I. Introduction

With international trade flows boosting, international commercial arbitration is becoming increasingly accepted among parties as an efficient means of resolving international economic and trade disputes, due to its confidentiality, flexibility, speed and enforceability. In the event of non-compliance with an arbitral award by the losing party, it is critical for the winning party to be able to enforce the award against the losing party in accordance with relevant governing law.

There are widespread concerns among the disputed parties on whether the arbitral awards issued outside China can be effectively enforced through Chinese courts. The concerns are mostly due to the lack of knowledge of the Chinese legal system and its practice. This article will provide an overview of the procedure for enforcing foreign arbitral awards under the Chinese legal scheme. It will also briefly touch on the potential grounds for Chinese courts declining to enforce foreign arbitral awards.

Ⅱ.LegalScheme for Recognition and Enforcement in China

The legal framework governing recognizing and enforcing foreign arbitral awards in China is three-tiered, namely, international treaties or agreements signed by China, legislation passed by the National People’s Congress (NPC) and its Standing Committee, and the Opinions or Notices issued by the Supreme People’s Court of China (SPC).

  • New York Convention

In 1958, the Convention on the Recognition and Enforcement of Foreign Arbitral Awards (“New York Convention”) was signed at the United Nations Conference. There are over 150 contracting states to the New York Convention which provides conditions for contracting states to recognize and enforce foreign arbitral awards. It officially came into force in China on 22 April 1987.

China made two reservations when joining the New York Convention. One is that the Convention applies only to the recognition and enforcement of awards made in the territory of another contracting State. It is known as “reciprocity reservation”. The other one is that the Convention is to be made only to the differences arising out of legal relationships, whether contractual or not, that are considered “commercial” under national law. It is known as “commercial matters reservation”.

  • The Civil Procedure Law

The Civil Procedure Law of PRC sets down the principles for the recognition and enforcement of foreign arbitral awards within China’s civil procedural legal system. Article 290 of the Civil Procedure Law stipulates that where an arbitral award of a foreign arbitration institution needs recognition and enforcement by Chinese courts, the parties involved should apply directly to an Intermediate People’s Court at the location of the respondent’s residence or the location of the respondent’s properties. The court would handle the matter under international treaties (i.e. New York Convention) concluded by China or under the principle of reciprocity. Once granted after review and examination by a Chinese court, the enforcement shall be executed under the procedure stipulated in the Civil Procedure Law.

  • Notices issued by SPC

To facilitate the implementation of the New York Convention in China, SPC issued a Notice on Enforcement of the Convention on the Recognition and Enforcement of Foreign Arbitrational Awards in 1987 (the “1987 Notice”), which clarifies the rules applicable to the New York Convention including jurisdiction, filing deadlines, standards of review for recognition and enforcement, etc.

To further clarify the rules on recognizing and enforcing foreign arbitrational awards, a Notice on Relevant Issues of the People’s Court Dealing with Foreign Arbitration was issued by SPC in 1995 and was further revised in 2008 (the “2008 Notice”). It clarifies the circumstances under which Chinese courts may refuse to recognize or enforce foreign arbitral awards. Additionally, it also strengthens the supervision of local courts on recognizing and enforcing foreign arbitral awards by establishing an internal reporting system. Under this reporting system, when an intermediate court is inclined to refuse to recognize or enforce a foreign arbitral award, it is required to report to the People’s High Court (appellate court) for further review. If the People’s High Court has the same inclination, the case has to be submitted to SPC for final review and examination before a refusal of the application can be issued. From this Notice, we can conclude that the attitude of Chinese courts is still dominated by ruling in favour of recognition and enforcement of foreign arbitral awards.

Ⅲ.Recognition and Enforcement Procedure

The party to an arbitral award can file the application with an Intermediate People’s Court that has jurisdiction. If the respondent is a natural person, the party seeking recognition and enforcement shall apply with the Intermediate People’s Court of the place where the respondent is domiciled in China. If the respondent is a legal entity, the application shall be filed with the Intermediate People’s Court in the location where the principal place of business of such legal entity is situated. Alternatively, the application can be filed with the Intermediate People’s Court of the place in which the respondent’s property is located.

Technically speaking, recognition and enforcement are two separate proceedings that can be dealt with by the same court. In practice, the recognition proceedings are heard by the Civil Division of the Intermediate People’s Court which manages cross-border legal issues. Upon a successful application for recognition, the Enforcement Division of that court will handle the enforcement procedure thereafter.

Pursuant to Article 4 of New York Convention, the applying party should supply the Chinese court with the authenticated award (or certified copy), the original agreement that includes the arbitral clause or an arbitration agreement (or certified copy). If the said award or agreement is not made in Chinese, the applying party shall provide a translation of these documents. The translation shall be certified by an official or sworn translator or by a diplomatic or consular agent.

Regarding the time limit for the application, pursuant to Civil Procedure Law[1] and the Interpretation on Civil Procedure Law[2] issued by SPC, the application shall be submitted within two years, calculated from the last day of the performance period specified in the arbitral award. If the award did not contain any performance period, the party should be given a reasonable period to perform. Thus, it would be more reasonable to calculate from the second day of service of the arbitral award on the party, rather than from the date of issuing the arbitral award[3].

It is worth noticing that there have been cases in practice where enforcement applications have been dismissed outright for exceeding the application deadline. Therefore, it is recommended that the successful party in the arbitration takes the initiative to apply for recognition and enforcement of the award as soon as it becomes available, leaving the losing party little time to create obstacles for the enforcement.

IV.Property Preservation Measure During Recognition and Enforcement Procedures

As a temporary measure taken by the Chinese courts in civil disputes, the function of property preservation is to guarantee the effective enforcement of judgments by freezing and seizing the assets of the respondent before the final decision/judgment is delivered, to prevent the respondent from transferring its assets during the proceedings.

Even though property preservation is a common method utilized in civil litigation in China, it remains controversial whether the courts should grant this interim measure in recognition and enforcement of foreign arbitral awards proceedings. Neither New York Convention nor domestic laws or notices issued by SPC has provided clear guidance on this issue. Due to the blankness of international and domestic laws on this issue, some courts have rejected the property preservation application with the view that such an application lacks legal grounds[4]. Nevertheless, there are cases where the courts have granted property preservation applications in recognition and enforcement of foreign arbitral awards proceedings, taking into account the original design intention of the property preservation system.[5]

In practice, different courts may make different rulings and it is a case-by-case situation. We anticipate direct guidance will be provided through legislation at the domestic level to resolve the dilemma.

V.Grounds of Denial: Conditions Affecting Enforcement

Article 4 of the 1987 Notice and Article 5 of the New York Convention set out the following circumstances in which the courts may refuse an application for recognition and enforcement of a foreign arbitral award:

First, the arbitration agreement or clause is entered into by a person with limited capacity or is void under the applicable laws. Second, there are violations of due process in arbitral proceedings. For example, the party against whom the award is invoked was not given proper notice of the appointment of the arbitrator or of the arbitration proceedings or was unable to present his case for reasons not attributable to that party. Third, the dispute settled by the award was exceeding arbitral authority. If the award deals with a difference not contemplated by or not falling within the terms of the submission to arbitration, the court may refuse to recognize or enforce the award. Fourth, the improper composition of the arbitral tribunal would result in a denial of recognition or enforcement of an arbitral award. Fifth, the award has not yet become binding on the parties or has been set aside or suspended by a competent authority of the country in which that award was made. Sixth, recognition and enforcement of an arbitral award may be refused if the subject matter over which the two parties disagree is not capable of settlement by arbitration under the law of China.  For example, disputes arising from marriage, adoption, and guardianship are expressly excluded from arbitration by the Arbitration Law in China. Seventh, the application shall be refused if the recognition or enforcement of the award would be contrary to the public policy in China.

The first five circumstances will only be examined by the courts upon the request of a party. However, the last two circumstances (arbitrability and public policy) are reviewable by the Chinese courts ex officio.

Unlike litigation proceedings, when hearing cases of application for recognition and enforcement of foreign arbitral awards, the Chinese courts only examine procedure issues, i.e. whether there is a valid arbitration agreement or clause, whether there are any procedural violations, whether it violates PRC public policy, etc. The Chinese court will not review substantive issues, such as the rights and obligations of the parties. Ensuring the legality of the signed arbitration agreement or clause and the procedure of the arbitration proceedings is therefore crucial to the recognition and enforcement of foreign arbitral awards in China.

VI.Conclusion

Based on our research from the judgement database, there are 243 cases involving recognizing and enforcing foreign arbitral awards from 2001 to 2022, of which only 43 cases resulted in the refusal of recognition or enforcement. The case results yielded show that the refusal is mainly due to procedural defects, with the largest case number involving ineffectual arbitration agreements or procedure defects. The less frequently invoked ground is the violation of public policy.

In recent years, the courts in China have adhered to the strict application principle in refusing to recognize and enforce foreign arbitral awards to create an “arbitration-friendly” environment. It is foreseeable that the judicial environment in China will become more and more favourable to the development of arbitration under the influence of a series of initiatives to support the development of arbitration in China, especially by SPC.

 


[1] Article 246

[2] Article 545

[3] As per the explanation provided by SPC in the Response to the Application for Recognition and Enforcement of Arbitral Award by McCaw Nepton Limited

[4] See Korea Line Corporation v. HNA Group Co., Ltd. (2016) Xiong 72 Xie Wai Ren No.1

[5] See OUELIPPO HEALTH CARE LIMITED v. LIN Gaoshen (2019) Hu 01Xie Wai Ren No.5

Preface

The revised Anti-Monopoly Law of the People’s Republic of China (“New AML”) entered into force on August 1, 2022. The New AML introduces in the second paragraph of Article 60 that “where the monopolistic conduct of an undertaking damages social and public interest, the people’s procuratorate at or above the level of city with subordinate districts may file a public interest civil lawsuit with the people’s courts”, thereby clarifying for the first time the application of civil public interest litigation in anti-monopoly cases at the legalization level.

On the very same day the New AML took effect, the Supreme People’s Procuratorate (“SPP”) issued the Notice on Actively and Soundly Carrying out Public Interest Litigation Prosecution Works in the Antitrust Field in accordance with the Anti-monopoly Law (“Notice”). The Notice underscores that the people’s procuratorate should actively and soundly carry out Public Interest Litigation Prosecution works in the field of anti-monopoly with the focus on the Internet, public utilities, medicine, and other sectors of livelihood security. This article, with a view to facilitating companies to foresee the relevant risks, intends to introduce the system of civil public interest litigation brought by the people’s procuratorates (“Prosecutorial Civil Public Interest Litigation”) and the focal issues of its application in the anti-monopoly field.

Major Issues:

  • The procedural law basis ofProsecutorial Civil Public Interest Litigation.
  • How to determine the jurisdiction of the procuratorates and courts over the anti-monopoly case of Prosecutorial Civil Public Interest Litigation?
  • What procedures shall be completed by the procuratorates in reviewing the anti-monopoly case of Prosecutorial Civil Public Interest Litigation?
  • What investigative techniques can the people’s procuratorate take in Prosecutorial Civil Public Interest Litigation?
  • The differences between hearings in Prosecutorial Civil Public Interest Litigation and thosein the anti-monopoly administrative investigation.
  • The claims that the people’s procuratorate can filein the anti-monopoly case of Prosecutorial Civil Public Interest Litigation.
  • Whether the people’s procuratorate can request the anti-monopoly enforcement authority to initiate an investigation on monopoly behavior.
  • The platform economy has come under the spotlight of Prosecutorial Civil Public Interest Litigation, hence more attention is required on company compliance works in this field.

I. The Procedural Law Basis of Prosecutorial Civil Public Interest Litigation

Pursuant to Article 20(4) of the Organic Law of the People’s Procuratorates of the People’s Republic of China (“Organic Law of the People’s Procuratorates”), the scope of authority enforced by the people’s procuratorates includes “filing public interest lawsuit in accordance with the law”. Article 58 of the Civil Procedure Law of the People’s Republic of China (“Civil Procedure Law”) stipulates in principle regarding the civil public interest litigation, providing that, “For conduct that pollutes the environment, infringes upon the legal interests of vast consumers, or otherwise damages the public interest, the authority or relevant organization as prescribed by law may institute an action in a people’s court. Where the people’s procuratorate finds in the performance of functions any conduct that undermines the protection of the ecological environment and resources, infringes upon consumers’ lawful rights and interests in the field of food and drug safety, or any other conduct that damages social interest, it may file a lawsuit with the people’s court if the authority or organization prescribed in the preceding paragraph does not file a lawsuit. If the authority or organization prescribed in the preceding paragraph files a lawsuit, the people’s procuratorate may support the filing of a lawsuit.”[1]

The aforesaid legal provisions establish the procedural law basis for people’s procuratorates to initiate civil public interest litigation. On this basis, the Supreme People’s Court (“SPC”) and the SPP issued the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law for Cases regarding Prosecutorial Public Interest Litigation (2020 Amendment) (“Interpretation of Prosecutorial Public Interest Litigation”) in March 2018; the SPP issued the Rules for the Handling of Public Interest Litigation Cases by the People’s Procuratorates (“Rules for Handling Cases”) in June 2021, which drawn up detailed provisions on the issues concerning the filing, investigation, prosecution, and trial of Prosecutorial Civil Public Interest Litigation. Furthermore, the SPC has promulgated a series of judicial interpretations and regulations for the proceedings of specific civil public interest litigation cases, including the Interpretation of the Supreme People’s Court on Several Issues Concerning the Application of Law in the Trial of Environmental Civil Public Interest Litigation (“Judicial Interpretation of Environmental Civil Public Interest Litigation”), the Interpretation of the Supreme People’s Court on Several Issues concerning the Application of Law in the Trial of Civil Public Interest Actions regarding Consumption (“Judicial Interpretation of Consumer Civil Public Interest Litigation”).

II. Jurisdiction of Anti-monopoly Civil Public Interest Litigation Case

Jurisdiction of the People’s Procuratorates over Anti-monopoly Civil Public Interest Litigation

Pursuant to the first paragraph of Article 14 of the Rules for Handling Cases, “When people’s procuratorates handle civil public interest litigation cases, the primary people’s procuratorates in the place of occurrence of the illegal act, the place of resultant injury, or the place of residence of the violator of law have jurisdiction over the opening of cases.” Pursuant to Article 15 of the Rules for Handling Cases, “People’s procuratorates at or above the districted city level have jurisdiction over significant and complicated cases within their jurisdictions. A public interest litigation case in which the scope of public interest injury involves not less than two administrative divisions may be under the jurisdiction of their common higher people’s procuratorate.”

The SPP provided special provisions under the Notice on the jurisdiction of the people’s procuratorates over the anti-monopoly case of civil public interest litigation:

  • The people’s procuratorates at or above the level of city with subordinate districts in the place of occurrence of the illegal act, the place of resultant injury, or the place of domicile of the offenders shall have jurisdiction over the anti-monopoly cases of civil public interest litigation.
  • The people’s procuratorates at the provincial level or the SPP shall directly file cases of significance, sensitivity, and/or complexity such as cases involving the compliant operation of leading Internet companies, Internet industrial policies, industry standards, and international competition.

Jurisdiction of the People’s Courts over Anti-monopoly Civil Public Interest Litigation

Regarding the jurisdiction of the people’s court in the anti-monopoly case of Prosecutorial Civil Public Interest Litigation, while there remain no specific regulations or published cases, we understand that, based on the relevant provisions of Prosecutorial Civil Public Interest Litigation and antitrust civil litigation, theoretically, the following conclusions can be reached.

