Charmian Aw

Charmian Aw is a partner in Squire Patton Boggs’ Singapore office. For more than 16 years, she has built a track record of representing market-leading global corporations in navigating the increasingly complex, diverse and fast-evolving tech and data legal landscape in the Asia Pacific region. Having obtained certifications in information privacy for Asia, Europe and the US (FIP, CIPP/A, CIPP/EU, CIPP/US, CIPM), Charmian has counselled hundreds of corporations on multijurisdictional data law compliance and spearheaded projects (covering up to 82 territories) on regulatory compliance, data governance, and cross-border transfers.

Diletta De Cicco

Diletta De Cicco is a counsel in Squire Patton Boggs’ Brussels office. She advises clients on cybersecurity, data and privacy issues, and in particular, to comply with existing EU and national cybersecurity, data and privacy laws, such as the NIS Directive, GDPR and the Cybersecurity Act, and on upcoming developments, such as the AI Act and the ePrivacy Regulation. Diletta holds a Certified Information Privacy Professional/Europe (CIPP/E) certification, as well as a Data Protection Officer Certificate from Maastricht University. She is a member of the International Association of Privacy Professionals (IAPP), now a chair of the Brussels KnowledgeNet Chapter and a member of the IAPP Diversity in Privacy Board.

Bartolome Martin

Bartolome Martin is a partner in Squire Patton Boggs’ Madrid office. With almost 20 years of professional practice advising national and international clients on technology transformation and (more recently) digital transformation projects, his data protection experience covers all aspects of data protection, including: the design and implementation of GDPR compliance exercises (such as the one that is the subject of this proposal), the drafting and negotiation of international data transfer agreements, the design of cross-border data protection systems, audits, DPO support, risk analysis exercises and privacy impact assessments. He also has extensive experience in the negotiation and drafting of technology agreements, outsourcing and distribution agreements (including agency and franchising) and all types of commercial and intellectual property matters (trademarks, copyright, software, licensing, e-commerce advice, entertainment law) and other areas of law, including international trade (import/export) and online gaming.

Charles-Albert Helleputte

Charles Helleputte is a partner in Squire Patton Boggs’ Brussels office. He heads up the EU Data Privacy, Cybersecurity & Digital Assets Practice. Charles focuses on existing EU and national privacy, cybersecurity and data laws, such as the NIS Directive, GDPR and the Cybersecurity Act, and on upcoming developments, such as NIS 2, DORA, the AI Act and the ePrivacy Regulation. Charles holds a Certified Information Privacy Professional/Europe (CIPP/E) certification. He is a former co-chair of the Brussels KnowledgeNet Chapter of the International Association of Privacy Professionals (IAPP) and an appointed legal expert at the EU Cybersecurity Agency (ENISA). He is a member of the IAPP EU Advisory Board and designated on the expert list for the EDPB.

Scott Warren

Scott Warren is a partner in Squire Patton Boggs’ Tokyo office and leads a team that specializes in cybersecurity, data privacy and digital data disclosures in Japan and Asia. He advises on digital compliance, eDiscovery and corporate data privacy for global and local corporations. He also has significant experience in compliance, intellectual property, litigation, dispute resolution and government regulatory and internal investigations. He has provided advice to global multinational corporations in the hi-tech, software, retail, healthcare, pharmaceutical, automotive, banking, trading, telecommunications and professional services industries.

Lindsay Zhu

Lindsay Zhu is a partner in Squire Patton Boggs’ Shanghai office. She has substantial experience in corporate compliance and related investigations, in particular in the areas of anti-bribery and business ethics for companies in the People’s Republic of China. Her work scope covers drafting and advising on the implementation of compliance policies, FCPA and ethics training, conducting internal audit/health check for clients, investigation into employee suspicious activities, and cooperating with local counsel to take civil or criminal actions. Recently she has counseled clients on China’s Cybersecurity Law and related issues.

Katherine Fan

Katherine Fan is a senior associate in Squire Patton Boggs’ Shanghai office and assists with corporate-related matters, including foreign direct investment, corporate compliance, commercial contract review, mergers and acquisitions, as well as labor and employment matters, for companies in the People’s Republic of China. Her compliance work has involved anti-corruption, commercial bribery, cybersecurity and data protection.

