Background

On 30 June 2022, the Cyberspace Administration of China (“CAC”) issued the Draft Provisions on Standard Contracts for the Export of Personal Information (“Draft Provisions”) for public consultation. The Draft Provisions open a lawful path for cross-border data transfers under Article 38 of the Personal Information Protection Law (“PIPL”). The deadline for feedback is 29 July 2022.

The Draft Provisions contain a draft Standard Contract for the Export of Personal Information (“PRC SCCs”), which we shall compare in detail below to the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries under Regulation (EU) 2016/679 issued by the European Commission on 4 June 2021 (those standard contractual clauses, the “EU SCCs”; and that regulation, the “GDPR”).

Note on the Terms used

We note that the lexicons used by the PIPL and GDPR vary somewhat. The terms we use to discuss the Chinese SCCs and EU SCCs (collectively or generally, “SCCs”) reflect the terms used in the PIPL and GDPR, respectively. A table of equivalent concepts is provided below:

PIPL                                                        GDPR
----------------------------------------------------------  ------------------------------------------------
Personal Information Processor                              Data Controller
Entrusted Processor*                                        Data Processor
Personal Information Protection Impact Assessment (PIPIA)   Data Protection Impact Assessment (DPIA)
Personal Information Subject                                Data Subject
Sensitive Personal Information                              Special Categories of Personal Data
Overseas Recipient                                          Data Importer
Regulator                                                   Supervisory Authority

*This is a concept that can be understood in the context of Article 21 of the PIPL but is not explicitly defined in the PIPL.

Use scenarios

The PRC SCCs may only be used in the following relevant cross-border transfer scenarios:

  • The Personal Information Processor is not a critical information infrastructure operator;
  • The Personal Information Processor has handled the personal information of fewer than 1 million people;
  • Since 1 January of the previous year, the personal information provided overseas has not reached a cumulative total of 100,000 people;
  • Since 1 January of the previous year, the sensitive personal information provided overseas has not reached a cumulative total of 10,000 people.

For more information about relevant cross-border data transfers, please see China Releases Draft Standard Contract for Cross-border Data Transfers by Samuel Yang.

It is unclear if the PRC SCCs are customisable. However, Article 38 of the PIPL clearly states that contracts should be “in compliance with the standard contract provided by the national cyberspace authority…”, which could mean that the PRC SCCs should remain unchanged and be used as an intact document.

General observations

We note that the PRC SCCs consist of 9 articles and 2 appendices, while the EU SCCs consist of 18 clauses and 3 appendices. However, such a high-level comparison does not necessarily indicate the substance of either document.

The PRC SCCs can be considered a single document that applies to all relevant cross-border data transfers. They apply to all processors of personal information and do not define Entrusted Processors.

In contrast to the PRC SCCs, the EU SCCs can be considered 4 documents covering 4 different cross-border data transfer scenarios. Those transfer scenarios are: controller to controller; controller to processor; processor to processor; and processor to controller. Users of the EU SCCs need some familiarity with their layout, since use requires selecting and deleting clauses to match the transfer scenario.

Direct Comparison

We have produced the table below to help readers understand the structures of the PRC SCCs and EU SCCs. The table matches various topics identified within each document to specific provisions.

Topic: Definitions and interpretation
PIPL SCCs: Article 1
GDPR SCCs: Clause 1; Clause 4
AnJie’s Comments: The PRC SCCs provide 7 definitions and a catch-all. Some definitions refer directly to the PIPL, while others are China-specific. For instance, “Relevant laws and regulations” refers to Chinese laws and regulations only.

While the EU SCCs lack a specific definitions section, Clause 1 therein contains some generic definitions found in most agreements, while Clause 4, an interpretation clause, refers readers to the GDPR for terms defined there.

One thing to note is that Entrusted Processors, a concept understood in the context of Article 21 of the PIPL, are not described or referred to in the PRC SCCs. To express this in GDPR terms, the Chinese SCCs do not explicitly recognise the existence of Data Processors.

