With the Cyberspace Administration of China’s (“CAC”) release last week of the Guidelines for Filing of Standard Contracts for Cross-border transfers of Personal Information (“Guidelines”), organisations processing Mainland China personal data must now turn their attention to the China Standard Contractual Clauses (“China SCCs”) route for legitimizing their cross-border data transfers (“CBDTs”) of Mainland China personal data.
In short, the process is no longer a simple filing. In particular, the Personal Information Impact Assessment (“PIIA”) which must be filed alongside the China SCCs now looks closer to the full approval application required for the (more onerous) CAC Assessment route; the filed materials will be scrutinized and may be rejected; and, more broadly, non-compliance with the Personal Information Protection Law (“PIPL”) that the CAC identifies from the China SCCs filing materials may lead to enforcement action. It is therefore critical for organisations subject to the China SCCs route to:
- ensure their China data protection compliance programme has been properly designed and implemented;
- identify and sign the China SCCs with relevant overseas recipients; and
- file the China SCCs with primary overseas recipients – together with a fully-completed PIIA using the new template published by the CAC – by the relevant deadlines.
Who must follow the China SCCs route?
By way of reminder, personal information controllers who:
- do not meet the thresholds for the CAC assessment/approval route (see our summary here); and
- are not required to follow the CAC certification route (which primarily concerns foreign personal information controllers of Mainland China personal information; see step 10 below),
must follow the China SCCs route to legitimize access to, or transfers of, personal information outside of Mainland China.
China SCCs route – compliance step plan
1. Data mapping: understand CBDTs and approach to China SCCs
- Undertake or update data mapping of CBDTs of China data, to have a clear picture of the flows of China CBDTs.
- Decide the approach to SCCs preparation and filing (e.g. whether a filing is made at group level or on a per-controller basis).

2. Consent: separate, explicit consent from data subjects to CBDT of China personal data
- Review/update existing PRC privacy notice(s) and consent language, if not already done, to ensure separate, explicit consent to CBDT (and general compliance with the PIPL etc.).
- The TC260 guidelines published in June 2023 provide practical, industry-specific guidance on giving notice and obtaining consent.

3. PIIA: complete for each primary CBDT where the PRC entity/ies is the personal information controller
- Complete a CBDT PIIA for each primary CBDT, using the new CBDT PIIA template (as per the Guidelines).
- The new CBDT PIIA is more detailed and will be reviewed and accepted, rejected or queried by the local CAC; as such, it must be completed in full and drafted very carefully. That said, the CAC’s expectations as to the level of detail to be included in the CBDT PIIA report (such as the mini-TIA section, descriptions of data transfers, onward recipients etc.) remain unclear (for example, as compared to the very detailed responses required for the CAC Assessment route).
Timing: ready to file, with the accompanying signed China SCCs, by no later than 30 November 2023, or otherwise within 10 days of signing the SCCs.

4. China SCCs: PRC entity/ies acting as personal information controller re primary transfers
- Personal information controller to sign a China SCCs supplement with the relevant overseas recipient(s) for each primary CBDT.
- The CAC has emphasized that the content of the China SCCs cannot be amended or integrated into an existing contract. Organisations should therefore adopt/sign a standalone, bilingual supplement incorporating the China SCCs.
Timing: signed China SCCs to be filed, with the accompanying PIIA, by no later than 30 November 2023, or otherwise within 10 days of signing the SCCs.

5. File signed China SCCs: PRC entity/ies acting as personal information controller re primary transfers
- Personal information controller to file the signed China SCCs with the local CAC branch(es), along with the following filing materials:
  - the completed PIIA;
  - a certified copy of the personal information controller’s unified social credit code certificate;
  - a certified copy of its legal representative’s ID card;
  - a certified copy of the appointed agent’s ID card;
  - a Power of Attorney appointing the agent handling the filing; and
  - a Commitment letter.
- Unfortunately, details of the actual process for making the filing with the local CAC branch(es) have not yet been published.
Timing: hard and soft copies of the filing materials must be filed by no later than 30 November 2023, or otherwise within 10 days of signing the SCCs.

6. CAC review of filed China SCCs/PIIA: respond to CAC questions (if any)
- The local CAC will review the filing.
- Respond to local CAC questions on the filing (if any), and supplement the filing materials as required.
- The result of the review is on a pass/fail basis.
Timing: local CAC review within 15 working days of receiving the filing.

7. China SCCs: flow-down of China SCCs for onward transfers
- Identify the relevant vendor list, and flow down the China SCCs to vendors procured by the organisation at group level (i.e. onward transfers), even though these do not need to be filed with the CAC.
- The CAC has indicated that the China SCCs currently primarily concern first-tier overseas recipients and C2C/C2P transfers, not onward transfers. In light of this, we have already seen pushback from some vendors on entering into the China SCCs, except where they are the primary overseas recipients.
Timing: now, to identify the relevant vendor list; China SCCs to be put in place with these vendors at the next engagement opportunity.

8. Vendor management
- Use the organisation’s existing global vendor management data protection programme (e.g. due diligence, ongoing monitoring).
- Organisations must reassess, amend, supplement or re-file China SCCs filings in the event of certain changes.

9. China SCCs: acting as data processor/client engagements (if relevant)
- Where organisations act as data processor, the relevant personal information controller may ask for China SCCs to be put in place: organisations should assess this, and determine their in-house approach and the impact on standard service agreements etc.
Timing: now.

10. Non-PRC data controllers within the organisation processing China personal data: await finalisation of the CAC certification route
- Draft details of the CAC certification scheme have been published and were subject to public consultation (so are likely to change) (see CHINA: CBDT routes now all clear – Draft guidelines for CAC Certification route published – Privacy Matters (dlapiper.com)).
Timing: anticipated H2 2023.
Broader compliance risks
If a China SCCs filing is rejected because the CAC identifies compliance gaps in an organisation’s general PIPL compliance programme (not just gaps related to CBDTs), this may prompt the CAC to take corresponding enforcement action under the PIPL (e.g. requiring remediation or imposing penalties). It is therefore critical for organisations to ensure that their overall China data protection programme complies with the applicable China data protection laws and regulations, and that this is accurately described in their CBDT PIIAs.