  • As regards the anti-monopoly civil public interest litigation in the first instance filed by people’s procuratorates at the level of city with subordinate districts, the jurisdiction shall lie with the intellectual property courts or intermediate people’s courts.
  • With respect to the anti-monopoly civil public interest litigation in the first instance instituted by provincial people’s procuratorates, the jurisdiction shall fall upon the high people’s courts.
  • As for the anti-monopoly civil public interest litigation in the first instance brought by the SPP, the jurisdiction of the Intellectual Property Tribunal of the SPC shall prevail.
  • All the anti-monopoly civil public interest litigation of second instance shall be under the jurisdiction of the Intellectual Property Tribunal of the SPC in theory.

The relevant provisions are as follows:

  • Pursuant to thefirst paragraph of Article 5 of the Interpretation of Prosecutorial Public Interest Litigation, “for a first-instance civil public interest litigation case filed by a people’s procuratorate at the city (branch or prefecture) level, the intermediate people’s court at the place where the infringement occurs or in the domicile of the defendant shall have jurisdiction over the case.” Pursuant to Article 16 of the Rules for Handling Cases, “where the jurisdiction over opening cases by a people’s procuratorate does not correspond to the jurisdiction over litigation by the people’s court either in the level or geographical area, the people’s procuratorate with jurisdiction may open a case, and if a litigation case needed to be filed, the case shall be transferred to the people’s procuratorate with the same level corresponding to the jurisdiction of people’s court.”
  • Pursuant to Article 3 of the Provisions of the Supreme People’s Court on Several Issues concerning the Application of Law in the Trial of Civil Dispute Cases Arising from Monopoly Conduct (“Judicial Interpretation of Monopoly Civil Disputes”) and Article 1 of the Several Provisions of the Supreme People’s Court on the Jurisdiction of Civil and Administrative Cases of Intellectual Property of the First Instance, first-instance monopoly-related civil dispute cases shall be under the jurisdiction of intellectual property right courts, intermediate people’s courts of the cities where the people’s governments of provinces, autonomous regions and municipalities directly under the Central Government are located and cities under separate state planning as well as intermediate people’s courts designated by the Supreme People’s Court.
  • Pursuant to Articles 19 and 20 of Civil Procedure Law, exceptions exist in the hierarchical jurisdiction of anti-monopoly civil litigation in the first instance: 1) cases with significant impact within the jurisdiction shall be under the jurisdiction of the highpeople’s courts; 2) monopoly civil cases with national significance or cases that the SPC considers should be heard by it, shall be heard by the SPC.
  • Pursuant to Article 2(1) of Provisions of the Supreme People’s Court on Several Issues Concerning the Intellectual Property Tribunal, appeals filed against the judgments and rulings of first-instance civil cases of monopoly conducts rendered either by high people’s courts, intellectual property courts or intermediate people’s courts shall be herd by the Intellectual Property Tribunal of the SPC.

III. Procedures for the People’s Procuratorate to Review Civil Public Interest Litigation Cases

According to the relevant provisions of Interpretation of Prosecutorial Public Interest Litigation and Rules for Handling Cases, the main procedures for the people’s procuratorate to handle civil public interest litigation cases include:

  • Registration and filing of case clues.The people’s procuratorate adopts a unified registration and filing management system for public interest litigation clues, among which major case clues shall be filed with the people’s procuratorates at a higher level. Based on Article 24 of Rules for Handling Cases, “the sources of clues to public interest litigation cases include: (1) accusations and reports filed by natural persons, legal persons, and unincorporated organizations with people’s procuratorates; (2) discoveries made by people’s procuratorates in handling cases; (3) discoveries made on administrative enforcement information sharing platforms; (4) transfers from state authorities, social groups, deputies to the People’s Congress, and members of the People’s Political Consultative Conference; (5) report from the news media, public opinion and others; and (6) other discoveries in the performance of duties.”
  • Evaluation and preliminary investigation of case clues.Upon obtaining the case clues, the people’s procuratorates shall evaluate the authenticity and verifiability of the public interest litigation case clues, and if necessary, proceed with the preliminary investigation to form a Preliminary Investigation Report.
  • Stage of filing cases. Where a people’s procuratorate deems after an assessment that the national interest or public interest is injured and that there might be an illegal act, it shall file a case for investigation. Where procurators propose to file or not file a case after evaluating the clues to a case, they shall fill out a Case Opening Approval Form, append thereto a Preliminary Investigation Report after preliminary investigation, and make a Decision to File a Case or Decision Not to File a Case after report to the chief procurator for decision.
  • Stage of A people’s procuratorate shall, prior to an investigation, formulate an investigation plan to determine the outline, methods, and steps of the investigation and a list of evidence to be collected, among others. The evidence for a people’s procuratorate to handle public interest litigation cases includes documentary evidence, physical evidence, audio-visual recordings, electronic data, witness testimony, statements by the parties concerned, forensic expert opinions, other expert opinions, and transcripts of inspection.
  • Pre-litigation announcement.Where the people’s procuratorate intends to file a public interest lawsuit after investigation, it shall make an announcement according to law for a period of 30 days. After 30 days, the people’s procuratorate may file a lawsuit with the people’s court in the absence of an eligible subject to file a lawsuit. For instance, in the first civil public interest litigation case for the protection of juveniles on the Internet in 2021, the People’s Procuratorate of Yuhang District of Hangzhou City, Zhejiang Province, performed the pre-litigation announcement procedure before bringing a lawsuit against a viral domestic short video company.
  • Filing a litigation case.To file a civil public interest litigation case, a people’s procuratorate shall submit the following materials: (1) the written complaint of the civil public interest litigation, with duplicates thereof provided based on the number of defendants; (2) the preliminary evidentiary materials proving that the act of the defendant has damaged the public interest; (3) the evidentiary materials proving that the public announcement procedure and other pre-litigation procedures (if applicable) have been performed.

IV. Investigative Techniques the People’s Procuratorate Can Take in Civil Public Interest Litigation Cases

Pursuant to Article 35 of Rules for Handling Cases, “when handling public interest litigation cases, a people’s procuratorate may conduct investigations and collect evidence in the following manners: (1) consulting, retrieving, and copying case materials related to law enforcement and litigation files, among others; (2) questioning the staff of administrative organs, offenders, administrative counterparts, interested persons, witnesses, among others; (3) collecting documentary evidence, physical evidence, audio-visual recordings, electronic data, and other evidence from relevant entities and individuals; (4) seeking the advice of professionals, relevant departments, or industry associations; (5) commissioning appraisal, assessment, audit, inspection, testing, and translation; (6) inspecting physical evidence and scenes; (7) other necessary manners of investigation. A people’s procuratorate shall not adopt such compulsory measures as restricting personal freedom and placing under seal, seizing, or freezing property when conducting investigations and collecting evidence.”

For example, in July 2020, the People’s Procuratorate of Yuhang District of Hangzhou City, Zhejiang Province, when handling the child molestation case against Xu XX, found clues to a civil public interest litigation case on the infringement of children’s personal information by a company in Beijing and carried out a preliminary investigation with Internet technology. The procuratorate built on the comprehensive evidentiary materials, including the amount of personal information collected and processed by the application and testimony from the application users, to prove the fact that the application had collected and processed children’s personal information. The supporting evidentiary materials cited by the procuratorate include: screenshots of the user‘s service agreement, privacy protection policy, application interface, and testimony to prove that the child users of this application can register to use it without the consent of their guardians; evidence obtained through the adoption of “blockchain” forensics equipment to verify that the application collects and handles children’s personal information by means of implied consent of guardians, one-time authorization of general consent and other methods. In addition, the prosecution collected and fixed the evidence of infringement upon the personal information rights of hundreds of children to establish the harmful consequences. The prosecution also had the confession made by Xu and others to demonstrate the causal relationship between the infringement and the damage consequences.

V. Hearings in Prosecutorial Civil Public Interest Litigation

Pursuant to Article 44 of Rules for Handling Cases, “a people’s procuratorate may organize a hearing in accordance with rules, attend to the opinions of the hearing officers, administrative authorities, violators of law, persons subject to administrative action, victim representatives, and other relevant parties, and learn the relevant issues. The written material formed at the hearing is an important reference for the people’s procuratorate to handle the public interest litigation case in accordance with the law.”

For example, in a series of criminal cases with incidental civil public interest litigation filed by the People’s Procuratorate of Pingjiang County, Hunan Province against Zhang XX et al. on illegal fishing of aquatic products and destruction of ecological resources, the procuratorate, for a better effect of punishment as well as education, so as to guide the public to consciously protect the ecological environment, decided to hold a pre-litigation public hearing on September 24, 2020, in Meixian Town, where the similar cases frequently occurred. The hearing was attended by the deputies to the People’s Congress, members of the CPPCC, People’s Supervisors, and representatives of local people, who served as the hearers. The discussion centered on the critical issues of whether the illegal fishing behavior in this series of cases undermines public welfare, the damaging effect of the behavior concerned on aquatic ecological resources, the ecological restoration approach, and the punishment.

What should be noted in this respect is that, unlike anti-monopoly administrative investigation practice, in which the antitrust enforcement authority “should” inform the party involved of its right to request a hearing, the people’s procuratorates are not obliged to hold a hearing during the review of a case, but “may” hold a hearing based on the investigation of a specific case.

  • Pursuant to the first paragraph of Article 63 of Law of the People’s Republic of China on Administrative Penalty, “before making the following decisions on administrative penalties, an administrative authority shall notify the party of the right to request a hearing, and where a party requests a hearing, the administrative authority shall organize a hearing:(1) a large amount of fines; (2) confiscation of a large amount of illegal income or a large value of illegal property; (3) downgrade of qualification, or revocation of license; (4) suspension of production, closure of business, or restriction of operation; (5) other severe administrative penalties; (6) other circumstances as prescribed in laws, regulations, and rules.” Since antitrust administrative penalties typically result in significant fines, confiscation and other penalties, the rule that “shall notify the party of the right to request a hearing” is usually triggered in practice.
  • Pursuantto the first paragraph of Article 4 of Provisions of the People’s Procuratorates on the Hearing Work for Case Examination, “when the people’s procuratorate handles the examination of the necessity of custody, decision not to prosecute, criminal petition case, civil litigation supervision case, administrative litigation supervision case, or a public interest litigation case, if there is a significant social impact or a major dispute in the determination of facts, the application of the law, the handling of the case, and therefore needs to listen to the opinions of the parties and other relevant personnel in person, a hearing may be held upon the approval of the Procurator-General.” Based on the Rules for Handling Cases and the foregoing provisions, the People’s Procuratorate has the authority which is not an obligation to decide whether to hold a hearing in Prosecutorial Civil Public Interest Litigation.

VI. Claims that the People’s Procuratorate Can File in Civil Public Interest Litigation

Different from a private civil lawsuit, the premise of the people’s procuratorate to file a public interest civil lawsuit is that the behavior of the defendant damages the “public interest”. As to the claims that the People’s Procuratorate can file in civil public interest litigation, especially whether compensation for damages can be claimed, that depends on the type of case and the specific circumstances.

  • Pursuant to Article 18 of the Judicial Interpretation of Environmental Civil Public Interest Litigation, “for any conduct that pollutes the environment and damages the ecology, which has damaged the public interest or has the major risk of damaging the public interest, the plaintiff may request the defendant to assume the civil liabilities including but not limited to the cessation of the tortious act, removal of the obstruction, elimination of the danger, restoration to the original state, compensation for damages, and apology.” Pursuant to Article 21 of the Judicial Interpretation of Environmental Civil Public Interest Litigation, the “compensation for damages” refers to “the damages resulting from the loss of service functions from the time when damage is caused to the ecology and environment to the completion of remediation and the losses resulting from permanent damage to ecological and environmental functions”.
  • Pursuant to the first paragraph of Article 13 of the Judicial Interpretation of Consumer Civil Public Interest Litigation, “in a consumer civil public interest litigation, the plaintiff requests that the defendant should assume such civil liabilities as ceasing the infringement, removing obstacles, eliminating dangers, and offering apologies, the people’s court may support such request.”While the law explicitly provides that consumers are entitled to “compensation for damages”, the aforesaid judicial interpretation does not specifically incorporate “compensation for damages” in the scope of claims in consumer civil public interest litigation cases. The people’s procuratorates have claimed punitive damages in certain civil public interest litigation cases filed with respect to the protection of rights and interests of consumers, which were upheld by the people’s courts.

Pursuant to the first paragraph of Article 60 of the New AML, “the business operators that carry out the monopoly conduct and cause damages to others shall bear the civil liability according to law.” Pursuant to Article 14 of the Judicial Interpretation of Monopoly Civil Disputes, “where a defendant’s monopoly conduct has caused any losses to the plaintiff, the people’s court may, in light of the plaintiff’s claims and the finding of facts, order the defendant to cease infringement, compensate for losses, and otherwise assume civil liability in accordance with law. According to the plaintiff’s claim, the people’s court may include the plaintiff’s reasonable expenses on investigation and prevention of the monopoly conduct in the scope of compensation for losses.”

The questions of what claims the people’s procuratorate can bring up in the anti-monopoly case of Prosecutorial Civil Public Interest Litigation, whether losses compensation may be covered and how to calculate losses, etc., remain to be subsequently confirmed in subsequent detailed regulations, judicial interpretations, and practice.

VII. The People’s Procuratorate may Issue Prosecutorial Recommendations to the Anti-monopoly Enforcement Authority

Pursuant to Article 21 of the Interpretation of Prosecutorial Public Interest Litigation, “where the people’s procuratorate finds in the performance of functions that any administrative authority assuming supervision and administration functions in such fields as the protection of the ecological environment and resources, food and drug safety, protection of state-owned property, and the assignment of the right to use state-owned land exercises functions in violation of any law or conducts nonfeasance, which infringes upon national interest or public interest, it shall issue prosecutorial recommendations to the administrative authority, and urge it to perform functions in accordance with the law. The administrative authority shall, within two months upon receipt of a written prosecutorial proposal, perform its duties and make a written response to the people’s procuratorate. If there is a such emergency where the damages of the state interests or public interests continue to expand, the administrative authority shall make a written response within 15 days. Where the administrative authority fails to perform its duties according to the law, the people’s procuratorate shall file a lawsuit with a people’s court.”

Based on the foregoing provision, theoretically, if the people’s procuratorate obtains clues concerning monopoly conduct and, upon assessment, found it “infringes upon national interest or public interest”, it may, in addition to considering filing a civil public interest lawsuit, simultaneously issue prosecutorial recommendations to the anti-monopoly enforcement authority (i.e., the State Administration for Market Regulation and the corresponding provincial market supervision administration). The anti-monopoly enforcement authority, upon receipt of the prosecutorial recommendation, shall verify and respond in writing to the people’s procuratorate within the period stipulated in law.