Topic: Sensitive personal information and special categories of personal data
PIPL SCCs: Article 1
GDPR SCCs: Module One, Clause 8.6
AnJie’s Comments: The EU SCCs provide an explicit definition without cross-references to the GDPR, while the PRC SCCs refer to the definition under the PIPL.

We note that the relevant definitions under the PIPL and GDPR vary significantly, with the PIPL employing an open, risk-based definition (PIPL, Article 28) and the GDPR employing what appears to be a very narrow and closed definition limited by examples.

In practice, this means that sensitive personal information under the PRC SCCs will include things that are not covered by the EU SCCs. For instance, your bank details are not special categories of personal data under the GDPR but would be sensitive personal information under the PIPL.

Topic: Transparency
PIPL SCCs: Article 2, Item 2
GDPR SCCs: Module One, Clause 8.2; Module Two, Clause 8.3; Module Three, Clause 8.3
AnJie’s Comments: The PRC SCCs require Personal Information Processors to inform Personal Information Subjects about the particulars of all Overseas Recipients.

In contrast, the EU SCCs only explicitly require Data Controllers to inform Data Subjects about the particulars of an overseas recipient where the said recipient is another Data Controller.

Topic: Data minimisation
PIPL SCCs: Article 2, Item 1
GDPR SCCs: Module One, Clause 8.3
AnJie’s Comments: Under the PRC SCCs, the burden of ensuring data minimisation is on Personal Information Processors that act as transferors. In contrast, the EU SCCs appear to only burden Data Controllers that act as Data Importers.

Placing the obligation on the party that initially controls the information seems to be a better way of controlling the risks associated with such transfers, as a Data Importer cannot abuse data it lacks. However, to manage this potential conflict in legal obligations, we imagine that, in the near future, many PRC-EU DPAs will include mutual commitments concerning data minimisation.

Topic: Personal Information Subject or Data Subject (collectively or generally, “Subject”) rights
PIPL SCCs: Article 2, Item 3; Article 2, Item 8; Article 3, Item 2; Article 5; Article 6, Item 1
GDPR SCCs: Clause 3; Module One, Clause 8.3; Module Three, Clause 8.3; Clause 10
AnJie’s Comments: Subject rights vary between the PRC and the EU. Additionally, Subject rights under the PRC SCCs are enforceable against both parties, while under the EU SCCs, the matter of enforceability depends on the nature of the underlying cross-border data transfer scenario.

Both SCCs require a recipient to provide notices or information on its website detailing the contact details for a person who can handle enquiries and how enquiries should be handled.

Both SCCs treat Subjects as third-party beneficiaries with a right to view the relevant SCCs. Moreover, both SCCs allow the principal contracting parties to charge fees for, or refuse to comply with, unreasonable Subject requests.

Topic: Due diligence on the recipient
PIPL SCCs: Article 2, Item 4
GDPR SCCs: Clause 8
AnJie’s Comments: Personal Information Processors must, under the PRC SCCs, “use reasonable efforts” to ensure that “the overseas recipient can fulfil its obligations”.

Likewise, the EU SCCs require a Data Exporter to use “reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations…”.

The use of a reasonable efforts standard by both SCCs is interesting. We note that other parts of both SCCs stipulate best efforts standards, suggesting that the due diligence standards of care are lower than those for other matters.

Topic: Secure processing
PIPL SCCs: Article 2, Item 4; Article 3, Item 5
GDPR SCCs: Module One, Clause 8.5; Module Two, Clause 8.6; Module Three, Clause 8.5; Module Four, Clause 8.2
AnJie’s Comments: Generally, the provisions of both SCCs aim to bring about the same or similar outcomes, namely appropriate technical and organisational measures. While the EU SCCs elaborate more on the things that should be considered to bring about such outcomes, such additional details are arguably unnecessary.

Concerning access controls, there appears to be broad equivalence between the SCCs. However, the PRC SCCs explicitly require Overseas Recipients to have “a minimum authorised access control policy…”.

