2023.06.13 DONG, Xiao (Marissa); LIU, Yang; LU, Sipei (Ryo); LI, Shuoying; SHI, Xiaoyu
On May 30, 2023, the Cyberspace Administration of China (“CAC”) officially released the Guidelines for the Filing of Standard Contracts for Cross-border Transfer of Personal Information (Version 1) (“China SCC Guidelines”)1 to provide guidelines for personal information processors who intend to file the Standard Contract released by the CAC (“China SCC”) with the competent authorities. The release of the China SCC Guidelines indicates that the filing of China SCC has officially commenced. We have analyzed and interpreted the main content of the China SCC Guidelines for your reference.
We have also compared and analyzed the relevant contents of the China SCC Guidelines with the Guidelines for the Application for Data Export Security Assessment (Version 1) (“Security Assessment Application Guidelines”) previously issued by the CAC.
I. Entities Subject to China SCC Filing
An enterprise engaged in personal information export without triggering a data export security assessment is subject to the filing of China SCC with the competent authority, unless it chooses to conduct personal information protection certification.
The provisions of the China SCC Guidelines on the scope of the application of China SCC are consistent with Article 4 of the Measures for the Standard Contract for Cross-border Transfer of Personal Information (“China SCC Measures”). Both state that in order to provide personal information to an overseas recipient by concluding a China SCC, a personal information processor shall meet the following conditions: (i) it is not a critical information infrastructure operator; (ii) it processes the personal information of less than one million individuals; (iii) it has provided the personal information of less than 100,000 individuals in aggregate to overseas recipients as of January 1 of the previous year; and (iv) it has provided sensitive personal information of less than 10,000 individuals in aggregate to overseas recipients as of January 1 of the previous year. In comparison, the circumstances triggering the filing of a China SCC complement the circumstances triggering a security assessment. This means that the filing of a China SCC could apply to any cross-border transfer of personal information that does not trigger a security assessment, unless the transferor chooses to adopt the certification mechanism.
The China SCC Guidelines again emphasize that no personal information processor shall take measures, such as splitting the quantity of personal information, to circumvent a data export security assessment merely by concluding a China SCC. Whether the quantity of personal information provided to an overseas recipient triggers the filing of a China SCC needs to be determined according to the actual situation on a case-by-case basis.
II. What Circumstances Constitute Cross-border Transfer of Personal Information
Enterprises will need to sort out all scenarios where personal information is or will be transferred to overseas recipients directly, or where such information can be accessed, queried, downloaded or exported from overseas, and on that basis conduct a personal information protection impact assessment and conclude a China SCC.
The China SCC Guidelines continue to use the criteria provided in the Security Assessment Application Guidelines to determine cross-border transfer activities, which include the following circumstances: (i) a personal information processor transfers and stores outside the PRC the personal information that is collected and generated in its operations within the PRC; and (ii) the personal information collected and generated by a personal information processor is stored in the PRC and is available to overseas institutions, organizations or individuals for access, query, downloading or export. Also, the China SCC Guidelines retain the expression “other personal information export activities specified by the CAC”, allowing a flexible interpretation of any personal information export that may be more complex in future regulatory practice.
Although they describe the circumstances that constitute cross-border transfer of personal information, the China SCC Guidelines do not clarify how to sign a China SCC under different data export scenarios or with different roles in data processing, such as how to sign a China SCC when an entrusted processor provides personal information to an overseas recipient as the data exporter.
III. Methods and Procedures for the Filing of China SCC
The China SCC Guidelines state that a personal information processor shall file a China SCC with the competent authority within 10 business days after the effectiveness of such China SCC.
An enterprise needs to file written materials accompanied by electronic versions to the cyberspace administration at the provincial level. The whole process includes material submissions, a material review, feedback on the result of the filing, and the provision of additional materials or re-filing, if applicable. The specific filing processes are described in the below flow chart.
In the China SCC Guidelines, it is mentioned that:
i. The filing needs to be completed by sending written materials accompanied by the electronic versions, but the Guidelines do not expressly require the electronic filing materials to be submitted in CD form. It therefore remains to be seen whether online submissions will be accepted in the near future.
ii. The time period for materials review by the cyberspace administration at the provincial level (including when additional materials or re-filing is required) shall be 15 business days.
iii. The CAC published telephone and e-mail contacts for queries and reporting to facilitate any prior enquiries by enterprises on issues relating to the filing of China SCC.
IV. Possible Outcomes of Filings
In accordance with the China SCC Guidelines, the filing outcome is either “pass” or “fail”. If the filing fails, the personal information processor will receive a notice stating that the filing failed and why, requesting the provision of additional materials, and allowing re-filing after the additional materials have been provided.
If the filing fails, (i) the personal information export may be considered to lack a legal basis, and it is unclear whether an enterprise must stop the export activities; and (ii) the period for the provision of additional materials is 10 business days, which is a relatively tight schedule.
Therefore, it is advisable for enterprises to prepare a complete set of materials for the first-round filing and make their best effort to pass in the first instance.