The people’s procuratorate has previously issued prosecutorial recommendations to the market supervision authorities in many places on issues such as the protection of personal information and consumer rights. For example, in the case conducted by the People’s Procuratorate of Lucheng District of Wenzhou City, Zhejiang Province to urge the protection of patients’ personal information, Zhang XX et al., suspected of criminal offenses, were held criminally liable in accordance with the law, however, the companies involved were not punished accordingly for Zhang XX and Lu XX’s marketing of their business by taking advantage of their illegally obtained personal information of maternity and others. On August 29, 2019, the People’s Procuratorate of Lucheng District of Wenzhou City, Zhejiang Province, issued a pre-litigation prosecutorial recommendation to the Administration for Market Regulation of Lucheng District of Wenzhou City, Zhejiang Province (“ Lucheng District AMR”), urging it to investigate and deal with the illegal acts conducted by the relevant company, and to take effective methods to intensify the crackdown on illicit operations infringing upon consumers’ personal information within their respective authority. In July 2020, after the receipt of the prosecutorial recommendation, Lucheng District AMR imposed an administrative penalty on the concerned photographic company, ordering rectification of the parties concerned, confiscating illegal proceeds of RMB 4,000, and imposing a fine of RMB 34,000; the training company involved was ordered to make rectification and fined RMB 30,000. Meanwhile, Lucheng District AMR carried out district-wide specific actions and associated publicity campaigns against the misappropriation of consumer personal information.

The New AML only explicitly stipulates that the people’s procuratorates can initiate civil public interest litigation cases against monopoly conducts that undermine the public interest of society but the issue of prosecutorial recommendations to administrative authorities and administrative public interest litigation are within the statutory power as specified in the Organic Law of the People’s Procuratorates and relevant provisions. Consequently, for monopoly behaviors found by the people’s procuratorate in the exercise of its power to be detrimental to the public interest of society, in addition to filing civil public interest litigation, it may as well propose to the SAMR or the corresponding provincial market supervision authority to launch an anti-monopoly investigation. Undertakings who conduct monopoly behavior may take the risk of being the target of civil public interest litigation and administrative investigations and penalties simultaneously.

VIII. The Platform Economy has Come under the Spotlight of Prosecutorial Civil Public Interest Litigation

On August 1, 2022, while the AML took effect, the SPP issued the Notice, which underscores that the people’s procuratorate should actively and soundly carry out Public Interest Litigation Prosecution works in the field of anti-monopoly with the focus on the Internet, public utilities, medicine, and other sectors of livelihood security. Prior to the publication of the Notice, the SPP had repeatedly clarified its intention to strengthen the jurisdiction on prosecutorial public interest litigation in the platform economy.

  • On March 8, 2022, Jun ZHANG, the Chief Procurator of the SPP, proposed in the Work Report of the SPP in 2022 people’s procuratorate would “reinforce anti-monopoly, anti-profiteering and anti-unfair competition justice, with the view of supporting and directing the standardized and healthy growth of capital.”
  • On March 3, 2021, at a press conference of the SPP, Weilie HU, the Chief Procurator of the Eighth Prosecutorial Department of the SPP, mentioned the promotion of Internet platform anti-monopoly and anti-unfair competition public interest litigation to strengthen the regulation on the platforms’ behavior of “either-or choice”, false propaganda, credit speculation by scalping, bidding for ranking, illegal sales promotion, illicit data collection, illegal push notification and other acts that may disrupt the order of market competition.
  • On January 25, 2021, Xinjian ZHENG, member of the Procuratorate Committee of the SPP and the Chief Procurator of the Fourth Prosecutorial Department of the SPP, delivered at a press conference that the SPP is proactively guiding all the provinces to improve the handling of public interest litigation cases related to the protection of citizens’ personal information, anti-monopoly and anti-unfair competition on Internet platforms.

Since 2020, numerous Prosecutorial Civil Public Interest Litigations have been filed in emerging areas including the platform economy, covering issues of consumer rights defense, safeguard of minors, data security, personal information security, etc. For instance, on April 22, 2021, the SPP released 11 typical cases of public interest litigation on personal information protection handled by people’s procuratorates, addressing issues such as unauthorized collection, use, and leakage of users’ personal information. Based on the Performance of the Fifth Anniversary of the Comprehensive Implementation of Public Interest Litigation released by the SPP in June 2022, between November 2019 and June 2022, the nationwide people’s procuratorates dealt with more than 100,000 cases in emerging fields, among which 4,000 cases in the field of personal information protection and 180 cases in the field of anti-monopoly and anti-unfair competition.

Against the background of the current normalization of strict antitrust regulation, with the introduction of the Prosecutorial Civil Public Interest Litigation system in the New AML, a growing volume of antitrust cases of Prosecutorial Civil Public Interest Litigation are likely to emerge in future judicial practice, particularly in fields closely relevant to people’s livelihood, such as platform economy, public utilities, and pharmaceuticals. Therefore, we recommend that companies in the relevant fields prioritize antitrust compliance, promptly review their business practices to identify any antitrust compliance risks, and closely update information regarding antitrust legalization and practice.


[1]Note: Besides civil public interest litigation, the people’s procuratorates are as well entitled to initiate administrative public interest litigation, as provided for in the fourth paragraph of Article 25 of the Administrative Litigation Law of the People’s Republic of China, that “where the people’s procuratorate finds in the performance of functions that any administrative authority assuming supervision and administration functions in such fields as the protection of the ecological environment and resources, food and drug safety, protection of state-owned property, and the assignment of the right to use state-owned land exercises functions in violation of any law or conducts nonfeasance, which infringes upon national interest or public interest, it shall offer prosecutorial recommendations to the administrative authority, and urge it to perform functions in accordance with the law. If the administrative authority fails to perform functions in accordance with the law, the people’s procuratorate shall file a lawsuit with the people’s court in accordance with the law.” Nevertheless, the administrative public interest litigation system falls outside the scope of this article, hence this article will not elaborate further on it.

*Appreciation goes to our firm’s interns Xin XU, Jiawei LIU, and Yuxuan LIU for their contributions to this article.

On the 7 July 2022, the Cyberspace Administration of China (“CAC“) promulgated the Measures for the Security Assessment of Outbound Data Transfers (“Measures“), which are due to take effect on 1 September 2022.

The Measures contain 20 Articles that we have grouped into the following 11 themes:

  1. Purpose and scope – Articles 1 & 2
  2. Important data – Article 19
  3. Security Assessment triggers – Article 4 & 14
  4. Data transfer legal documents – Article 9
  5. Ex-Ante Self-assessments – Article 5
  6. Security Assessment applications – Article 6
  7. Security Assessments – Article 3, 8, 10, 11 & 14
  8. Security Assessment timescales – Article 7, 12 & 13
  9. Confidentiality obligations – Article 15
  10. Liability – Article 16, 17 & 18
  11. Effective date and transitional period – Article 20

We explore each theme below before discussing some issues raised at a press conference held by the CAC on 7 July 2022.

Purpose and scope

Article 1 of the Measures states that their purpose is “to regulate outbound data transfer activities, protect personal information rights and interests, protect national security and social and public interests, and promote a safe and free flow of data across borders

Article 2 then provides that the measures apply to Security Assessments of outbound data transfers involving important data and personal information collected and generated by data processors through their operations in China. Accordingly, it seems that the Measures do not apply extraterritorially to personal information collected and generated by data processors from outside of China.

Important data

Important data is presently an unclear legal concept with no overarching definition. At a conceptual level, it seems that the legal obligations relating to important data lie somewhere in the middle of a spectrum between personal information and state secrets.

The Measures define important data in the context of outbound data transfers only. At this time, only one other source of law defines important data, namely the Several Provisions on Vehicle Data Security Management (Trial) (“Trial Provisions“). We compare the definition in the Measures with that in the Trial Provisions, omitting its enumerated examples, below. 

The Measures:

For the purposes of these Measures, the term “important data” means any data, the tampering, damage, leakage, or illegal acquisition or use of which, if it happens, may endanger national security, the operation of the economy, social stability, public health and security, etc.

The Trial Provisions:

The term “important data” refers to any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may lead to endangerment of national security or public interests, or infringement of the lawful rights and interests of an individual or organisation, including…

One might note that both definitions are risk-based but, except for endangering national security, the risks identified vary slightly. What this means in practice and how multiple definitions of important data will interact are unclear.

As the CAC was involved in the drafting of both regulations, the differences seem to highlight the following core definition:

Data that may harm the interests of the nation, public, or persons if breached.

Security Assessment triggers

A data processor must apply to provincial CACs for a Security Assessment in advance of outbound data transfers in the following circumstances:

  • transfers of important data;
  • it is a Critical Information Infrastructure operator (“CIIO“);
  • it is a personal information processor that has processed the personal information of more than 1,000,000 individuals;
  • it has made cumulative outbound transfers of the personal information of more than 100,000 individuals since 1 January of the previous year;
  • it has made cumulative outbound transfers of the sensitive personal information of over 10,000 individuals since 1 January of the previous year; and
  • the transfer falls within other situations prescribed by the CAC.

Whether a company might be identified as a CIIOs remain unclear in many industries. Nevertheless Article 10 of the Regulations on the Security Protection of Critical Information Infrastructure, states that the authorities will inform a company that it is CIIO once identification takes place. Therefore, for practical purposes, companies can consider themselves as not being CIIOs until the authorities tell them otherwise.

It is understood that many companies, and multinationals in particular, would prefer to see a rise in the transfer thresholds that trigger Security Assessments.

Data transfer contracts

The Measures state that contracts, which it refers to as legal documents, between the data exporter and data importer for outbound data transfers should cover:

  • the purpose and method of the outbound data transfer, the data scope, and the data processing purpose and method;
  • the data retention location and duration, and obligations when the data retention period expires, the transfer purpose completes, or the agreement ends;
  • restrictions against onward data transfers to others;
  • security measures to be adopted when a material change occurs concerning the overseas recipient, the destination country’s legal, regulatory and cybersecurity environment, or a force majeure event occurs which makes it difficult to ensure data security;
  • remedial measures, liability for contractual breaches and dispute resolution mechanisms for breaching data security protection obligations; and
  • requirements for proper emergency disposal and ensuring that individuals can safeguard their personal information rights and interests when their data is exposed to risks, such as being tampered with, damaged, leaked, lost, relocated, or illegally acquired or used.

On a related note, on 30 July 2022, the CAC issued the Draft Provisions on Standard Contracts for the Export of Personal Information, which also deal with outbound data transfers and contain a draft Standard Contract for use in situations that would not trigger a Security Assessment under the Measures. While contracts drafted under Article 9 may have some similar features to the draft Standard contract, companies should not automatically assume that signing a Standard Contract would meet the requirements of the Measures or vice versa.

Please see China Releases Draft Standard Contract for Cross-border Data Transfers by Samuel Yang and Cross-Border Data Transfers: A Comparison of the EU And Chinese Standard Contractual Clauses by Samuel Yang and Chris Fung for more information about the draft Standard Contract.

Ex-Ante Self-assessments

After a Security Assessment is triggered, but before a Security Assessment application occurs, a data processor is obliged to conduct a Ex-Ante Self-assessment. Data processors are required to address the following matters during Ex-Ante Self-assessments:

  • the legality, legitimacy, and necessity of the outbound data transfer and the overseas recipient’s data processing in relation to the purpose, scope, method, etc.;
  • the outbound data’s quantity, scope, type and sensitivity, and the risk the outbound data might pose to national security, public interests, and the lawful rights and interests of individuals and organisations;
  • whether the overseas recipient’s responsibilities and obligations, and their management measures, technical measures and capabilities to perform such responsibilities and obligations can ensure the security of the outbound data;
  • the risk of the outbound data suffering data breaches, including unauthorised onward transfers, during and after the outbound data transfer, and whether individuals have unobstructed channels to safeguard their rights and interests in their personal information and other data;
  • whether the data security protection responsibilities and obligations are sufficiently stipulated in the data transfer contract or other documents; and
  • any other matters that might affect the security of the outbound data.

Some of the factors described above are also covered by personal information protection impact assessments (“PIPIAs“) required under the Personal Information Protection Law (“PIPL“). We believe it would be cheaper and more efficient for companies to combine all assessment factors under both the PIPL and the Measures within a single consolidated Ex-Ante Self-assessment.

Security Assessment applications

Applications for Security Assessments should contain:

  • a completed Security Assessment application form;
  • a copy of the Ex-Ante Self-assessment report;
  • a copy of the outbound data transfer contract; and
  • any other materials the CAC requires.

Security Assessments

Article 3 of the Measures provide that Security Assessments of outbound data transfers should combine ex-ante assessments and ongoing supervision, and Ex-Ante Self-assessment and Security Assessment.

The substantive content of CAC Security Assessments overlap significantly with Ex-Ante Self-assessments, except in relation to the following:

  • the impact of data security protection policies, legislation and the cybersecurity environment of the country or region where the overseas recipient is located in relation to the security of the outbound data, and whether the overseas recipient’s data protection level meets the requirements of Chinese laws, administrative regulations and mandatory national standards;
  • compliance with Chinese laws, administrative regulations and departmental rules; and
  • other matters the CAC deems necessary to assessed.

We note that item 1) above seems to describe something like transfer impact assessments under the EU’s GDPR and that data processors are not required to cover such things in their Ex-Ante Self-assessment report.

Given the limited resources of government departments, it is doubtful that they would make such assessments on a case-by-case basis. Therefore, we wonder how such assessments are made, whether a central transfer impact assessment list exists at this time (which one might regard as China’s answer to adequacy decisions), whether such a list will become publicly accessible, and how it will be managed and updated.

The CAC may terminate Security Assessments if it requires additional materials, and a data processor refuses to submit them.

Article 14 of the Measures states that the results of a Security Assessment are valid for two years unless retriggered by any of the following situations:

  • any change to the outbound data transfer’s purpose, method or scope, the data type, or the overseas recipient’s data processing purpose or method which will affect the security of the outbound data or extend retention periods;
  • any change to data security protection policies, legislation, the cybersecurity environment or any other force majeure event where the overseas recipient is located,
  • any change in the actual control of the data processor or overseas recipient or any change to the data transfer agreement affecting the security of the outbound data; or
  • any other circumstances that may affect the security of the data.

Data processors will need to apply for a reassessment after expiration. The CAC have stated that: “When the validity period expires and it is necessary to continue to carry out data export activities, the data processor shall re-apply for evaluation 60 working days before the validity period expires.”

Security Assessment timescales

Security Assessment applications should be submitted to provincial CAC offices, which should conduct a completeness check of the application documents within 5 working days. Thereafter, the national CAC will then review the application documents and decide whether to accept the application within 7 working days, after which the central CAC will begin a substantive review, which should take a maximum of 45 working days from the date of issuing a written acceptance of the application. Accordingly, in normal circumstances, the entire process of applying for and undergoing a Security Assessment might take up to 57 working days (approximately 2.5 months).

However, the Measures allow the CAC to extend the deadline for completing a Security Assessment “as appropriate” if the “case is complicated or there are materials to be supplemented or corrected…” This power to extend deadlines has not explicit upper limit.

Should a data processor object to Security Assessment results, it must apply for a reassessment within 14 working days of receiving the assessment results. Article 15 provides that the results of a reassessment are final.

Confidentiality obligations

Institutions and staff that participate in Security Assessments are legally bound to keep confidential any information that they learn during their Security Assessment work. This includes state secrets, personal privacy, personal information, trade secrets, confidential business information, and other data.

Liability

Where any organization or individual discovers that a data processor has conducted any outbound data transfer in violation of the Measures, they may report it to the CAC.

In the event that the CAC finds out that an outbound data transfer which passed a Security Assessment no longer comply with the Measures while implementing data transfers, it has the power to notify the data processor to stop making such transfers. Should the data processor need to continue making such transfers, it should make “rectification as required” before applying for a reassessment.

