Hello privacy pros! Greetings from China!
The past several weeks have been hectic for businesses, data regulators and privacy pros in China! The most eye-catching development in the data protection and privacy space in China is the final release of the long-awaited standard contractual clauses terms and the corresponding regulations by the Cyberspace Administration of China 24 Feb. This means that all three major legal mechanisms for cross-border data transfers under China's Personal Information Protection Law (namely, CAC-led security assessment, certification by licensed professional institutions, and Chinese SCCs) are now fully established with the necessary details for implementation.
It is worth noting that the three data transfer mechanisms are subject to strict application scope, and companies cannot adopt the SCC structure if any of their international data transfers from China trigger the CAC-led security assessment. Businesses are explicitly prohibited from breaking down the data volume to circumvent the CAC security assessment mechanism.
China’s SCC terms mirror some clauses in the EU General Data Protection Regulation SCCs, but have significant Chinese characteristics. Unlike the EU GDPR SCCs, which cover four different models (controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller), China’s SCCs have only one universal template, regardless of the role and function of the parties. In addition, the clauses on onward transfer, governing law and dispute resolution under the China SCCs differ from those in the EU GDPR SCCs.
China’s new SCC terms will become effective 1 June. Companies have a six-month grace period to make rectifications according to the new SCC requirements if they have previously transferred personal data outside China. Companies are advised to take early steps to properly understand the SCC regulations and terms and to assess the business implications for their cross-border data transfers.
Within 10 days of the SCC terms taking effect, the data exporter must file with the competent provincial CAC by submitting the signed SCC-based data transfer agreement and the impact assessment report. The CAC authorities have the power to request rectification if the cross-border data transfer poses a substantial risk or if there is a major data incident. Failure to comply with the SCC regulations may also trigger administrative, civil and even criminal liabilities under the PIPL. Earlier this week I wrote an in-depth analysis of the new Chinese SCCs.
Along with the finalization of the SCCs, 28 Feb. marks the expiry date of the 6-month grace period for submitting cross-border data transfers to the CAC authorities for security assessment. According to the news releases issued by the Beijing and Shanghai CAC authorities, more than 200 multinational corporations and Chinese business entities based in Beijing and Shanghai across the automotive, aviation, financial, health care, pharma, tourism, technology and media industries have made submissions to the CAC. More companies are expected to submit to the CAC even after the grace period.
With a strong digital economy, Beijing and Shanghai are spearheading new initiatives for data protection and security. The Beijing Internet Court issued a judgment in February, ruling that the collection of user profiling information does not pass the necessity test and the data handler must give sufficient notification and obtain consent from data subjects before collecting user profiling information. On 28 Feb., the Shanghai Telecom Bureau issued a notice, requesting all Shanghai-based internet and telecom companies to set up the DPO mechanism in 2023 to build up a robust system for data protection and security.
A lot to talk about for this week! Until next time!