by: Jihong Chen (陈际红) et al.

This article provides practical guidance for the implementation of the newly released Chinese Standard Contract.

By: Jihong Chen, Ruxi Sun, Anqi Jiang


1. Legislative background



On February 24, 2023, the Cyberspace Administration of China (“CAC”) released the Measures on Standard Contract for Cross-border Transfers of Personal Information (“Measures”), with the Standard Contract for Cross-border Transfers of Personal Information (“CN SCCs”) as an attachment. The Measures will take effect on June 1, 2023.


Prior to the release of the long-awaited CN SCCs and the Measures, the Measures for the Security Assessment of Data Cross-border Transfer (“数据出境安全评估办法”, “Measures for the Security Assessment”) and the Practice Guideline for Cybersecurity Standards - Specification for Security Certification of Cross-Border Transfers of Personal Information V2.0 (“网络安全标准实践指南—个人信息跨境处理活动安全认证规范 V2.0”, “Specification V2.0”) were released by the CAC on July 7, 2022 and by the TC260[1] on December 16, 2022, respectively. With the release of the CN SCCs and the Measures, all three cross-border data transfer (“CBDT”) mechanisms set out under Article 38 of the Personal Information Protection Law (“PIPL”), namely the CAC security assessment, the Certification and the CN SCCs, are now settled for implementation.


2. How to choose the suitable CBDT mechanism?



Prior to cross-border transfer of personal information (“PI”)[2], a Personal Information Handler (“PI Handler”)[3] should choose an applicable CBDT mechanism among the CAC security assessment, the Certification and the CN SCCs. The following flowchart summarizes, in basically four steps, how PI Handlers can quickly identify the CBDT mechanism suitable for various scenarios[4][5]:

The main comparisons among the three CBDT mechanisms are as follows:


3. Five steps to implement the CN SCCs mechanism



If a PI Handler chooses the CN SCCs as the CBDT mechanism, the following five steps can be taken for implementation:


4. How to carry out CBDT PIA?



Pursuant to Article 55 of the PIPL, PI Handlers shall carry out a PIA before cross-border transfer of PI. Article 7 of the Measures expressly provides that a PIA report is mandatory for the CN SCCs record filing procedures. In other words, PI Handlers that adopt the CN SCCs as their CBDT mechanism must properly conduct the CBDT PIA beforehand.


Given that the regulatory authorities have not yet released a template for the CBDT PIA report under the CN SCCs mechanism, PI Handlers can begin preparing the PIA with reference to the legal requirements specified in the PIPL, the Measures, the Measures for the Security Assessment and the Specification V2.0.


The key points of CBDT PIA therein include the following:


1) Legality, legitimacy and necessity of the purposes, scope, methods, etc. of the data processing by the PI Handler and the overseas recipient;


2) The scale, scope, categories and sensitivity of cross-border transferred data, and assessment of the risk to the legitimate rights and interests of personal information subjects that may be caused by cross-border PI transfer;


3) Whether the responsibilities and obligations promised and undertaken by the overseas recipient, as well as its management and technical measures and capabilities to perform those responsibilities and obligations, can ensure the security of the cross-border transferred PI;


4) The risk of PI being tampered with, destroyed, breached, lost, transferred, or illegally obtained or used during and after the cross-border transfer, and whether the channels for exercising personal information subjects’ rights and interests are unobstructed;


5) The influence of the PI protection related laws and regulations of the country or region where the overseas recipient is located on the performance of the CN SCCs;


6) Other matters that may affect the security of cross-border PI transfer.


5. Comparative Analysis of CN SCCs and GDPR SCCs



Generally speaking, the CN SCCs and the GDPR SCCs both serve as safeguards for CBDT, aim to achieve an equivalent level of protection, and share the same fundamental principles and implementing mechanisms. However, owing to the different provisions of the PIPL and the GDPR, the different understanding of national security and public interests between China and the European Union (“EU”), and the differences in regulatory and enforcement systems, the CN SCCs and the GDPR SCCs have some substantial differences, including but not limited to the following aspects:


[Note] 

[1] TC260 = National Information Security Standardization Technical Committee of China

[2] Personal Information: refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized. (Art. 4, PIPL)

[3] PI Handler: refers to any organization or individual that independently determines the purpose and method of processing in their activities of processing of PI, which is substantially equivalent to the concept of “controller” under the GDPR. (Art.73, PIPL)

[4] CIIO: refers to an operator of important network facilities and information systems in important industries and fields such as public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government and national defense science, technology and industry, as well as other important network facilities and information systems which, in case of destruction, loss of function or leak of data, may result in serious damage to national security, the national economy, the people's livelihood and public interests. (Cybersecurity Law, Art. 31; Security Protection Regulations for Critical Information Infrastructure (“关键信息基础设施安全保护条例”), Art. 2)

[5] Important Data: refers to the data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc. (Art.19, Measures for the Security Assessment of Data Cross-border Transfer)

[6] PIA: refers to Personal Information Protection Impact Assessment, which is substantially equivalent to DPIA under the GDPR. (Art. 55, PIPL)


Jihong Chen


Beijing Office

Equity Partner

Practices: IP Licensing & Enforcement, Cybersecurity & Data Protection, Antitrust & Competition

Industry Sectors: Financial Services, Telecommunications and Technology



Ruxi Sun


Beijing Office

Intellectual Property Department



Anqi Jiang


Beijing Office

Intellectual Property Department