The implications of the CAC’s ability to stop previously approved transfers for non-compliance with the measures are unclear at this time. However, it may be the case that the CAC has an implied power of interpretation and construction in relation to data transfer contracts and can determine whether they are being correctly performed.

Violations of the Measures are punishable under the Cybersecurity Law, the Data Security Law, the PIPL, and other laws and regulations depending on the data processor, the data types and the nature of the violation. We note that violations of the PIPL attract the highest penalties, specifically, up to CNY 50 million or 5% of the violator’s revenue in the previous year. We note that on 21 July 2022, DiDi Global was fined CNY 8 billion for various data security violations. This suggests that the CAC is willing to issue large fines for violations of data laws.

Effective date and transitional period

The Measures will come into force on September 1, 2022. Data processors may only make relevant outbound transfers from 1 September 2022 after passing a Security Assessment. More specifically the CAC has stated: “The data processor can carry out data export activities in strict accordance with the declared items after receiving the written notification of passing the assessment.”

First, the application will not be accepted. For those that do not fall within the scope of the security assessment, after receiving a written notification from the national cybersecurity and informatization department, the data processor may carry out data export activities through other legal channels prescribed by law. The second is to pass the safety assessment. The data processor can carry out data export activities in strict accordance with the declared items after receiving the written notification of passing the assessment. The third is failing to pass the safety assessment. If the data export security assessment is not passed, the data processor shall not carry out the declared data export activities.

For outbound data transfers carried out before 1 September 2022, “rectification” shall be completed within 6 months after 1 September 2022. It is unclear if this means that the data processor must pass the Security Assessment within this 6-month grace period, or perhaps the submission of an application for Security Assessment within this period would be sufficient. Nevertheless, given these deadlines, possible delays, the 2022 spring festival holidays and other factors, we recommend that data processors should endeavour to submit their applications for Security Assessments as soon as possible.

Summary

The requirements for Security Assessment apparently add a layer of onerous compliance burdens to the operations of many businesses. The various thresholds of personal information that trigger Security Assessments are low and may affect many multinational companies doing business in China. These new requirements also create some uncertainty, particularly among entities that depend on cross-border transfers of data to conduct business. This uncertainty will not be resolved until the Measures take full effect and the processing of Security Assessments becomes standardised in practice.

Businesses that will likely be subject to the Security Assessment regime should act now –  take stock of their data flows, renegotiate their cross-border data transfer contracts and ensure that their data protection practices align with the requirements of the Measures and other Chinese laws and regulations. Businesses that operate in areas of higher risk may also wish to begin creating contingency plans in case they are prohibited from transferring certain data out of China.

Disclaimer

Nothing in this article is intended to be legal advice to its readers. This article was written for the purposes of academic discussion only. The views of its authors do not reflect the views of regulators.

Background

On 1 November 2021, the Personal Information Protection Law of the People’s Republic of China (“PIPL”) took effect and became the first Chinese law dedicated to protecting the personal information rights of individuals. However,     due to a lack of implementation regulations and clarity, many companies face a situation where they are unsure how to comply with the PIPL in some areas.

Nowhere is this more of an issue than with Article 38 of the PIPL, which provides several conditions (or legal paths)  that must be met before a cross-border data transfer may occur. According to Article 38, entities may send personal data to foreign recipients by taking one of the following legal paths:

Legal Path 1  Government Security Assessment: A security assessment organised by the national cyberspace authority has been passed by the entity in accordance with Article 40 of this Law;

Legal Path 2  Standard Contract: A contract in compliance with the standard contract provided by the national cyberspace authority has been concluded with the overseas recipient, establishing the rights and obligations of  both parties.

Legal Path 3  Certification: the entity has acquired a certification of personal information protection by a           professional certification institution in accordance with the regulations of the national cyberspace authority; and

On Legal Path 1 (Government Security Assessment), please see China Issues Cross-border Data Transfer Security Assessment Rules. For Legal Path 2 (Standard Contract), please see China Releases Draft Standard Contract for  Crossborder Data transfers and Crossborder data transfers: A Comparison of the EU and Chinese Standard

Contractual Clauses.

This article discusses China’s new rules on Legal Path 3 (Certification).

TC260 Issues Rules for Legal Path 3 (Certification)

On 24 June 2022, the National Information Security Standardization Technical Committee (also known as “TC260”)   issued its  “Technical Specifications for the Certification of CrossBorder Processing of Personal Information              (“Specifications”). The  Specifications state the criteria that MNCs or other economic or business entities and            overseas processors should meet to obtain certification as described in Article 38 of the PIPL (i.e., Legal Path 3). At a high level, TC260’s  Specifications seem to describe something like the Binding Corporate Rules (“BCRs”) under the  GDPR.

Please note that the Specifications are not compulsory. In other words, parties to cross-border personal information transfers can decide if they want to go through this Legal Path 3 and obtain certification or go through other Legal    Paths as they think appropriate to legitimatise their cross-border data transfers. However, if they choose to put   themselves under this certification regime, the rules under the Specifications are binding on them and relevant   certification institutions.

Applicability of the Specifications

The  Specifications describe certification scenarios, certification applicants and those who should bear responsibility  for cross-border personal information transfers. Within an MNC, one of its entities in China can apply for certification and undertake to assume legal responsibility for the MNC’s global organisation, while for an overseas entity having a not substantial presence in China, its specialised agency or designated representative in China can apply for   certification and undertake to bear legal responsibility for the overseas entity.

Legally Binding Documents

Parties to cross-border personal information processing activities must sign legally binding and enforceable  documents (“LBDs”) to ensure that the rights and interests of individuals are fully protected. At a minimum, LBDs should contain:

  1. The relevant parties involved in cross-border personal information processing;
  2.  The purpose of cross-border personal information processing and the types and scope of personal information;
  3.   Measures to protect the rights and interests of individuals;
  4.  Undertakings by each party to comply with uniform personal information processing rules and ensure that thelevelof personal information protection is not lower than the standards stipulated by relevant Chinese laws and regulations on the protection of personal information;
  5. Undertakings to accept the supervision of certification bodies;
  6.    Provisions stating that relevant Chinese laws and regulations on the protection of personal information governthe arrangements;
  7.  Details of the organisational bodies that will bear legal responsibility within China; and
  8.  Provisionsforcompliance with other legal and regulatory obligations.

Uniform Processing Rules

Uniform processing rules, described in 4. above, must contain:

  •   Theparticularsof cross-border personal information processing, including the type, sensitivity, quantity, etc., of personal information;
  • The purpose, method, and scope of cross-border personal information processing;
  •   Thestartand end time of overseas storage of personal information and the processing method after expiration;
  • Transitcountries involved in cross-border personal information processing;
  •   Resources and measures required to protect the rights and interests of individuals; and
  •    Rulesforcompensation and disposal of personal information security incidents.

DPO

Both the data exporter and foreign data importer must appoint a person to take charge of personal information protection. The persons in charge must have relevant knowledge and experience and be a part of the decision-  making level of their entity. Their duties include:

  •    Clarifyingorganisationalpersonal information protection objectives, basic requirements, work tasks, and protection measures;
  •  Ensuring the availability of human resources, financial support and materials for personal information protection withinthe organisation;
  •    Guidingandsupporting relevant personnel in carrying out the organisation’s personal information protection efforts and ensuring that personal information protection efforts achieve the expected goals; and
  •    Reportingto the organisation’s leaders on personal information protection and promoting the continuous improvement of personal information protection efforts.

Personal Information Protection Organisation

Both the data exporter and foreign data importer should set up personal information protection internal organisations that are tasked with preventing “unauthorised access and leakage, falsification and loss of personal information” and undertaking the following duties:

  •    Formulatingandimplementing plans for cross-border personal information processing;
  •    Organising and carrying out personal information protection impact assessments (“PIPIAs”);
  •    Supervisingcross-borderpersonal information transfers under rules agreed to by the relevant parties; and
  •    Acceptingandhandling requests and complaints from data subjects.

Personal Information Protection Impact Assessments (PIPIAs)

Specification is provided on what a PIPIA should contain in cross-border transfer scenarios. In particular, a PIPIA must cover:

  1.   Whethertheprovision of personal information to overseas countries complies with laws and administrative regulations;
  2. The impact on the rights and interests of individuals;
  3.   Theimpactof the legal environment and network security environment of overseas countries and regions on the rights and interests of individuals;
  4.  Other matters necessary to safeguard the rights and interests of personal information.

Items 2. and 4. above mirror the requirements of the PIPL, while Items 1. and 3. are more specific to cross-border     transfer impact assessments and suggest the need for specialised country-by-country transfer impact assessments   similar to those used for GDPR purposes. For Item 3 ., we note that the precise meanings of “legal environment” and “network security environment” are currently unclear.

Individual Rights

Individuals have various rights over their personal information under the PIPL. Those rights include a right to access, right to correct, right to complete, right to erasure, right of portability and right to refuse processing. In addition to  those rights, the  Specifications provide that individuals are beneficiaries of LBDs and have the right to request a       copy of the relevant LBD provisions relating to individuals’ legal rights and interests.

Being a beneficiary to LBDs might, theoretically, increase the range of rights available to individuals over and above those found in the PIPL. This is especially so if MNCs operating in multiple jurisdictions take a unified highest            standard approach to personal information protection at a global level.

The right to access relevant LBD provisions raises issues from a confidentiality perspective. Thus, it would be wise to stipulate such matters in a standalone document to ensure that disclosures to individuals remain appropriate.

The  Specifications also provide that individuals should be allowed to litigate in the Chinese courts of their habitual place of residence against the parties to the cross-border data transfers.

Obligations of the Parties to CrossBorder Data Transfers

The provisions within the  Specifications on processor obligations generally reflect the terms of the PIPL. However, further requirements are imposed on parties to cross-border data transfers, including:

  •    Whensituationsarise where it is difficult to ensure the security of personal information transferred across borders, such processing must be “promptly terminated”.
  •   Theresponsibleparty in China should compensate individuals for breaches arising in the context of cross-border data processing activities.
  •   Thepartiesto cross-border data transfer activities should undertake to follow Chinese data protection laws,     accept their application and enforcement, and cooperate with Chinese regulators’ enforcement activities, such as answering their inquiries and accepting routine inspections.

Conclusions

The  Specifications make Legal Path 3 (Certification) of Article 38 of the PIPL possible – though not fully actionable as China has not published a list of certification institutions to handle certification applications from entities.  Nevertheless, the Specifications have provided a skeleton of the certification regime for cross-border data transfers. We believe that the Chinese authorities may issue regulations, and TC260 may also issue further guidance to  substantiate this certification regime.

It should be noted that, while an entity can choose between Legal Path 3 (Certification) and Legal Path 2 (Standard Contract) to legitimatise its cross-border data transfers, Legal Path 1 (Government Security Assessment) is not

optional – as long as statutory triggers exist, an entity will have to participate in a Security Assessment by the CAC

(For more information see China Issues Crossborder Data Transfer SecurityAssessment Rules).

At this stage, it is difficult to forecast if Legal Path 3 (Certification) would be more popular than Legal Path 2   (Standard Contract). In addition to signing a cross-border data transfer contract, the Specifications essentially require that both the data exporter and the overseas data recipients are subject to a set of unified data protection rules   which are aligned with Chinese laws and subject to Chinese regulators’ supervision. We believe the compliance  efforts would be more costly than “simply” signing the Standard Contract. However, it is possible that this   certification path might be welcomed by some companies who see certification as a type of status or quality mark to signal to consumers that their personal information will be protected to higher standards.

As cross-border data transfers are a rapidly developing area of law, MNCs and overseas processors processing the personal information of people in China are advised to monitor developments in this area closely .

On 30 June 2022, the Cyberspace Administration of China (“State Internet Information Department” or “CAC“)  issued the Draft Provisions on Standard Contracts for the Export of Personal Information (“Draft Provisions“) for public consultation. The deadline for feedback is 29 July 2022.

The Draft Provisions contain a draft Standard Contract for the Export of Personal Information (“Standard Contract“).  The Standard Contract consists of nine articles and two appendices.

This article provides an in-depth analysis of the articles in the Draft Provisions and their potential impact on multinational companies.

Provisions on Standard Contract on the Export of Personal Information (Draft for Public Consultation)

Article 1: These Provisions are formulated on the basis of the “Personal Information Protection Law of the People’s Republic of China” so as to standardise personal information export activities, protect personal information rights  and interests, and promote the safe and free flow of personal information across borders.

Article 2: Where personal information processors conclude contracts with overseas recipients to provide personal    information outside the territory of the People’s Republic of China in accordance with subparagraph (3) of the first   paragraph of Article 38 of the “Personal Information Protection Law of the People’s Republic of China”, they shall   follow these Provisions to sign a standard contract for the export of personal information (hereinafter referred to as “Standard Contracts“). Other contracts concluded between the personal information processor and the overseas  recipient related to the outbound activities of the personal information shall not conflict with the standard contract.

Analysis of Articles 1 and 2:

1. Articles 1 and 2 explain the purpose and legal basis for formulating the Draft.

2. Article 2 provides: “Other contracts concluded between a personal information processor and an overseas recipient related to the outbound activities of personal information must not conflict with the Standard Contract. ”

3. This means that, in addition to signing the Standard Contract with an overseas recipient, a Chinese enterprise that chooses to use a Standard Contract also needs to:

a) check other contracts it has signed with the overseas recipient related to the export of personal information to ensure that they do not conflict with the Standard Contract, and supplement or modify such other contracts according to the actual situation; and

b) clearly state in other contracts that in the event of a conflict with the terms of the Standard Contract, the Standard Contract prevails.

Article 3: Those carrying out personal information export activities on the basis of standard contracts shall adhere to a combination of independent contracting with file management to prevent security risks to the export of personal  information and ensure the orderly and free flow of personal information in accordance with the law.

Analysis of Article 3:

1. According to the expression “independent contracting” in Article 3, signing a Standard Contract is not a mandatory legal obligation. However, enterprises should note that for all data export paths permitted under Article 38 of the Personal Information Protection Law (“PIPL”), Chinese enterprises and overseas recipients must either sign (i) Standard Contracts, (ii) other similar contracts or (iii) legally binding and enforceable documents. See our analysis of Articles 4 and 5 below for details.

2. For the “file management” requirement, see our analysis of Article 7 below.

Article 4: Where personal information processors meet all the following criteria, they may provide personal information overseas by signing a standard contract:

(1) Non-critical information infrastructure operators;

(2) Handling less than 1 million persons’ personal information;

(3) Cumulative provision of personal information of less than 100,000 people overseas since 1 January of the previous year;

(4) Cumulative provision of sensitive personal information of less than 10,000 people outside the country since 1 January of the previous year.

Analysis of Article 4:

  1. Under Article 4, a processor of personal information who meets the relevant requirements “may”, as opposed

to “must“, sign a Standard Contract to legalise the export of personal information. This is because Article 38 of the PIPL stipulates several different legal paths for personal information to leave China. They include:

(1) Critical information infrastructure operators and personal information processors handling personal  information that reach the number of personal information processors provided for by the state network information departments for outbound conduct shall pass a security assessment organised by the state   network information departments;

(2) Conduct personal information protection certification through professional bodies in accordance with the provisions of the state network information departments;

(3) Conclude a contract with an overseas recipient in accordance with a standard contract formulated by the State Internet Information Department, stipulating the rights and obligations of both parties;

(4) Other requirements provided for by laws, administrative regulations, or the State Network Information Department.