Topic: Provision of laws and technical standards
PIPL SCCs: Article 2, Item 5
GDPR SCCs: N/A
AnJie’s Comments: Personal Information Processors must provide Overseas Recipients with a copy of “relevant legal provisions and technical standards” upon request. This does not appear to have an equivalent within the GDPR. Should the exercise of such a right occur in practice, we imagine that foreign recipients might need translations. Procuring such translations, especially of technical standards, could be expensive in practice. Contracting parties should consider this in their pricing and negotiations.

Topic: Cooperation with regulatory authorities and acceptance of their oversight
PIPL SCCs: Article 2, Item 6; Article 3, Item 12
GDPR SCCs: Module One, Clause 8.9; Clause 13
AnJie’s Comments: Under the PRC SCCs, both contracting parties agree to respond to the Regulator’s enquiries. Moreover, the Overseas Recipient must agree to cooperate with the Regulator’s inspections, obey the Regulator and provide them with proof that “necessary actions have been taken.” We imagine the PRC SCCs could cause issues if EU blocking statutes exist (which we understand is the case).

Under the EU SCCs, the Data Importer only agrees to make documents available to the Supervisory Authority. While this requirement is less onerous than that found under the PRC SCCs, we note that under the Data Security Law, Article 36, “Any organisation or individual within the territory of the PRC shall not provide any foreign judicial body and law enforcement body with any data stored within the territory of the PRC without the approval of the competent authority of the PRC.”

Topic: Impact assessment
PIPL SCCs: Article 2, Item 7; Article 4
GDPR SCCs: Clause 14
AnJie’s Comments: The PRC and EU SCCs require a transferring party to conduct impact assessments for cross-border data transfers. Whilst the obligations of the SCCs do not wholly align, we believe that, in practice, a single assessment form or template could be used to ensure compliance with both sets of SCCs.

As the GDPR and EU SCCs predate the PIPL and the PRC SCCs, we expect that many such forms or templates will be variations of styles used in the EU.

Topic: Compliance and record keeping
PIPL SCCs: Article 2, Item 9; Article 3, Items 10-12
GDPR SCCs: Module One, Clause 8.9; Module Two, Clause 8.9; Module Three, Clause 8.9; Module Four, Clause 8.3
AnJie’s Comments: Under the PRC SCCs, Personal Information Processors are burdened with proving that they have fulfilled their contractual obligations. In the case of disputes between the contracting parties, it is unclear if this would function as a reverse burden of proof. However, such a reverse burden of proof could exist in disputes with Subjects.

Overseas Recipients under the PRC SCCs must provide Personal Information Processors with evidence of their compliance and access to files and documents, facilitate audits, and accept the Regulator’s supervision. Overseas Recipients must retain their records for at least 3 years.

Under the EU SCCs, obligations vary depending on the cross-border data transfer scenario, but in all cases involve being able to demonstrate compliance (sometimes to the other party) and making documents available to the regulator upon request. Modules Two to Four require recipients to facilitate audits and, for Modules Two and Three only, specify that audits may occur on site.

Topic: Transfer particulars
PIPL SCCs: Article 3, Item 1; Appendix 1
GDPR SCCs: Clause 6; Clause 8.1; Annex I; Annex II
AnJie’s Comments: Both SCCs rely on an Appendix or Annex to state the particulars of a specific cross-border transfer. They are broadly comparable, except that the PRC SCCs require a clear statement of the quantity of personal information transferred and suggest using the personal information categories listed in the recommended national standard GB/T35273.

Topic: Access by government authorities at destination
PIPL SCCs: Article 3, Item 7
GDPR SCCs: Clause 15
AnJie’s Comments: The EU SCCs describe how to handle legally binding requests or demands from foreign authorities with jurisdiction over personal information in the destination country. This is a prudent measure to help entities manage conflicting legal systems.

