The long-awaited Standard Contractual Clauses of China ('China SCCs'), as referred to in Article 38 of the Personal Information Protection Law ('PIPL'), and the Regulations for the China SCCs ('the Regulations') were finally endorsed and released by the Cyberspace Administration of China ('CAC') on 24 February 2023.

The perception of the China SCCs as being straight-forward and simple template clauses to just be concluded as they are could lead in the wrong direction. The complexities ahead shall not be underestimated, particularly for multinational companies. In this insight, our experts will share their long term observation and thoughts based on existing experience of supporting international companies in this field.

Background

Both the China SCCs and the Regulations will take effect as of 1 June 2023, and a six-month grace period is given. This means that, by 30 November 2023 and if no compulsory export security assessment is triggered, all companies which need to share personal information with foreign recipients, like its head office, affiliates, or other service providers, must have in place the China SCCs and file them with the People's Republic of China ('PRC') regulators.

Act now and in the right way

There are about three months remaining for the Regulations and the China SCCs to take effect. But waiting until the last minute is not a viable approach as ramping up into compliance with the Regulations will trigger quite some preparatory work which requires lead time.

Since the China SCCs only apply to those non-sensitive export cases which are further limited to personal information, whether or not you could rely on the China SCCs as a legal basis to get data out of the PRC will need to be examined first. Different from the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') where the EU Standard Contractual Clauses ('EU SCCs') are used as the general basis to export personal information to a jurisdiction without protection sufficiency, the China SCCs cannot be used to support those sensitive export cases. Such sensitive cases might more likely arise for a foreign company, since the vague concept of important data, one of the factors triggering sensitivity and compulsory procedures, is closely linked up with national security concerns which is a topic in the Chinese context that will immediately arouse questions and concerns if you are foreign. Therefore, the China SCCs may not necessarily be a proper legal instrument to manage cross-border data transmission. Which legal instrument applies must be examined carefully beforehand which will take time if you bear in mind the deadline under the Regulations. Article 4 of the Regulations explicitly prohibits one from using the China SCCs as means to circumvent compulsory governmental security assessment by, for example, breaking the quantity of personal information processing into small pieces.

Chinese laws and regulations do allow data to flow into and out of China. However, it is worth noting that the Regulations reiterate and stress that one shall assess the necessity for cross-border transmission. The tone seems to indicate that a minimisation principle shall also be applied to cross-border data transmission. In our view, this will become an alert for multinational companies who have been waiting for the official launch of the China SCCs and expecting to use them as much as possible in their course of business. This may appear an easy way to stay compliant, but - taking the aforesaid into consideration - could substantially increase the risk exposure of these companies. Many of their cross-border data transmission might be needed due to their existing IT architect as globally deployed, while this may not be taken for granted by the PRC regulators as a good enough argument to prove 'necessity' to get data out of China.

Out of the many data compliance cases we handled for multinational companies, a systematic and structural approach in our view is critical to better understand and manage the topic of China data compliance exercise. Having a good overview of the exact regulatory implications of various data flow situations in the course of your business, including identifying priorities of measures to take as tailored to your business case, will be a critical first step to do to avoid steering effort to the wrong direction.

More than the China SCCs

On top of executing the China SCCs, Article 7 of the Regulations stipulates that the China SCCs shall be filed with the regulators within ten working days upon its execution. At the same time, a personal information protection impact assessment report ('PIPIA') shall be handed in as part of the submission package.

The concept of and requirements for PIPIAs were first mentioned in Articles 55 and 56 of the PIPL, so this is nothing new. However, absence of implementation guidelines in the past made it difficult for companies to follow this statutory requirement. Therefore, similar to the attitude towards the China SCCs, many companies rather took a wait-and-see approach. After the Regulations become effective, there is no longer room for this approach and the PIPIA becomes a statutory must for those who are using the China SCCs as a legal basis for transmitting data out of China. On the other hand, some 'blank areas' still remain as regards how a PIPIA shall be prepared, although Article 5 of the Regulations provides for some very general and rough guidance on the 'must-have' elements. Without a 'one-size-fits-all template', it is expected that preparation of the PIPIA will become a fairly challenging job to manage as quite some inputs will also need to come from other departments besides the one taking care of data compliance.

The above reality already shows again that - not different from many other areas in China - the PRC authorities will have quite some discretionary power to interpret how a PIPIA shall be polished to be up to their expectation in terms of content. Equally, the efforts do not end with a successful filing of your SCCs. In fact, Article 11 of the Regulations indicates that the regulators will proactively and continuously monitor personal information export activities under the concerned China SCCs and will request correction of any breach or wrongdoings. Considering the intention of Article 10 which explicitly encourages whistleblowing, risk of a potential dawn raid under the PIPL could increase, which may not necessarily be initiated against your company, but may start from your business partner. Having in place a good mechanism within the organisation focusing on data compliance enforcement is a must-have which shall not be overlooked.