  1. According to the above provisions, Chinese enterprises that are not “criticalinformation infrastructure              operators and personal information processors who process personal information to the amount prescribed by the State Internet Information Department” may (i) sign the Standard Contract or (ii) obtain personal                 information protection certification through a professional body to transfer personal information overseas.
  2.  Therefore, for Chinese enterprises that choose path (ii), signing a Standard Contract is not required. However, it shouldbe noted that although a Chinese enterprise that chooses path (ii) does not need to sign a Standard   Contract, it will still need to sign a “legally binding and enforceable document” with the overseas recipient in      accordance with the Technical Specification for the Certification of Cross-border Processing Activities of  Personal Information, which was officially issued by the National Information Security Standardization Technical Committee (also known as TC260) on 24 June 2022. Such a document should at least specify the following:
  3. a)Personaldata processors and overseas recipients carrying out cross-border personal information processing activities;
  4. b)Thepurpose of cross-border processing of personal information and the types and scope of personal information;
  5. c)Measuresto protect the rights and interests of Personal Information Subjects;
  6. d)Theoverseas recipient undertakes to comply with the unified rules for the cross-border handling of        personal information, and ensures that the level of personal information protection is not lower than the  standards stipulated by the relevant laws and administrative regulations of the People’s Republic of China on the protection of personal information;
  7. e)Theoverseas recipient undertakes to accept the supervision of the certification body:
  8. f)Theoverseas recipient undertakes to accept the jurisdiction of the laws and administrative regulations of the Peoples Republic of China on the protection of personal information;
  9. g)Clearlydefine the organisations that bear legal responsibility within the territory of the People’s Republic of China:
  10. h)Otherobligations stipulated by laws and administrative regulations that shall be 
  11. Article 4 clearly restricts the application of Standard Contracts and prohibits their use in circumstances where:
  12. a)     Criticalinformationinfrastructure operators export personal information;
  13. b)     Personalinformationprocessors have processed the personal information of more than 1 million people;
  14. c)     The cumulative export of personal information exceeds 100,000 people since 1 January of the previous year;and
  15. d)    Thecumulativeexport of sensitive personal information exceeds 10,000 people since 1 January of the previous
  16. 8.     Those circumstances are the personal information export activities of “criticalinformationinfrastructure            operators and personal information processors who handle the number of personal information specified by the state network information department“, as stated in Articles 38 and 40 of the PIPL. Such transfers should be      preceded by an application for a Security Assessment under the Measures for Security Assessment of Data         Export (Draft) (29 October 2021) rather than the signing of a Standard Contract.
  17. Several categories of Chinese enterprises that should apply for security assessments do not need to legalise    theirpersonal information exports by signing a Standard Contract. Instead, and according to the Measures for Security Assessment of Data Export (Draft for Comments), they should sign a contract with the overseas           recipient that includes but is not limited to the following:

(1) The purpose, method, and scope of data exported, and the purpose and method of processing data by overseas recipients;

(2) The place and period of time for which the data is kept overseas, as well as measures for handling     outbound data after the retention period is reached, the agreed purpose is completed, or the contract is terminated;

(3) Restrictive clauses restricting overseas recipients from transferring outbound data to other organisations or individuals;

(4) The security measures that the overseas recipient shall adopt when there is a substantial change in its actual control or business scope, or when the legal environment of the country or region in which it is       located makes it difficult to ensure data security;

(5) Liability for breach of contract and binding and enforceable dispute resolution clauses for breach of data security protection obligations;

(6) When risks such as data leakage occur, properly carry out emergency response, and ensure smooth channels for individuals to safeguard personal information rights and interests.

  1. Article4 is also consistent with Article 38 of the PIPL, which only stipulates that “personal information   processors” may sign the “Standard Contract“. However, it does not explicitly address whether “entrusted   processors” under the PIPL can or should sign the Standard Contract. For readers more familiar with the GDPR, “personal information processors” are roughly equivalent to data controllers, while the concept of “entrusted  processors” is roughly equivalent to data processors.
  2.   In servingclients, wehave observed that some business models involve data transfers from (i) a Chinese   personal information processor to (ii) a domestic entrusted processor to (iii) an overseas sub-processor.  Domestic personal information processors and domestic entrusted processors often disagree over which party should sign the Standard Contract with the overseas sub-processor.
  3.  Webelievedomestic personal information processors should usually bear the primary obligation for signing a  Standard Contract containing a clear mechanism describing the parties’ obligations and responsibilities with an overseas subcontractor to enable a domestic entrusted processor to provide data to said overseas  subcontractor.
  4.  Analternativeapproach would be for a domestic personal information processor, domestic entrusted processor and overseas subcontractor to sign a tripartite Standard Contract. However, this would require further clarity     regarding the mechanism for domestic entrusted processors to provide data to overseas subcontractors and each party’s contractual obligations and responsibilities.

Article 5: Before personal information processors provide personal information overseas, they shall carry out a personal information protection impact assessment in advance, focusing on the following content:

(1) The legality, legitimacy, and necessity of the purpose, scope, and methods of processing personal information by personal information processors and overseas recipients;

(2) The quantity, scope, type, and sensitivity of outbound personal information, and the risks that personal  information may bring to the rights and interests of personal information that may be brought about by the export of personal information;

(3) The responsibilities and obligations undertaken by the overseas recipient, as well as whether management and technical measures and capabilities for performing responsibilities and obligations can ensure the security of outbound personal information;

(4) The risk of personal information being leaked, damaged, altered, or abused after leaving the country, and  whether the channels for individuals to safeguard personal information rights and interests are unobstructed, and so forth;

(5)The impact of personal information protection policies and regulations on the performance of standard contracts in the country or region where the overseas recipient is located;

(6) Other matters that might affect the security of personal information leaving the country.

Analysis of Article 5:

  1.   Article5 refinesthe requirements for personal information protection impact assessments before exporting personal information under the PIPL by providing additional detail and specification.
  2.   It is worth noting that Chinese enterprises need to assess “theimpact of personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of standard  contracts“, which is not a small task. Going forward, Chinese enterprises will need to rely more heavily on advice from overseas legal professionals and assistance from overseas recipients.

Analysis of Article 6:

  1.   Article6 providesan overview of the Standard Contract. Regarding the specific content of the Standard

Contract, we will analyse and interpret it separately.

Article 7: Personal information processors shall file a record with the provincial-level internet information department for the area where they are located within 10 working days of the standard contract taking effect. The following materials shall be submitted for filing:

(1) standard contracts;

(2) personal information protection impact assessment reports.

The personal information processor is responsible for the authenticity of the materials filed. After the standard contract takes effect, the personal information processor may carry out personal information export activities.

Analysis of Article 7:

  1.     TheArticle7 filing provisions are new legal requirements without any precedent in the PIPL. The Standard Contract and the personal information protection impact assessment report on the export of personal       information will need to be filed with the government.
  2.     Consideringthatmany enterprises will need to make filings, national administrative resources are limited, and other factors, filing management within provincial CACs may only consist of formality reviews. Based on           informatisation trends in China, the CAC may establish an online filing system to facilitate filings.

Article 8: Where any of the following circumstances occur during the validity period of a standard contract, the personal information processor shall re- sign the standard contract and file it for the record:

(1) Where the purpose, scope, type, sensitivity, quantity, method, retention period, storage location, and purpose or method of handling personal information handled by overseas recipients change, or extend the period for personal   information to be retained abroad;

(2) Where changes in personal information protection policies and regulations in the country or region where the overseas recipient is located may affect personal information rights and interests;

(3) Other circumstances that might affect the rights and interests of personal information.

Analysis of Article 8:

  1.    Consideringtherequirements of Articles 5 and 6 above, the content of Article 8 seems reasonable at face value.
  2.    However, determiningwhetherthe “personal information protection policies and regulations ofthe country or  region where the overseas recipient is located” has “changed” and “may affect the rights and interests of  personal information” is a big challenge for even the largest multinational enterprises. It seems that Chinese      enterprises will be expected to keep abreast of changes in policies and regulations related to overseas personal information protection. This may require them to retain overseas legal professionals on an ongoing basis.
Article 9: Institutions and personnel participating in the filing of standard contracts shall preserve the confidentiality of personal privacy, personal information, commercial secrets, confidential business information, and so forth that  they learn of in the course of performing their duties, and must not leak or illegally provide or use them to others.

Analysis of Article 9:

  1.    Some enterprises, especiallymultinationalenterprises, may have concerns about whether the Standard Contract and the personal information protection impact assessment report filing mechanism may cause information leakages. Article 9 seems to be an attempt to pre-empt such concerns.
  2.   Theexpression”confidential business information” has also appeared in the Measures for the Security  Assessment of Data Export (Draft for Public Consultation). How the CAC will define it in practice remains to be seen.
Article 10: Where any organisation or individual discovers that a person handling personal information has violated these Provisions, they have the right to make a complaint or report to the provincial level Internet information  department.

Analysis of Article 10:

  1.    Complaintsandreports may come from a personal information processor’s (possibly disgruntled) employees or Personal Information Subjects.
  2.   Wespeculatethat, in the future, the CAC could publish lists of enterprises that have completed the filing procedures and that Personal Information Subjects could use such lists to determine whether a personal information processor has fulfilled its filing obligations to make targeted reports.
Article 11: Where provincial-level Internet information departments discover that personal information outbound     activities through the signing of standard contracts no longer meet the requirements for security management of personal information export in the course of actual processing, they shall notify the personal information processors in writing to terminate personal information export activities. Personal information processors shall immediately   terminate personal information export activities upon receipt of the notice.

Analysis of Article 11:

  1.   Asmentionedabove, many enterprises may need to make filings, and state resources are limited. As such, filing management by the CAC may only consist of a formality review. However, given the content of Article 11,  provincial-level CACs may also adopt methods such as spot checks, focusing on specific enterprises or industries

and making investigations based on whistle-blowing leads to conduct targeted substantive reviews of outbound personal information transfers.

Article 12: Where personal information processors follow these Provisions to conclude standard contracts with  overseas recipients to provide personal information overseas, and any of the following circumstances occur, the       provincial-level Internet information department is to follow the provisions of the “Personal Information Protection Law of the People’s Republic of China” to order corrections within a time limit; Where they refuse to make  corrections or harm the rights and interests of personal information, order them to stop activities of exporting  personal information, and punish them in accordance with law; Where a crime is constituted, criminal responsibility is to be pursued in accordance with law.

(1) Failing to perform filing procedures or submitting false materials for filing;

(2)Failing to perform the responsibilities and obligations stipulated in the standard contract, infringing on the rights and interests of personal information, causing harm;

(3) Other circumstances affecting the rights and interests of personal information arise.

Analysis of Article 12:

  1.    Itisworth noting that a “failure to sign the Standard Contract” is not a violation of these Provisions. However, as discussed above, the legal paths for exporting personal information are limited to those stipulated in Article 38   of the PIPL, which are:

(1) Critical information infrastructure operators and personal information processors handling personal  information that reach the number of personal information processors provided for by the state network information departments for outbound conduct shall pass a security assessment organised by the state   network information departments;

(2) Conduct personal information protection certification through professional bodies in accordance with the provisions of the state network information departments;

(3) Conclude a contract with an overseas recipient in accordance with a standard contract formulated by the State Internet Information Department, stipulating the rights and obligations of both parties;

(4) Other requirements provided for by laws, administrative regulations, or the State Network Information Department.

  1.    IfaChinese enterprise fails to sign a Standard Contract and fails to meet the requirements of other personal      information export routes, it will not be punished for violating the provisions of Article 12. However, it will have violated Article 38 of the PIPL and may need to bear legal liability.
Article 13: These Provisions shall take effect as of

Analysis of Article 13:

  1.   Wehopethat when the CAC issues the final version of the above provisions, it will fully consider the time required for enterprises to comply with the new regulations (legal analysis, translation, negotiation with  overseas recipients, etc.) and provide a reasonable time for enterprises to comply before the official         implementation date.

On 7 July 2022, the Cyberspace Administration of China (“CAC“) issued the Measures for the Security Assessment of  Outbound Data Transfers (“Measures“), which will take effect on 1 September 2022. The Measures underwent three rounds of public consultation in 2017, 2019 and 2021 before they were finalised.

In its final form, the Measures contain 20 articles. We have identified 11 topics within the Measures that cover:

No. Topic Articles
1. Purpose and scope 1 & 2
2. Important data 19
3. Security assessment triggers 4 & 14
4. Data transfer legal documents 9
5. Self-assessments 5
6. Security assessment applications 6
7. Security assessments 3, 8, 10, 11 & 14
8. Security assessment timescales 7, 12 & 13
9. Confidentiality obligations 15
10. Liability 16, 17 & 18
11. Effective date and transitional period 20

In the following, we shall discuss each of the topics that we have identified in turn.

Purpose and Scope  Articles 1 & 2

The stated purpose of the Measures is “to regulate outbound data transfer activities, protect personal information rights and interests, protect national security and social and public interests, and promote a safe and free flow of   data across borders” (Article 1).

Article 2 goes on to state that the measures apply to security assessments of outbound data transfers involving important data and personal information collected and generated by data processors through their operations in     China. Based on Article 2, it seems that the Measures do not apply to personal information collected and generated by data processors from outside of China.

Important Data  Article 19

The Measures contain a definition of important data in the context of outbound data transfers. Important data is a nebulous concept in Chinese laws and regulations which requires further elaboration by the CAC and relevant industry regulators. For now, the term has only been further defined in the field of automotive data and in a few    draft regulations. Below we compare the definition in the Measures with the core of the definition in the Several    Provisions on Vehicle Data Security Management (Trial) (“Trial Provisions“).

Measures for the Security         Assessment of Outbound Data Transfers Several Provisions on Vehicle Data Security Management   (Trial) Comments

For the purposes of these Measures, the term “important data” means any data, the tampering, damage, leakage, or illegal acquisition or use of which, if it happens, may endanger national security, the operation of the economy, social stability, public health and security, etc.

The term “important data” refers to any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may lead to endangerment of national security or public interests, or infringement of the lawful rights and interests of an individual or organisation, including the following data:

[Examples omitted]

Both definitions are risk-based, though the consequences that they consider differ slightly. We have made bold the more significant differences.

As the CAC was involved in the preparation of both regulations, the differences suggest that the definition of important data will generally be: data that, if breached, may endanger the interests of the nation, public or persons.

Security Assessment Triggers  Articles 4 & 14

An entity must declare intended outbound data transfers by a data processor to provincial CACs and seek security assessments if the data processor:

1)   intends to transfer important data;

2)   is a Critical Information Infrastructure operator (“CIIO“) intending to transfer personal information;

3)  is a personal information processor who has processed the personal information of over 1 million people;

4)  has cumulatively made outbound transfers of the personal information of over 100 thousand people since 1 January of the previous year;

5)  has cumulatively made outbound transfers of the sensitive personal information of over 10 thousand people since 1 January of the previous year; and

6)   falls within other situations prescribed by the CAC.

Whether companies will be regarded as CIIOs remain unclear in many industries. Despite the uncertainty in existing and future regulations,a more straightforward judgement would be that a company is not a CIIO unless it has been notified by a competent authority that it has been identified as a CIIO.

It is understood that many companies would prefer to see a rise in the threshold transfer volumes of personal information that trigger security assessments.

Security assessments can also be retriggered in one of the following circumstances:

1)  there is a change in the particulars of processing by the overseas recipient, which will affect the security of the data, or the period for retaining data is to be extended;

2)  there is any change in the data security protection policies and legislation and cybersecurity environment, or a force majeure event occurs where the overseas recipient is located,

3)  there is a change in the actual control of the data processor or overseas recipient or any change to the data transfer agreement, which will affect the security of the outbound data; or

4)   any other circumstance exists that may affect the security of the data.