1. Access to personal data from another jurisdiction could constitute a transfer.

2. Availability to intragroup transfers, as well as to transfers to external parties.

• expand_more

  EU SCCs

  • Under the EU General Data Protection Regulation, the concept of "transfer" is broad, as it also applies in the case of remote access to personal data.

  • Controllers and processors can apply EU SCCs to transfer data to third parties as well as in intragroup scenarios

• expand_more

  PRC Standard Contract

  • Although the term "export" is not clearly defined in China's Personal Information Protection Law, certain guidelines issued by the authorities suggest the following circumstances will be deemed data transfers:

  1. A controller transfers the data collected and generated in its domestic operations offshore.

  2. A controller stores the data collected and generated in its domestic operations offshore.

  3. The data collected and generated by the controller is stored within China, whereby offshore organizations or individuals may access, retrieve, download or extract it.

  • The PRC Standard Contract can apply to intragroup transfers as well as transfers to third parties.

• expand_more

  ASEAN MCCs

  • Although "transfer" is not expressly defined in the ASEAN MCCs, the illustrations provided in the framework suggest access to personal data from a third jurisdiction could constitute a transfer.

  • The ASEAN MCCs are a voluntary mechanism available to any organization within the ASEAN transferring personal data to another organization in a different ASEAN country. The MCC provisions are modular, meaning they can be adapted at will, so long as the data exporter and importer adhere to applicable data protection laws including any transfer requirements and/or restrictions imposed upon them in their own territories.

  • The ASEAN MCCs can apply to intragroup transfers, as well as transfers to third parties.

3. Standards contracts are one among many available legal transfer mechanisms.

• expand_more

  EU SCCs

  • The EU SCCs are one of the legal mechanisms available under the GDPR that parties may rely upon to ensure the lawful transfer of personal data to a third country that does not provide adequate levels of personal data protection compared to the EU framework. Generally, EU SCCs are available to all controllers and processors who wish to sign and implement them, provided they can adhere to the provisions in practice.

• expand_more

  PRC standard contract

  • The PRC Standard Contract is one of the legal mechanisms available under the PIPL that parties may rely upon to transfer personal data originating from China to a third country, provided that the following criteria are met. To rely on the PRC Standard Contract for personal data export activities, a controller must satisfy all the requirements below. Otherwise, the controller will be subject to the security assessment organized by the government authority.

  1. The controller must not be a critical information infrastructure operator, which refers to the operators of network facilities and IT systems that are critical to national security and/or public interest. Typically, CIIOs are involved in industries that raise national security and public interest concerns, such as utilities, transportation, finance, public service and national defense.

  2. The volume of the personal data processed by the controller must be less than that of one million individuals.

  3. It has not exported cumulatively more than 100,000 individuals' personal data since 1 Jan. of the preceding year.

  4. It has not cumulatively exported more than 10,000 individuals' sensitive personal data since 1 Jan. of the preceding year.

• expand_more

  ASEAN MCCs

  • The ASEAN MCCs can be adapted and used for data transfers within the ASEAN. This would satisfy any member state laws that recognize a data transfer agreement or contract as one of the ways an outbound transfer can be lawfully carried out. However, where any member state has requirements that contradict the MCCs, for instance if there is data localization which requires data is only processed and stored in-territory, the local law requirement will prevail.

1. No changes are allowed/changes are allowed.

2. A description of the personal data transfers must be provided/or not.

• expand_more

  EU SCCs

  • The text of the EU SCCs is not amendable, except to select modules and/or specific options offered in the text, complete the text where necessary, fill in the annexes, or add additional safeguards that increase the level of protection for the data. Optional elements of the SCCs include a docking clause that allows additional parties to join the contract in the future or an additional redress clause that allows data subjects to lodge complaints with an independent dispute resolution body at no cost.