Unfortunately, the PRC SCCs contain no explicit provisions about dealing with legally binding requests or demands from foreign authorities with jurisdiction over personal information in the destination country. We note that there is an express and general prohibition against providing “personal information to third parties located outside the PRC.” This could cause issues in practice and might deter entities from transferring their data abroad.

Topic: Data retention and deletion
PIPL SCCs: Article 3, Item 4; Appendix 1
GDPR SCCs: Module One, Clause 8.4; Module Two, Clause 8.5; Module Three, Clause 8.5
AnJie’s Comments: The provisions under both SCCs are broadly comparable, with the exception that, under the PRC SCCs, an Entrusted Processor who is an Overseas Recipient must provide an audit report after deletion or anonymisation.

Topic: Data breaches
PIPL SCCs: Article 3, Item 6
GDPR SCCs: Module One, Clause 8.5; Module Two, Clause 8.6; Module Three, Clause 8.6; Module Four, Clause 8.2
AnJie’s Comments: Under the PRC SCCs, the requirements for handling all data breaches involve taking remedial measures, “immediately” notifying the Personal Information Processor and the Regulator, notifying Subjects if required by law, and documenting all facts about breaches. We do not believe that “immediately” is to be taken literally. However, some industries in China, such as insurance, have reporting requirements that can be as short as one hour. As such, the meaning of “immediately” should not be assumed, and a service level agreement may be desirable for some industries.

Obligations concerning data breaches under the EU SCCs can vary depending on the cross-border data transfer scenario and risk level. For instance, transfers between Data Controllers attract the most onerous obligations in the event of high-risk data breaches. In contrast, transfers from Data Processors to Data Controllers only require the Data Processor to notify and assist the Data Controller.

Topic: Onward transfers
PIPL SCCs: Article 3, Item 7
GDPR SCCs: Module One, Clause 8.7; Module Two, Clause 8.8; Module Three, Clause 8.8
AnJie’s Comments: There are transparency requirements for onward transfers under both the PRC and EU SCCs. See the Transparency topic above for more details.

To make an onward transfer under the PRC SCCs, the following conditions must exist: (i) the transfer is necessary, though what that entails precisely is unclear at this time; (ii) the transfer is disclosed to Subjects and, if necessary, made with their consent; (iii) the transfer is subject to a written agreement that provides protection not lower than the standards in PRC law and provides for the assumption of joint and several liability for harm to Subjects; and (iv) a copy of the onward transfer agreement is provided to the Personal Information Processor.

Under the EU SCCs, an onward transfer must be made to a third party that is bound by the EU SCCs, is located in “a country benefitting from an adequacy decision”, or otherwise ensures appropriate safeguards; alternatively, the transfer must be necessary for litigation purposes or required to protect the vital interests of others.

Topic: Entrusted Processing & Data Processors
PIPL SCCs: Article 3, Item 8
GDPR SCCs: Modules Two, Three and Four
AnJie’s Comments: This is a significant area of divergence, as the PRC SCCs do not significantly distinguish between the types of entity that process personal information, while the EU SCCs treat Data Controllers and Data Processors very differently depending on the cross-border data transfer scenario.

Topic: Sub-processors
PIPL SCCs: Article 3, Item 8; Appendix 1
GDPR SCCs: Clause 9; Annex III
AnJie’s Comments: Both SCCs seem to allow for sub-processing. However, the PRC SCCs do not explicitly address this particular issue, which means that sub-processing would be treated like any other onward transfer.

As for the EU SCCs, they require sub-processors to be bound by “in substance, the same data protection obligations as those binding the data importer” and allow for (i) specific prior authorisation or (ii) general authorisation from a list.

Topic: Automated decision-making
PIPL SCCs: Article 3, Item 9
GDPR SCCs: Clause 10
AnJie’s Comments: Under the PRC SCCs, automated decision-making must be transparent, fair, and equitable. It may not be used to apply unreasonable differential treatment in terms of transaction conditions.