Data Transfer Legal Documents  Article 9

The Measures state that the legal documents between the data exporter and data importer for outbound data transfers should cover:

1)   the purpose and method of the outbound data transfer, the scope of data, and the purpose and method of the data processing;

2)   the data retention place and period, and obligations when the retention period expires, the transfer purpose completes, or the agreement is terminated;

3)   restrictions against onwards transfers of outbound data to others;

4)  security measures to be adopted when material changes occur in relation to the overseas recipient, the  legal, regulatory environment and cybersecurity environment of the destination country, or a force majeure event occurs that makes it difficult to ensure data security;

5)   remedial measures, liability for breach of contract and dispute resolution in the event data security protection obligations are breached; and

6)  requirements for proper emergency disposal and ensuring the channels and ways for individuals to safeguard their personal information rights and interest when data is exposed to the risk of security breaches.

On a related note, the CAC also issued the Draft Provisions on Standard Contracts for the Export of Personal Information on 30 July 2022, which also deal with outbound data transfers and contains a draft Standard Contract   that was prepared for use in situations that would not trigger the security assessments under the Measures. While they certainly have some similarities, companies should not assume that signing the Standard Contract would meet the requirements in the Measures.

Selfassessments  Article 5

After a security assessment is triggered, but before a security assessment application is made, a data processor    should conduct a self-assessment. Data processors need to address the following factors during self-assessments:

1)   the legality, legitimacy and necessity of the transfer and the purpose, scope and manner of data processing by the overseas recipient;

2)   the quantity, scope, type and sensitivity of the outbound data, and the risks the outbound data might pose to national security, public interests, and the lawful rights and interests of individuals and organisations;

3)  whether the responsibilities and obligations undertaken by the overseas recipient and the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations can ensure the security of the outbound data;

4)   the risk of the outbound data suffering from data breaches, including unauthorised onward transfers, during and after the outbound data transfer, and whether individuals have smooth channels to safeguard their rights and interests in their personal information and other data;

5)  whether data security protection responsibilities and obligations are sufficiently stipulated in the data transfer agreement or other documents; and

6)   other matters that may affect the security of the outbound data transfer.

Some of the factors described above are also subjects of the personal information protection impact assessment  (“PIPIA“) required under the Personal Information Protection Law (“PIPL“). We believe it would be cost-effective for  companies to consider all assessment factors under both the PIPL and the Measures and make one consolidated self- assessment.

Security Assessment Applications  Article 6

Applications for security assessments should contain:

1)   an application form;

2)   a self-assessment report;

3)   a copy of the outbound data transfer agreement; and

4)   other materials required by the CAC.

Security Assessments  Articles 3, 10, 8, 11 & 14

According to Article 3 of the Measure, a security assessment of outbound data transfers should combine ex-ante assessment and ongoing supervision and self-assessment and security assessment.

The substantive content of a security assessment by the CAC overlaps significantly with the above-mentioned self- assessments, except for the following matters:

1)   the impact of data security protection policies and legislation and the cybersecurity environment of the         country or region where the overseas recipient is located on the security of the outbound data; whether the data protection level of the overseas recipient meets the requirements of Chinese laws and administrative   regulations and the mandatory national standards;

2)  the compliance with China’s laws, administrative regulations and departmental rules; and

3)   other matters to be assessed the CAC deems necessary.

We note that item 1) above seems to describe something which is similar to the “transfer impact assessment” in the EU and that data processors are not expected to cover such things in their self-assessment report. As government    departments have limited resources, we doubt that they will make such assessments on a case-by-case basis.  Accordingly, we wonder whether a central transfer impact assessment list exists at this time, whether it will become accessible in the future, and how it will be managed and updated.

The CAC can terminate security assessments if the CAC requires additional materials and a data processor refuses to submit them.

Under Article 14, the results of a security assessment are valid for two years unless a retriggering event occurs. Data processors will need to apply for a reassessment after expiration.

Security Assessment Timescales  Articles 7, 12 & 13

Security assessment applications need to be submitted to the relevant provincial CAC, which should confirm the        completeness of documents within a maximum of 5 working days. Then the application documents will be provided to the central CAC for substantive review, which should take a maximum of 45 working days from the date of issuing a written acceptance of the application. Accordingly, in normal circumstances, the entire process of applying for and undergoing a security assessment might take up to 50 working days (approximately 2.5 months).

However, the Measures allow the CAC to extend the deadline for completing a security assessment “as appropriate” if the “case is complicated or there are materials to be supplemented or corrected…”

If a data processor objects to the assessment results, it should apply for a reassessment within 14 working days of the receipt of the assessment results. According to Article 15, the results of a reassessment are final.

Confidentiality Obligations  Article 15

Institutions and staff that participate in security assessments must keep confidential, as required by law, any   information that they learn during their work. This includes any state secret, personal privacy, personal information, trade secret, confidential business information, and other data.

Liability  Articles 16, 17 & 18

Any person may report violations of the Measures to the CAC.

If the CAC discovers outbound data transfers that have passed a security assessment no longer conform to the  Measures during the implementation of data transfers, it may notify the data processor to terminate such transfers. If the data processor needs to continue making such transfers, it should make “rectification as required” before

applying for a reassessment. The full implications of this are unclear at this time, but it suggests that the CAC may     eventually interpret or construe data transfer agreements and decide whether they are being properly performed,   or they might attach conditions to the transfers following their assessments or both.

Violations are to be dealt with under the Cybersecurity Law, the Data Security Law or the PIPL, and other laws and     regulations depending on the data processor, the data and the nature of the violation. We note that violations of the PIPL may attract the highest penalties, specifically, up to CNY 50 million or 5% of the violator’s revenue in the  previous year.

Effective Date and Transitional Period  Article 20

The Measures take effect on 1 September 2022. This means that any relevant outbound transfers from 1 September 2022 should only be carried out after data processors have passed security assessments. For outbound data transfers carried out before 1 September 2022, “rectification” shall be completed within 6 months after 1 September 2022. It is unclear if this means that the data processor must pass the security assessment within this 6-month grace period, or perhaps the submission of an application for security assessment within this period would be sufficient.     Nevertheless, given these deadlines, possible delays, the 2022 spring festival holidays and other factors, werecommend that data processors should endeavour to submit their applications for security assessments as soon as  possible.

Summary

The requirements for security assessment apparently add a layer of onerous compliance burdens to the operations of many businesses. The various thresholds of personal information that trigger security assessments are low and   may affect many multinational companies doing business in China. These new requirements also create some  uncertainty, particularly among entities that depend on cross-border transfers of data to conduct business. This uncertainty will not be resolved until the Measures take full effect and the processing of security assessments becomes standardised in practice.

Businesses that will likely be subject to the security assessment regime should act now –  take stock of their data flows, renegotiate their cross-border data transfer contracts and ensure that their data protection practices align     with the requirements of the Measures and other Chinese laws and regulations. Businesses that operate in areas of higher risk may also wish to begin creating contingency plans in case they are prohibited from transferring certain   data out of China.

After 14 years of enforcement of China’s Anti-Monopoly Law (the “AML”) since 2008, the Standing Committee of the National People’s Congress of China has amended the AML after a two-year review with several rounds of deliberations and issued a new version (“the New AML”) on June 24, 2022. In addition to updating the rules regulating monopoly agreements and abuse of dominance, noteworthily, the New AML brings substantial changes to the merger control rules and procedures, such as introducing the “stop-the-clock” mechanism, establishing the categorized and classified merger control system and others.

Shortly after the promulgation of the New AML, a package of regulations sprang up, like bamboo shoots. On June 27, 2022, SAMR subsequently published several draft amendments of the implementation regulations for public comments, the draft implementation rules regarding notification threshold (“Threshold Rules”) and review of concentration of undertaking (“Review Rules”) are included. And uncoincidentally, with the aim to echo the categorized and classified merger control system in the New AML, SAMR Announcement Regarding Pilot Delegation of Anti-Monopoly Review of Certain Concentration of Undertakings Cases (the “Announcement”) was issued on July 15, 2022. The table below shows the status of the above four legislations.

No.

Laws and Regulations Status
1 The New AML Will take effect on August 1, 2022
2 Threshold Rules Under the way of soliciting public comments, ended July 26, 2022
3 Review Rules Under the way of soliciting public comments, ended July 26, 2022
4 The Announcement Will take effect on August 1, 2022

While the Threshold Rules and Review Rules are still at the stage of soliciting public opinions, we believe changes reflected in the above legislation and draft legislations have plentiful implications to companies operating business in or related to China. Therefore, this article intends to snapshot those key changes to China’s merger control regime, to the benefits of companies that are frequently obliged to file the antitrust notification in China.

1.Imminent change of the filing thresholds

The former turnover thresholds have remained unchanged since the AML was promulgated in 2008 despite significant economic growth in China. Therefore, it has been criticized for being too low and thus these comparably low thresholds increased the number of transactions that are obliged to be notified to SAMR each year. This time, SAMR proposes to increase the turnover threshold to adapt to the country’s economic development. In the meantime, it is noteworthy that a brand-new threshold category was introduced. Specifically, the proposed new filing thresholds are:

  • The aggregated global turnover of all concentration undertakings in the last fiscal year exceeds RMB 12 billion(approx. USD 1.8 billion) (increased from RMB 10 billion), and at least two of these undertakings each had a turnover of more than RMB 800 million (approx. USD 120 million) (increased from RMB 400 million) within the territory of the PRC; or
  • The aggregated turnover of all the concentration undertakings exceeds RMB 4 billion(approx. USD 600 million) (increased from RMB 2 billion) within the territory of the PRC, and at least two of these undertakings each had a turnover of more than RMB 800 million (approx. USD 120 million) (increased from RMB 400 million) within the territory of the PRC; or
  • An undertaking that has a Chinese turnover of more than RMB 100 billion(approx. USD 15 billion) in the last fiscal year; and the other undertaking in a merger or the target in an acquisition had a market value or market valuation of more than RMB 800 million (approx. USD 120 million), plus its turnover within the territory of PRC is more than one-third of its global turnover.

With the increase of the turnover thresholds, SAMR may be able to better focus its limited administrative resources on complex cases. Also, it can be estimated that certain small companies with low revenue could be relieved from the filing obligation if the increased turnover thresholds are adopted in the end.

Compliance tips:

  • Companies should be reminded to apply the new filing thresholds after they are finally determined and become effective and pay attention to the rules about transition period.
  • The newly introduced filing threshold would impose large companies with a Chinese turnover of more than RMB 100 billion an additional obligation. They should pay close attention to their transactions with innovative targets who have the required revenue and market value (market valuation) as the transactions in this kind could be largely notifiable before SAMR.

2.Categorized and classified merger control system

The New AML adds a declaratory provision that SAMR should complete and perfect a categorized and classified merger control system, strengthening the review of concentrations in critical areas concerning national development and livelihood.

The Announcement details the above provision and specifies that, SAMR is to start delegating part of its function on reviewing simple cases to five local antitrust regulators, namely the respective Administrations for Market Regulation (“AMR”) of Beijing, Shanghai, Guangdong, Chongqing and Shaanxi Province. The five local AMRs will start to handle simple case filings where one of the notifying parties, the proposed-established JV, or the relevant geographic markets defined have nexus in the respective region as early as August 1, 2022, when the New AML will take effect.

No. Local AMRs Responsible Regions
1 Beijing AMR Beijing, Tianjin, Hebei, Shanxi, Inner Mongolia, Liaoning, Jilin, Heilongjiang
2 Shanghai AMR Shanghai, Jiangsu, Zhejiang, Anhui, Fujian, Jiangxi, Shandong
3 Guangdong AMR Guangdong, Guangxi, Hainan
4 Chongqing AMR Henan, Hubei, Hunan, Chongqing, Sichuan, Guizhou, Yunnan, Tibet
5 Shaanxi AMR Shaanxi, Gansu, Qinghai, Ningxia, Xinjiang

The below chart illustrates the workflow among the notifying party(ies), SAMR and local AMRs who are delegated to review the merger filings.

Compliance tips:

  • This is SAMR’s first try to delegate its merger control review power to local AMRs. The review timeframe for the simple cases delegated should be further observed.
  • It is advisable for notifying parties to keep in mind pre-notification whether their cases can be applied to simple filing procedure and are likely to be delegated to local AMRs; whether the relevant markets defined and the market shares thereof, especially when being asked to segment the relevant markets whether the market shares in the segmented markets can still make the deal applicable for the simple filing procedure.
  • It is not crystal clear whether foreign-to-foreign cases will be delegated to local AMRs in the future, and further observation is necessary.
  • The delegation mechanism is intended to further improve the review efficiency. However, in the beginning stage, it is uncertain yet how long it may take the local authorities to complete the review given their limited experience. But in the long run, we believe this mechanism will further decrease the review time of simple cases.

3.Establishment of a “stop-the-clock” mechanism

The New AML introduces the ‘stop-the-clock’ mechanism to suspend the review process under three circumstances, including (i) where undertakings fail to provide necessary information or documentation; (ii) where new material facts which affect the review of the concentration need to be examined; and/or (iii) where conditions to be imposed on the proposed concentration need to be further evaluated and a relevant undertaking makes a request for suspension.

This amendment will afford SAMR more time and flexibility to review mergers, particularly cases subject to remedy negotiations. Prior to the amendment, the maximum period for review is 180 calendar days, however, in practice, SAMR is unable complete its review in most conditionally approved cases when the 180-day review period expires, thus the notifying parties frequently “pull and refile”. With this amendment, SAMR will have a tool to stop the review clock during the review process.

Compliance tips:

  • The New AML does not contain a maximum length of time in which the merger review can be suspended and the number of times SAMR can stop the clock.
  • It is advisable for notifying parties to leave sufficient time for antitrust clearance in the transaction documents and should be better to make agreement with transaction parties to closely collaborate in RFI responding and document submission.
  • For complex cases, the notifying parties are recommended to assess the potential competition concerns of the transaction before the filing, or even before proceeding substantive transaction negotiation. As such, with strategies to address the potential remedies beforehand, the notifying parties could speed up the case review process rather than being delayed by the “stop-the-clock”.
  • For simple cases, “stop-the-clock” is unlikely.

4.Heavy fines for not filing

Compared to the 2008 version of AML, the merger control-related penalty is significantly strengthened from the perspectives of both the pecuniary penalty and the negative impact on credit records. Under the New AML, the fines for failure to file are divided into two categories: (i) transactions which do not or are unlikely to restrict or eliminate competition; and (ii) transactions which do or are likely to restrict or eliminate competition. An undertaking will face up to a fine of RMB 5 million (approx. USD 0.75 million) if its transaction belongs to the first c category and will face up to 10% of its turnover in the last fiscal year if its transaction belongs to the second category.

In the meantime, Article 64 of the New AML states that “where an undertaking is subject to an administrative penalty due to a violation of this Law, the penalty shall be entered into the undertaking’s credit records pursuant to the relevant provisions of the Law, and the information shall be disclosed to the public.”

Compliance tips:

  • In addition to the largely incremental fines, undertakings are much concerned about the penalty in credit as it will affect a company’s corporate reputation and have a negative impact on the company’s future government procurement and bidding activities, etc. Hence, it is advisable for companies to be more prudent in determining whether a merger notification should be filed.
  •  Undertakings are also recommended to use their subsidiaries instead of parent company to conduct transactions and sign the transaction documents, trying to alleviate any negative credit impacts if penalties are unavoidable.