Sign it as it is?

As standard sample clauses, Article 6 of the Regulations stipulates that the China SCCs shall be strictly followed when being concluded by the parties. The content and format of the SCCs may appear fairly straight-forward from a Chinese perspective. However, a deeper dive read could reveal many questions and issues for the foreign data recipient since many obligations remain open and vague, which could become quite burdensome if really enforced based on a strict literal interpretation in favour of the Chinese data exporter.

Some of the clauses under the China SCCs aim at building up a direct claim chain between the foreign recipient and the Chinese data subjects, as well as the Chinese regulators (e.g. Articles 3.13 and 5 of the China SCCs). These make the foreign data recipient heavily exposed to the PRC data protection regulatory requirements, which, if not managed well, could put the foreign data recipient in a very vulnerable legal position. This is not a hypothetical remark, particularly considering the fact the whole PRC data protection regime is comparably new, while many regulatory uncertainties and risks, which are faced by the onshore data exporter, will now be spilled over to the foreign data recipient through contractual ties. The picture will get even more serious from a liability perspective since - different from the GDPR, which is focusing on corporate level liabilities - the Chinese data protection laws also address personal liabilities. A more vulnerable legal position of the foreign data recipient will inevitably also increase liability exposure of the respective individuals, be it the signatory of the China SCCs or the management members.

A positive signal is that the China SCCs still allow the parties to 'agree on supplementary clauses' (see the second appendix to the China SCCs), provided that these do not conflict with the official template. Although currently the Regulations and the China SCCs do not provide for a clearer hint on what exactly will be deemed as a 'conflict', to clarify and substantiate certain harsh obligations of the foreign recipient under the respective appendix will help to better manage potential uncertainties and risks. These are not meant to be uncertainties and risks between the parties (which quite often could be affiliates belonging to the same corporate group), but rather those that might come from PRC regulators and data subjects which will land on the shoulder of the onshore data exporter first and be further carried over to the foreign data recipient based on the China SCCs.

Therefore, to have good drafting based on good knowledge of best market practice, as well as preferences of the PRC regulators will be key to successfully make use of such a positive option offered under the China SCCs and the Regulations.

Last, but not least

Besides the above issues, there are further challenges under the China SCCs which could be underestimated.

Since the China SCCs aim at protecting rights and interest from a Chinese perspective, the tricky issue it how to align these with those existing under the EU SCCs since the latter aim at protecting rights and interest from the other way around (i.e. from an EU perspective). Conflicts between the China SCCs and the EU SCCs may arise from various aspects. Already the scope of application of the clauses is different due to the different definitions of personal information versus 'personal data'. In those areas where there is overlap, care must be taken to ensure that the obligations under one set of SCCs do not torpedo those under the other SCCs, thereby undermining the protection granted by the respective SCCs for the transfer. For companies that require both sets of SCCs, especially for transfers within the group, but also in the context of contractual relationships with vendors, it is therefore advisable to embed the China SCCs and the EU SCCs in a framework agreement (such as an intra-group data transfer agreement for group internal transfers), in which the scope of application of the SCCs are defined and a conflict clause is included.

For foreign data recipients, enforceability of the long arm clauses under the PIPL and the Data Security Law ('DSL') may have faced uncertainties in the past. But now with Chinese law governing becoming a must under the China SCCs, a contractual relationship will pull them closer to the reach of the impact from PRC law enforcement.

The Regulations and the China SCCs answer some pending questions, but also raise new questions. One of these relates to the statutory data export security assessment, i.e. what contractual clauses are supposed to be 'must-haves' for submission under this governmental procedural. Using the China SCCs might be a good starting point, but the fact that they only apply to the export of personal information, instead of important data, will create a lot of issues throughout the drafting process as we have experienced in many other cases.

Irrespective of all these pending and new issues, a clear to-do is to prepare yourself well for the conclusion of the China SCCs by carefully reviewing their impact on your existing data protection framework under your home jurisdictions. A simple 'take-up-and-sign' approach by only considering the PRC perspective requirements without a global overview will become quite risky as this could at a later stage drive you to the corner. To some extent the PRC data protection regime mirrored some concepts and mechanism from the GDPR. This means a good combination of PRC knowledge and GDPR experience will become critical for international companies to properly manage this topic. All this will take time according to our past experience. In reality, the deadline of November 2023 is a very tight schedule for multinational companies, but manageable if you take action right away.