V. Application Materials and Key Considerations
The China SCC Guidelines set out seven documents required for the filing. These include copies of the social credit code certification of the personal information processor, and the ID documents of the responsible person for the China SCC filing and of the legal representative of the personal information processor. Most importantly, the executed version of the China SCC and the report on the Personal Information Protection Impact Assessment (“PIPIA”) must be submitted.
Below is a summary of some key issues to be considered when preparing the application documents required for filing.
i. The template for the undertaking letter specifically provides that the PIPIA must be completed within three months prior to the filing date and that there have been no material changes to the PIPIA as of the filing date.
ii. In the template for the undertaking letter, the personal information processor is required to provide a covenant that it has not engaged in any split-up of the quantity of personal information, and that it will not provide overseas recipients with personal information that is subject to a data export security assessment merely by concluding a China SCC. However, with regard to the “split-up of the quantity of personal information”, it is noteworthy that whether the quantity of personal information transferred among different affiliates under the same group should be calculated on an aggregate basis is also pending clarification from the regulators.
iii. In the template for the power of attorney in respect of the responsible person of the China SCC filing, such person should be granted full power to act on behalf of the personal information processor to take all actions and communicate with the regulators as necessary for the completion of the China SCC filing. Therefore, such power of attorney must remain in effect throughout the whole filing process.
VI. Preparing the PIPIA Report
A template for the PIPIA was released together with the China SCC Guidelines, and it provides important guidance for personal information processors preparing the PIPIA report.
The PIPIA template is consistent with the Data Export Risk Self-Assessment Report (template) enclosed in the Security Assessment Application Guidelines in terms of assessment elements and considerations. It reflects that the regulator has similar concerns for security assessment and filing in respect to data export. Outlined below are some key items to be included in the report.
i. Composition of the PIPIA report: the PIPIA report consists of four sections, i.e., a description of the PIPIA process, a description of the data export, a detailed assessment of the impact of the proposed data export, and an assessment of the proposed conclusion of the data export.
ii. Basic information of personal information processors: in addition to general information relating to the business registration of the personal information processor and its business and information systems involved in the export of personal information, the information about its actual controller, the establishment of a personal information protection department, and the general business and personal information and domestic and foreign investments in respect to the personal information processor must also be included.
iii. Details of personal information to be exported: the purpose, scope and method of personal information processing, and its legality, legitimacy and necessity, as well as information regarding the processing of sensitive personal information and the use of personal information in automated decision-making should be included.
iv. Assessment of the capabilities of the personal information processor to ensure data security: the establishment of governance structures and management rules, the deployment and implementation of systems for whole process data management, emergency response, and the protection of personal information rights and interests, as well as technical security measures implemented throughout the entire process of the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information should be included.
v. Assessment of the overseas recipient: the basic information of the overseas recipient, its capabilities to ensure data security, the cybersecurity and data security legislation of the country/region where the overseas recipient is located, and the entire process of personal information processing by the overseas recipient should be included.
vi. Assessment of the impact of the proposed data export: an item-by-item description of the elements assessed in the PIPIA in accordance with Article 5 of the China SCC Measures should be included, with focuses on the issues and potential risks discovered in the PIPIA, as well as the corresponding rectification measures taken and the effect of rectification.
vii. Conclusion of the PIPIA report: the personal information processor must draw an objective conclusion of the PIPIA report for the proposed personal information export, and fully describe the reasons and arguments to support such conclusion, on the basis of the PIPIA process and related rectifications.
As can be seen from the above summary of the requirements in the PIPIA template, the information required for the PIPIA includes some further details that may not be included in the Transfer Impact Assessment (TIA) under the GDPR.
VII. Our Observations and Recommendations
Based on the above:
i. The China SCC Guidelines provide specific guidance on the scope of application, submission method and process, and material requirements, similar to the Security Assessment Application Guidelines in the level of detail and requirements.
ii. The China SCC Guidelines specify that the filing may result in either approval or disapproval. In case of disapproval, the personal information processor will be notified of the disapproval for its filing and the reasons for it, and they will have a period of 10 business days to prepare and submit additional or amended supporting materials.
iii. Nevertheless, the China SCC Guidelines leave out specific filing processes in different scenarios, such as whether different entities within a group are permitted to submit a consolidated filing, and how and to what extent the PIPIA report should be applied, etc., which will need to be further explored when the CAC starts to accept the filing.
As the deadline to prepare and submit the filing is the end of November this year, companies subject to China SCC filing will only have 6 months to complete their submissions and make any necessary remediations. As data mapping, preparing PIPIA reports, and negotiating and executing China SCCs with overseas recipients could be time-consuming, companies are advised to take action as soon as possible, leave sufficient time, and submit the China SCC filing so as to avoid delays and any uncertainties that the cross-border transfer may otherwise bring to their business and operations.
1. The Guidelines for the Filing of Standard Contract for Personal Information Export (Version 1) are available at http://www.cac.gov.cn/2023-05/30/c_1687090906222927.htm