5.Focus on “killer acquisition”

The New AML clarifies – and arguably encourages – SAMR’s ability to investigate transactions falling under the turnover thresholds but which have or are likely to have the effect of excluding or restricting competition. It also clarifies that SAMR is entitled to impose conditions or prohibit such transactions, or in case the transaction has been closed, request the parties to unwind the transaction.

Regarding the specific procedure, Article 7 of the Review Rules states that if there is evidence that a transaction may exclude or restrict market competition even the mandatory turnover threshold is not met, SAMR has the right to notify by written notice the undertaking and require the undertaking involved to submit a notification within 180 days from the notification date. And further, SAMR clarifies that (i) if the transaction has not been implemented by the notification date, the undertakings must hold on the implementation until receiving clearance; whereas (ii) if the transaction has been implemented by the notification date, SAMR reserves the right to take necessary steps to restore market competition.

Compliance tips:

  • There’s no precedent about how SAMR will probe the “killer acquisition”. Future cases in this regard will need to be further observed.
  • Learning experiences from other jurisdictions in the EU and the US, industries such as high-tech, pharmaceuticals and platform economy could be the main target. Thus, to secure the certainty of the transaction, transaction parties in the above areas could better consult SAMR about whether transactions are notifiable even the pre-assessment showing that the mandatory filing thresholds are not satisfied.

In summary, this briefing provides an overview of the important changes and potential ones to China’s existing merger control rules and procedure. The public consultation for the Threshold Rules and the Review Rules will run until July 26, 2022, after which we expect further revisions to the draft. We are closely monitoring any changes and will provide further updates.

Background

On 30 June 2022, the Cyberspace Administration of China (“CAC“) issued the Draft Provisions on Standard Contracts for the Export of Personal Information (“Draft Provisions“) for public consultation. The Draft Provisions open a lawful path for cross-border data transfers under Article 38 of the Personal Information Protection Law (“PIPL“). The deadline for feedback is 29 July 2022.

The Draft Provisions contain a draft Standard Contract for the Export of Personal Information (“PRC SCCs“), which we shall compare in detail below to the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries under Regulation (EU) 2016/679  issued by the European Commission on 4 June 2021(those standard contractual clauses, the “EU SCCs“; and that regulation, the “GDPR“).

Note on the Terms used

We note that the lexicons used by the PIPL and GDPR vary somewhat. The terms we use to discuss the Chinese SCCs and EU SCCs (collectively or generally, “SCCs“) reflect the terms used in the PIPL and GDPR, respectively. A table of equivalent concepts is provided below:

PIPL GDPR
Personal Information Processor Data Controller
Entrusted Processor* Data Processor
Personal Information Protection Impact Assessment or PIPIA Data Protection Impact Assessment or DPIA
Personal Information Subject Data Subject
Sensitive Personal Information Special Categories of Personal Data
Overseas Recipient Data Importer
Regulator Supervisory Authority

*This is a concept that can be understood in the context of Article 21 of the PIPL but is not explicitly defined in the PIPL.

Use scenarios

The PRC SCCs may only be used in the following relevant cross-border transfer scenarios:

  • Non-critical information infrastructure operators;
  • The Personal Information Processor has handled the personal information of less than 1 million people ;
  • Since January 1 of the previous year, the cumulative amount of personal information provided overseas has not reached 100,000 people ;
  • Since January 1 of the previous year, the cumulative amount of sensitive personal information provided overseas has not reached 10,000 people.

For more information about relevant cross-border data transfers, please see China Releases Draft Standard Contract for Cross-border Data Transfers by Samuel Yang.

It is unclear if the PRC SCCs are customisable. However, Article 38 of the PIPL clearly states that contracts should be “in compliance with the standard contract provided by the national cyberspace authority…” Which could mean that the PRC SCCs should remain unchanged and be used as an intact document.

General observations

We note that the PRC SCCs consist of 9 articles and 2 appendices, while the EU SCCs consist of 18 clauses and 3 appendices. However, such a high-level comparison does not necessarily indicate the substance of either document.

The PRC SCCs can be considered a single document that applies to all relevant cross-border data transfers. They apply to all processors of personal information and do not define Entrusted Processors.

In contrast to the PRC SCCs, the EU SCCs can be considered 4 documents covering 4 different cross-border data transfer scenarios. Those transfer scenarios are: controller to controller; controller to processor; processor to processor; and processor to controller. Users of the EU SCCs require some familiarity with its layout as use requires the selection and deletion of clauses to match the transfer scenario.

Direct Comparison

We have produced the table below to help readers understand the structures of the PRC SCCs and EU SCCs. The table matches various topics identified within each document to specific provisions.

Topic PIPL SCCs GDPR SCCs AnJie’s Comments
Definitions and interpretation. Article 1

Clause 1.

Clause 4.

The PRC SCCs provide 7 definitions and a catch-all. Some definitions refer directly to the PIPL, while others are China-specific. For instance, “Relevant laws and regulations” refers to Chinese laws and regulations only.

While the EU SCCs lack a specific definitions section, Clause 1 therein contains some generic definitions found in most agreements, while Clause 4, an interpretation clause, refers readers to the GDPR for terms defined there.

One thing to note is that Entrusted Processors, a concept that is defined in the context of Article 21 of the PIPL, are not described or referred to in the PRC SCCs. To express this in GDPR terms, the Chinese SCCs do not explicitly recognise the existence of Data Processors.

Sensitive personal information and special categories of personal data Article 1. Module One, Clause 8.6.

The EU SCCs provide an explicit definition without cross-references to the GDPR, while the PRC SCCs refer to the definition under the PIPL.

We note that the relevant definitions under the PIPL and GDPR vary significantly, with the PIPL employing an open risk-based definition (PIPL, Article 28) and the GDPR employing what appears to be a very narrow and closed definition limited by examples.

In practice, this means that sensitive personal information under the PRC SCCs will include other things that are not included in the EU SCCs. For instance, your bank details are not special categories of personal data under GDPR but would be sensitive personal information under the PIPL.

Transparency. Article 2, Item 2

Module One, Clause 8.2.

Module Two, Clause 8.3.

Module Three, Clause 8.3.

The PRC SCCs require personal information processors to inform Personal Information Subjects about the particulars of all overseas recipients.

In contrast, the EU SCCs only explicitly require Data Controllers to inform Data Subjects about the particulars of an overseas recipient where the said recipient is another Data Controller.

Data minimisation. Article 2, Item 1. Module One, Clause 8.3.

Under the PRC SCCs, the burden of ensuring data minimisation is on Personal Information Processors that act as transferors. In contrast, the EU SCCs appear to only burden Data Controllers that act as Data Importers.

Placing the obligation on the party that initially controls that information seems to be a better way of controlling the risks associated with such transfers as a Data Importer cannot abuse data they lack. However, to manage this potential conflict in legal obligations, we imagine that, in the near future, many PRC-EU DPAs will include mutual commitments concerning data minimisation.

Personal Subject or Data Subject (collectively or generally, “Subject”) rights.

Article 2, Item 3.

Article 2, Item 8.

Article 3, Item 2.

Article 5.

Article 6, Item 1.

Clause 3.

Module One, Clause 8.3.

Module Three, Clause 8.3.

Clause 10.

Subject rights vary between the PRC and the EU. Additionally, Subject rights under the PRC SCCs are enforceable against both parties, while under the EU SCCs, the matter of enforceability depends on the nature of the underlying cross-border data transfer scenario.

Both SCCs require a recipient to provide notices or information on its website detailing the contact details for a person who can handle inquiries and how enquiries should be handled.

Both SCCs treat Subjects as third-party beneficiaries with a right to view the relevant SCCs. Moreover, both SCCs allow the principal contracting parties to charge fees or refuse to comply with unreasonable Subject requests.

Due diligence on the recipient. Article 2, Item 4 Clause 8.

Personal Information Processors must, under the PRC SCCs, “use reasonable efforts” to ensure that “the overseas recipient can fulfil its obligations“.

Likewise, the EU SCCs require a Data Exporter to use “reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations…

The use of a reasonable efforts standard by both SCCs is interesting. We note that other parts of both SCCs stipulate best efforts standards, suggesting that the due diligence standards of care are lower than those for other matters.

Secure processing.

Article 2, Item 4.

Article 3, Item 5.

Module One, Clause 8.5.

Module Two, Clause 8.6.

Module Three, Clause 8.5.

Module Four, Clause 8.2.

Generally, the provisions of both SCCs aim to bring about the same or similar outcomes, namely appropriate technical and organisational measures. While the EU SCCs elaborate more on things that should be considered to bring about such outcomes, such additional details are arguably unnecessary.

Concerning access controls, there appears to be broad equivalence between the SCCs. However, the PRC SCCs explicitly require Overseas Recipients to have “a minimum authorised access control policy…

 

Provision of laws and technical standards. Article 2, Item 5. N/A Personal Information Processors must provide Overseas Recipients with a copy of “relevant legal provisions and technical standards” upon request. This does not appear to have an equivalent within the GDPR. Should the exercise of such a right occur in practice, we imagine that foreign recipients might need translations. Procuring such translations, especially technical standards, could be expensive in practice. Contracting parties should consider this in their pricing and negotiations.
Cooperation with regulatory authorities and acceptance of their oversight.

Article 2, Item 6.

Article 3, Item 12.

Module One, Clause 8.9.

Clause 13.

Under the PRC SCCs, both contracting parties agree to respond to the Regulator’s enquiries. Moreover, the Overseas Recipient must agree to cooperate with the Regulator’s inspections, obey the Regulator and provide them with proof that “necessary actions have been taken.” We imagine the PRC SCCs could cause issues if EU blocking statutes exist (which we understand is the case).

Under the EU SCCs, the Data Importer only agrees to make documents available to the Supervisory Authority. While this requirement is less onerous than that found under the PRC SCCs, we note that under the Data Security Law, Article 36, “Any organisation or individual within the territory of the PRC shall not provide any foreign judicial body and law enforcement body with any data stored within the territory of the PRC without the approval of the competent authority of the PRC.

Impact assessment.

Article 2, Item 7.

Article 4.

Clause 14.

The PRC and EU SCCs require a transferring party to conduct impact assessments for cross-border data transfers. Whilst the obligations of the SCCs do not wholly align, we believe that, in practice, a single assessment form or template could be used to ensure compliance with both sets of SCCs.

As the GDPR and EU SCCs predate the PIPL and the PRC SCCs, we expect that many such forms or templates will likely be variations of styles used in the EU.

Compliance and record keeping.

Article 2, Item 9.

Article 3, Item 10-12.

Module One, Clause 8.9.

Module Two, Clause 8.9.

Module Three, Clause 8.9.

Module Four, 8.3

Under the PRC SCCs, Personal Information Processors are burdened with proving that they have fulfilled their contractual obligation. In the case of disputes between the contractual parties, it is unclear if this would function as a reverse burden of proof. However, such a reverse burden of proof could exist in disputes with Subjects.

Overseas Recipients under the PRC SCCs must provide Personal Information Processors with evidence of their compliance, access to files and documents, facilitate audits, and accept the Regulator’s supervision. Overseas recipients must retain their records for at least 3 years.

Under the EU SCCs, obligations vary depending on the cross-border data transfer scenario, but in all cases involve being able to demonstrate compliance (sometimes to the other party) and making documents available to the regulator upon request. Modules Two to Four require recipients to facilitate audits and, for Modules Two and Three only, specify that audits may occur onsite.

Transfer particulars.

Article 3, Item 1.

Appendix 1

Clause 6.

Clause 8.1.

Annex I.

Annex II.

Both SCCs rely on an Appendix or Annex to state the particulars of a specific cross-border transfer. They are broadly comparable, except that the PRC SCCs require a clear statement on the quantity of personal information transferred and suggest using the personal information categories listed in recommended national standard GB/T35273.
Access by government authorities at destination. Article 3, Item 7. Clause 15.

The EU SCCs describe how to handle legally binding requests or demands from foreign authorities with jurisdiction over personal information in the destination country. This is a prudent measure to help entities manage conflicting legal systems.

Unfortunately, the PRC SCCs contain no explicit provisions about dealing with legally-binding requests or demands from foreign authorities with jurisdiction over personal information in the destination country. We note that there is an express and general prohibition against providing “personal information to third parties located outside the PRC.” This could cause issues in practice and might deter entities from transferring their data abroad.

Data retention and deletion.

Article 3, Item 4.

Appendix 1.

Module One, Clause 8.4.

Module Two, Clause 8.5.

Module Three, 8.5.

The provisions under both SCCs are broadly comparable with the exception that, under the PRC SCCs, an Entrusted Processor who is an Overseas Recipient must provide an audit report after deletion or anonymisation.
Data breaches. Article 3, Item 6.

Module One, Clause 8.5.

Module Two, Clause 8.6.

Module Three, Clause 8.6.

Module Four, 8.2.

Under the PRC SCCs, the requirements for handling all data breaches involve taking remedial measures, “immediately” notifying the Personal Information Processor and the Regulator, notifying Subjects if required by law, and documenting all facts about breaches. We do not believe that “immediately” is to be taken literally. However, some industries in China, such as insurance,  have reporting requirements that can be as short as one hour. As such, the meaning of immediately should not be assumed, and a service level agreement may be desirable for some industries.

Obligations concerning data breaches under the EU SCCs can vary depending on the cross-border data transfer scenario and risk level. For instance, transfers between Data Controllers attract the most onerous obligations in the event of high-risk data breaches. In contrast, transfers from Data Processors to Data Controllers only require the Data Processor to notify and assist the Data Controller.

Onward transfers. Article 3, Item 7.

Module One, Clause 8.7.

Module Two, Clause 8.8.

Module Three, Clause 8.8.

There are transparency requirements for onward transfers under the PRC and EU SCCs. See above for more details.

To make an onward transfer under the PRC SCCs, the following conditions must exist: (i) the transfer is necessary, though what that entails precisely is unclear at this time; (ii) the transfer is disclosed to Subjects and, if necessary, with their consent; (iii) the transfer must be subject to a written agreement that provides protection not lower than the standards in PRC law and the assumption of joint and several liabilities for harm to Subject; and (iv) a copy of the onward transfer agreement must be provided to the Personal Information Processor.

Under the EU SCCs, onward transfers much be subject to the EU SCCs or to “a country benefitting from an adequacy decision“, a third party that ensures appropriate safeguards. The transfer is necessary for litigation purposes, or the transfer is required to protect the vital interests of others.

Entrusted Processing & Data Processors. Article 3, Item 8. Modules Two, Three and Four. This is a significant area of divergence as the PRC SCCs does not significantly distinguish between types of entity that process personal information, while the EU SCCs treat Data Controllers and Data Processors very differently depending on the cross-border data transfer scenario.
Sub-processors.

Article 3, Item 8.

Appendix 1.

Clause 9.

Annex III.

Both SCCs seem to allow for sub-processing. However, the PRC SCCs do not explicitly address this particular issue, which means that sub-processing would be treated like any other onward transfer.

As for the EU SCCs, they require sub-processors to be bound by “in substance, the same data protection obligations as those binding the data importer” and allow for (i) specific prior authorisation or (ii) general authorisation from a list.

Automated decision-making. Article 3, Item 9. Clause 10.