Under the EU SCCs, automated decision-making that produces legal effects concerning a Subject or similarly significantly affects them may not occur unless the Subject consents to such processing or it is permitted under laws with appropriate safeguards.

Topic: Choice of law and jurisdiction
PIPL SCCs: Article 6, Items 2-5; Article 9, Item 2; Article 9, Item 5; Article 9, Item 6
GDPR SCCs: Clause 11; Clause 17; Clause 18
AnJie’s Comments: The EU SCCs stipulate the law of an EU member state or, for Data Processor to Data Controller arrangements, the law of a country that allows for third-party beneficiary rights. They give jurisdiction to the courts of an EU member state, including those of the place where a Subject habitually resides.

The PRC SCCs stipulate Chinese law.

If a Subject, as a third-party beneficiary to the contract, brings an action, they must comply with the Civil Procedure Law of the People’s Republic of China to determine jurisdiction, meaning a Chinese court with jurisdiction will be selected.

In the case of the contracting parties, the contract allows for dispute resolution in a Chinese court with jurisdiction or an arbitral institution in a country that is a member of the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards.

Topic: Termination and suspension
PIPL SCCs: Article 7
GDPR SCCs: Clause 16
AnJie’s Comments: Under the EU SCCs, if the Data Importer breaches its obligations, the Data Exporter may suspend the contract until the breach is remedied or the contract is terminated. Several types of breaches or circumstances may trigger termination.

Under the PRC SCCs, Overseas Recipients have rights similar to those of Data Exporters under the EU SCCs, while Personal Information Processors enjoy 2 additional grounds: (i) breach by the Overseas Recipient of the laws in the country where it is based; (ii) bankruptcy, dissolution or liquidation. Additionally, termination may also occur at the election of either party if a Regulator has issued a decision that makes execution of the contract impossible, or if both parties agree to the termination.

Topic: Liability for breach of contract
PIPL SCCs: Article 8
GDPR SCCs: Clause 12
AnJie’s Comments: Under the PRC SCCs, “Liability between the parties is limited to the damages suffered by the non-breaching party.” At face value, this appears to exclude liability for lost profits.

Under both SCCs, Subjects are entitled to claim damages as third-party beneficiaries. Where more than one party causes a breach of Subject rights, both are jointly and severally liable to the Subject.

Topic: Precedence
PIPL SCCs: Article 9, Item 1
GDPR SCCs: Clause 5
AnJie’s Comments: Both SCCs claim to have precedence in the event of a conflict. This could cause difficulties in the event of a dispute involving both the EU and the PRC.

Topic: Docking clause
PIPL SCCs: N/A
GDPR SCCs: Clause 7
AnJie’s Comments: No such mechanism exists under the PRC SCCs, which appear to be drafted for a scenario involving 2 contracting parties. Such a mechanism would be desirable for more complex processing scenarios.

Topic: Other matters agreed by the parties
PIPL SCCs: Appendix 2
GDPR SCCs: N/A
AnJie’s Comments: The PRC SCCs contain a blank page at their rear. This suggests that the CAC expects contracting parties to have additional needs. However, based on current cross-border data transfer practices, we suspect the PRC SCCs will function as an appendix or annex rather than as the main agreement.

Implications

The PRC SCCs bear some similarities with the EU SCCs but differ on some key points. Multinationals with operations in the PRC and EU that wish to rely on SCCs may need to find ways to deal with those differences and conflicts or find alternative legal paths for their cross-border data transfers.

The likely alternative for many multinationals would be to obtain “certification of personal information protection” that has been “given by a professional institution in accordance with the regulations of the national cyberspace authority” under Article 39 of the PIPL. The National Technical Committee on Information Security of Standardization Administration (also known as “TC260”) has recently issued guidance on achieving such certification, but more clarity is needed on matters such as who those “professional certification institutions” are and how to start the certification journey.

Finally, for those who are able to use the PRC SCCs, we have observed that many multinationals annex the EU SCCs to their own customised global data transfer agreements, and we suspect the same will happen to the PRC SCCs in time.