Hello privacy pros. Greetings from Beijing.

Since I wrote my last Asia-Pacific Digest note four weeks ago, there have been some significant developments in China's data protection and privacy space!

Same as everywhere else in the world, artificial intelligence has remained one of the hottest topics in the investment, business, technology, academic, legislative and enforcement circles in China.

Earlier this week, the State Council, China's central government, issued its law-making work plan 2023, which expressly states the State Council proposes the draft AI Law to be reviewed by the Standing Committee of the People's Congress, the highest law-making body of China. This appears to be a significant signal that China will draft a more comprehensive AI law, following the issuance and adoption of previous piece-meal AI regulations, for example, the Regulations on Administration of Internet Deep Synthesis and the Measures on Administration of Generative AI Services.

Local governments in Beijing, Shanghai and Shenzhen have issued multiple policies to promote the development of AI innovation, encourage research on large model algorithms and key technologies, and create a supportive business environment for AI innovation. The Beijing AI Acceleration Plan 2023-2025 sets a target that by 2025, the scale of Beijing's AI industry will reach CNY300 billion (approx. USD42 billion), with a projected growth rate at or exceeding 10%.

As we are in June, this digest note would not be complete without talking about China Standard Contract Clauses regime for cross-border data transfer, because 1 June marks the formal adoption of China's SCC mechanism. 

Under the Personal Information Protection Law of China, there are three major legal mechanisms for making outward data transfer from China: CAC-led security assessment, SCC mechanism, and certification by qualified third parties. Compared with the other two mechanisms, the SCC method appears more cost-efficient and familiar to international businesses. However, it is important to note that a company cannot loosely choose the mechanism of its own preference, because each of the mechanisms is subject to its respective application scope and the company is prohibited from avoiding the CAC-led security assessment by dividing up the volume of data transferred in order to choose the SCC mechanism.

Although China's SCC mechanism shares some similarities with the EU General Data Protection Regulation SCC regime, it has multiple unique and peculiar distinctions from the GDPR. This has presented some difficulties for MNCs in preparing the documents anticipated under the China SCC regime and synchronizing the China SCC terms with the global strategy for international data transfer.

Last week, the central CAC issued the China SCC Filing Guidelines and the Beijing Municipal CAC released the local version of the Filing Guidelines for companies based in Beijing, to provide some practical direction and clarity. The SCC Filing Guidelines contain a template impact assessment report, which covers aspects much more expansive than what is usually expected in the DPIA/TIA report under the GDPR. The China SCC-based cross-border data transfer agreement and the impact assessment report must be filed with the provincial/municipal CAC. Failure to pass the filing may negatively impact cross-border data transfers, cause business interruptions, or even harm the company's reputation and brand image. Thus, for companies that need to transfer personal data from China to their headquarters, affiliates or business partners outside China, I strongly suggest you pay close attention to the requirements set out in these China SCC regulations and take necessary compliance actions as soon as possible. We have prepared the unofficial English translation of the China SCC terms and prepared some articles discussing the China SCC mechanism. You can download those materials from the IAPP website.

Hope you enjoy this digest note. Until next time!