Under the PRC SCCs, automated decision-making must be transparent, fair, and equitable. It may not be used to apply unreasonable differential treatment in terms of transaction conditions.

Under the EU SCCs, automated decision-making that produces effects concerning a subject or significantly affecting them may not occur unless the Subject consents to such processing or it is permitted under laws with appropriate safeguards.

Choice of law and jurisdiction.

Article 6, Items 2-5.

Article 9, Item 2.

Article 9, Item 5.

Article 9, Item 6.

Clause 11.

Clause 17.

Clause 18.

The EU SCCs stipulate the law of an EU member state or, for Data Processor to Data Controller Arrangements, the laws for a country that allows for third-party beneficiary rights. It gives jurisdiction to the courts of an EU member, including the place where a Subject habitually resides.

The PRC SCCs stipulate Chinese law.

If a Subject, as a third-party beneficiary to the contract, brings an action, they must comply with the Civil Procedure Law of the People’s Republic of China to determine jurisdiction, meaning a Chinese court with jurisdiction will be selected.

In the case of the contracting parties, the contract allows for dispute resolution in a Chinese court with jurisdiction or an arbitral institution in a country that is a member of the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards.

Termination and suspension. Article 7. Clause 16.

Under the EU SCCs, if the Data Importer breaches its obligations, the Data Exporter may suspend the contract until the breach is remedied or the contract is terminated. Several types of breaches or circumstances may trigger termination.

Under the PRC SCCs, Overseas Recipients have similar rights to Data Exporters under the EU SCCs, while Personal Information Processors enjoy 2 additional grounds: (i) breach by the Overseas Recipient of the laws in the country where it is based; (ii) bankruptcy, dissolution or liquidation. Additionally, termination may also occur at the election of either party if a Regulator has issued a decision that makes execution of the contract impossible or if both parties agree to the termination.

Liability for breach of contract. Article 8 Clause 12.

Under the PRC SCCs, “Liability between the parties is limited to the damages suffered by the non-breaching party.” At face value, this appears to exclude liability for lost profits.

Under both SCCs, Subjects are entitled to claim damages as third-party beneficiaries. Where more than one party causes a breach of Subject rights, both are jointly and severally liable to the Subject.

Precedence. Article 9, Item 1. Clause 5. Both SCCs claim to have precedence in the event of a conflict. This could cause difficulties in the event of a dispute involving both the EU and PRC.
Docking clause. Clause 7. No such mechanism exists under the PRC SCCs, which appear to be drafted for a scenario involving 2 contracting parties. Such a mechanism would be desirable for more complex processing scenarios.
Other matters agreed by the parties. Appendix 2 The PRC SCCs contain a blank page at their rear. This suggests that the CAC expects contracting parties to have additional needs. However, based on current cross-border data transfer practices, we suspect the PRC SCCs will function as an appendix or annex rather than the main agreement.

Implications

The PRC SCCs bear some similarities with the EU SCCs but differ on some key points. Multinationals with operations in the PRC and EU that wish to rely on SCCs may need to find ways to deal with those differences and conflicts or find alternative legal paths for their cross-border data transfers.

The likely alternative for many multinationals would be to obtain “certification of personal information protection” that has been “given by a professional institution in accordance with the regulations of the national cyberspace authority” under Article 39 of the PIPL. The National Technical Committee on Information Security of Standardization Administration (also known as “TC260”) has recently issued guidance on achieving such certification but more clarity is needed on things such as who are those “professional certification institutions” and how to start the certification journey.

Finally, for those who are able to use the PRC SCCs, we have observed that many multinationals annex the EU SCCs to their own customised global data transfer agreements, and we suspect the same will happen to the PRC SCCs in time.

Nearly fourteen years after its current Anti-Monopoly Law (“AML”) came into effect, China spares no efforts in strengthening antitrust enforcement and tightening relevant rules and regulations. Following the unprecedented Alibaba fines and a series of sector guidelines, that effort culminated this week, when the Standing Committee of the National People’s Congress (“NPC”) passed a new AML of amendments (“New AML”) to the current AML, with a few revisions to the previous draft (“Previous Draft”, together with an even earlier draft by State Administration for Market Regulation, the “Draft AML Amendment”) issued on 23 October 2021. Although a bill of law usually takes three rounds of deliberation before passage in China, it is possible to have a piece of legislation passed after two rounds where consensus could be achieved among relevant stakeholders; the New AML appears to be such an exception.

Beyond all doubt, the New AML, once becomes effective, will better arm the newly-established State Anti-Monopoly Bureau for a more challenging decade ahead. Having codified the current Chinese practices and adopted some foreign experience, the New AML aims to keep up with developments and market conditions that have transformed the way businesses are operated these days. While e-commerce and platform economy receive the most attention, sectors including people’s livelihood, finance, technology, and media are also highlighted. For many others, the new AML, while providing clearer procedure guidance, will take away the filing thresholds of safe harbour and impose harsher penalties for violations; antitrust and competition compliance will be put on the agenda, if not yet, for many undertakings, particularly those in key sectors.

I. The Main Aspects of the Draft AML Amendment

  • Focus on platform economy:Out of fear of the competitive expansion of tech giants, it is universally acknowledged that legislative actions need to be taken to address the perceived enforcement gaps between the old school antitrust rules and the new types of anti-competitive conduct that emerged in the digital era. After the 2021 Guidelines for Anti-Monopoly in the Field of Platform Economy (“Platform Guidelines”), the New AML provides both some general terms that prohibits the increasingly aggressive application of the abuse of dominance by platform entities and tailored clauses that list the exact forms of such conducts.
  • Tougher penalties with broadened targets: To secure the deterrence effects of the new AML, the New AML and Draft AML Amendmentpropose to increase the maximum level of fines for the relevant violations, especially gun-jumping, non-implementation of monopoly agreements and behaviours led by trade associations. Although the penal sum varies among different drafts, the final number set in the New AML is still several times of that under the current AML. Remarkably, the New AML creates a punitive penalty which multiplies fines by up to two to five times of the original penalty where the violation is serious. Those that do not generate any revenue in the previous financial years, too, cannot escape. In addition, it intends to impose liabilities on facilitators as well as legal representatives and the person in charge of or directly responsible.
  • Weakening stance against RPM: Distinct from its European and American counterparts, resale price maintenance (“RPM”) has long been an enforcement priority in China with a dichotomy method adopted by antitrust enforcers and Chinese courts; the Chinese antitrust enforcement authorities take the “prohibition + exemption”, a semi-per se illegal approach and Chinese courts choose a road that is akin to rule of reason. While the Supreme People’s Court of China attempted to justify the difference in its renowned Yutaijudgement, the New AML clearly discloses the Chinese policymakers’ preference toward the rule of reason approach by putting the burden of proof on the concerned undertakings to show that it does not eliminate or restrict competition and repositioning the definition of “monopoly agreement”.
  • Official introduction of safe harbour rules for monopoly agreements: Although safe harbour is not a new thing in China’s antitrust practice, previously it can only be found in some sector guidelines; the New AML now recognises the legitimacy of such block exemption in vertical agreement ina higher-level of law; details of the implementation rules, are yet to be established by the enforcement authority.
  • Expansion of the enforcement authority’s jurisdiction:Concerns over concentrations involving undertakings, notably in the digital or pharmaceutical sectors, that have or may have anti-competitive impacts in the relevant markets, albeit with limited income, have grown in the past few years. The New AML tries to fill the gap by conferring on enforcer authority to review transactions that fall below filing thresholds.
  • Establishment of a “stop-the-clock” mechanism:Currently, notifications filed in China have to be pulled and refiled after a maximum of 180 days review period; this process can be repeated in complicated cases, especially the ones approved with conditions. The New AML draws lessons from other jurisdictions and introduces the ‘stop-the-clock’ mechanism to suspend the review process under certain circumstances.

II. An In-Depth Look at the New AML

While largely in line with the previous draft, some proposed amendments, considering opinions from different sides, made under the New AML are novel; the detailed revisions are explained as follows:

  • Erosion of safe harbour:In the Previous Draft, a safe-harbour clause is introduced to provide a higher-level legal basis for exempting certain agreements, horizontal and vertical alike, with concerned parties’ market share lower than (unspecified) thresholds set by enforcement authorities. However, the New AML now limits the application of safe harbour to vertical agreements alone, which are usually considered to be less anti-competitive than horizontal agreements among competitors. That said, the safe harbour clauses under existing sector guidelines remain valid. The change implies a cautious and stringent position taken by the legislator.
  • Further refinement of platform economy rules:China makes no secret its ambition to tackle platform giants. A clause is included under the general provisions in the Previous Draft to prohibit undertakings from abusing data, algorithms, techniques, capital advantages and platform rules to eliminate or restrict competition. Despite the existence of the Platform Guidelines, the New AML further specifies some platform-specific anti-competitive conduct which mirrors the Platform Guidelines, on top of the general prohibition clauses under the chapter of abuse of dominance responding to the intensified antitrust scrutiny trend in the past year.
  • Soft landing of “killer acquisition” investigation:Some stakeholders and scholars suggested the rules for reviewing transactions falling below filing thresholds should be further clarified. The New AML addresses this by allowing the enforcement authority to request the parties to transactions to file; the enforcement authority shall initiate an investigation if the parties fail to do so. This rule should benefit both transaction parties and enforcement authorities; the parties will have more mobility while the enforcer could save constrained enforcement resources.
  • Altered enforcement authority:To reflect the elevation of the seniority of the market regulator’s antitrust unit, the State Anti-monopoly Bureau, the New AML now specifies the antitrust enforcement authority of the State Council to assume the power thereunder. The deputy ministerial-level enforcement authority, will now have more tools in its kits to carry on its duty.
  • Interplay between the judiciary and law enforcement:While the current AML and earlier versions of its draft amendment are almost enforcement-exclusive, the New AML supplements a general clause that requires the reinforcement of antitrust judicial activities and a fair and efficient approach by courts in hearing antitrust cases. It also calls for improving the interplay between the judiciary and law enforcement.

III. Looking Ahead

On 24 June 2022, the Standing Committee of the NPC officially passed the much-awaited AML Amendment. The potential impact on the competition landscape of the new AML, together with its supplementary rules, would be wide-ranging. Harsher penalties, expanded jurisdiction, altered procedures and standards are reasons why the new AML merits close attention from undertakings doing business in China and related to China; we will keep our clients apprised of any further updates.

 

What is Director and Officer Liability Insurance?

Directors and officers (“D&Os”) assume liability for many of their company activities, especially when their company is publicly listed. In many cases D&Os face significant legal exposure based simply on their signature, role and title, or status as a controlling person. This means that no matter how effectively, carefully, or in good faith their decisions are made, D&Os face the risk of being sued.

D&O insurance is designed to cover this risk. Namely, to protect executives, directors, as well as the companies they serve, against liability arising from actions taken in the course of doing business or managing the companies. This can include the legal costs and damages from being sued by plaintiffs or prosecuted by regulators, the costs of settling such actions, or other forms of liability.

D&O insurance first emerged on the Lloyds of London insurance market in the 1930s and while not mandatory, it is common with private and publicly traded companies alike.

With the listing of more and more Chinese companies in foreign markets, an increasing number of such companies now acquire D&O insurance. Within mainland China, due to revisions to the Securities Law of the People’s Republic of China and ensuing securities litigation, D&O insurance has also captured the attention of Chinese D&Os.

How Does Director and Officer Liability Insurance Work

When a crisis hits, a typical D&O policy covers both the corporate entity in addition to individual D&Os. Possible areas of coverage include insurance for investigations, tax liability, securities, and employment claims. Among these potential sources of liability, securities claims tend to raise the greatest exposure.

When a securities claim arises, D&Os are designed to cover “wrongful acts”. Depending on the language in D&O policies, this typically covers the kinds of mistakes, poor judgment, or negligence that lead to shareholder litigation. However, these “wrongful acts” normally do not include D&Os’ intentional or fraudulent acts.

What are the Limitations of Liability Insurance for D&Os?

D&O insurance does not cover against all types of liabilities. A number of exclusions exist to limit insurer liability, which can greatly affect coverage and settlements of shareholder litigation. Conduct exclusions exist to prevent benefits for intentional wrongdoing, like a criminal or fraudulent act, (including fraud on the market). In some cases, inappropriate conduct can lead to termination of coverage. Many policies also include a “prior knowledge” exclusion, which prevents claiming losses from lawsuits involving matters D&Os knew or should have known about prior to litigation. In some cases, the exclusion can only be triggered by a judicial ruling (“final non-appealable adjudication”, or some variant thereof).

In China, there is fierce debate over whether D&O covers losses resulting from government penalties. Decision-makers within China’s insurance market hope for court precedent that could clarify this issue, especially with regards to proper application of the insurable interest in D&O insurance.

What Laws Govern Chinese D&O Liability Insurance?

Chinese entities raising funds through IPOs abroad increasingly turn to PRC insurers for their D&O insurance needs. In many cases, such entities earn their revenue in China but are structured as a variable interest entity (“VIE”) headquartered in a tax haven such as the Cayman Islands or British Virgin Isles. When a foreign securities claim arises, these policies become notable in that they typically engage both Chinese and foreign law.

This leads to insurance policies that are veritable chimeras — a Cayman head (which might face bankruptcy proceedings following a fraud on the market claim), a Chinese body (governing the policy itself), and an American tail (for example, governing settlement allocation when a class action settles). To illustrate, whereas nowadays most securities litigation is heard before US district or state courts in New York, Chinese D&O policies usually set an arbitration center in Beijing or Shanghai as the forum for policy disputes, with PRC law as the governing law.

This can lead to extremely complex proceedings, where disagreements arise on how a Chinese court or tribunal should determine allocation of damages under US law. Oftentimes, Chinese arbitration of D&O claims involves US lawsuits where multiple defendants decide to settle with the plaintiffs. This leaves important issues of allocation unresolved, with no foreign court having definitively determined the portion of liability for each defendant, only some of whom are the insureds or covered under the D&O policy. Therefore, in addition to the underlying Chinese laws, it is crucial to also grasp rules surrounding the applicable laws of the jurisdiction where the VIE is headquartered and where the insured entity is listed, especially US securities laws.

Conclusion

Like their common law precursors, Chinese D&O policies protect against securities claims, including when D&Os commit “wrongful acts”. However, this cover does not extend to fraudulent or criminal conduct, and policies may also exclude wider categories of behaviour.

Importantly, litigating these policies rarely relies on only the laws of one jurisdiction, due to the fact that Chinese D&O policies typically interact with Chinese, US, and even Cayman or British Virgin Islands laws governing a VIE’s incorporation. They are instead more like chimeras, and far more complex than US publicly-listed companies’ domestic D&O policies.

AnJie’s insurance team

Ranked Band 1 by Chambers for insurance, AnJie is well known for its insurance & reinsurance practice. AnJie’s insurance team, as one of the largest in China, is composed of more than 50 seasoned, multilingual Chinese lawyers and foreign legal advisors. AnJie’s insurance partners are located in the firm’s Beijing, Shanghai, Shenzhen, Hong Kong, Haikou, and Nanjing offices, providing legal services to our clients across the nation and beyond. Since 2013, AnJie and its insurance team partners have been continuously recognized as Key Recommended Law Firms and Lawyers by leading international rating agencies and professional publications such as Chambers and Partners, Who’s Who Legal, Legal500, and Asialaw.


[1]Some policies also include fees for crisis management, including emergency consulting and public relations services.