  • The parties can incorporate the EU SCCs into broader commercial contracts so long as the other contractual provisions do not contradict the provisions in the EU SCCs, either directly or indirectly, or prejudice the rights of data subjects.

  • Details about the transfer must be provided, including the categories of personal data, categories of data subjects, retention periods, as well as, where applicable, the list of subprocessors and the supplementary technical and organizational measures identified.

• expand_more

  PRC standard contract

  • The text of the PRC Standard Contract is not amendable and must be strictly followed, though the parties will be able to fill in the applicable blanks and select the dispute resolution mechanism. Additional provisions, that do not contradict the PRC Standard Contract, agreed between the parties can be added to the PRC Standard Contract in a separate appendix.

  • The PRC Standard Contract is a standalone contract. The parties will be able to refer to the commercial contract in the preamble.

  • Details about the export need to be included, including the purpose and method of export, the type and volume of the personal data being exported, the details on onward transfers by the offshore recipient, the transmission method, the offshore retention period, and the location of storage; the security and organizational measures to be taken by the offshore recipient; and the point of contact of the offshore recipient to respond to data subject inquiries.

• expand_more

  ASEAN MCCs

  • There are additional optional modules offered in the MCCs which parties can choose to include in their final executed agreement.

1. A modular approach is accepted/promoted.

• expand_more

  EU SCCs

  • EU SCCs are designed for four possible transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.

• expand_more

  PRC standard contract

  • The PRC Standard Contract applies to all personal data export activities by controllers only. Unlike the EU SCCs, it does not differentiate controller-to-controller or controller-to-processor transfers, nor does it apply to data transfers by a processor.

• expand_more

  ASEAN MCCs

  • The ASEAN MCCs are designed for two possible scenarios: C2C and C2P transfers.

1. A risk assessment must be conducted prior to the transfer.

2. The assessment includes an evaluation of the third country’s legal framework.

3. The assessment should be transfer specific and consider whether the transfer is necessary.

4. A risk-based approach is adopted generally.

5. Additional measures may have to be included to ensure an adequate protection.

6. Monitoring obligations apply.

• expand_more

  EU SCCs

  What is a data transfer impact assessment?

  • A DTIA helps ensure EU SCCs will provide appropriate safeguards and effective and enforceable rights for individuals. It involves a detailed assessment of the laws and practices of the third country of destination. As part of the DTIA, parties should assess the risks related to the transfer, such as the risk of public authorities accessing personal data, as well as the possibility for data subjects to effectively enforce their rights. If the assessment determines the personal data is insufficiently protected by the safeguards provided under the EU SCCs, then supplementary measures should be adopted to address the deficiencies identified.

  Country assessment

  • Data exporters are required to assess if there is anything in the law and/or practices of a third country that may impinge on the effectiveness of the appropriate safeguards being relied upon and in the context of the specific transfer.

  Specific circumstances of the transfer and necessity test

  • The DTIA should be transfer-specific and consider whether the transfer meets the necessity test. The EU SCCs require the parties to consider the specific circumstances of the transfer. Examples include the length of the processing chain, the number of actors involved, the transmission channels used, intended onward transfers, and the type of recipient.

  Is it a risk-based approach?

  • Even if in a footnote, the EU SCCs allow data exporters to take a risk-based approach when conducting the DTIA. When assessing the impact of the laws and practices on compliance with the EU SCCs, the data exporter can take into account “relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time frame.” However, these elements should be part of an overall assessment and, when they are used to justify the transfer, the conclusion should be supported by other relevant, objective elements.

  Additional measures

  • If a third country's legislation cannot guarantee a level of protection that is equivalent to the one provided under the EU framework, then technical, contractual, i.e., additional clauses, and organizational measures, i.e., specific policies and procedures, can also be put in place to address deficiencies identified in the DTIA.

  Monitoring

  • The EU SCCs do not contain specific provisions for when a DTIA must be redone.

  • However, in its January 2020 recommendations, the European Data Protection Board stated data exporters must monitor, on an ongoing basis, developments in the third country to which they have transferred personal data when such developments could affect the assessments they made and the decisions they took.

• expand_more

  PRC standard contract

  What is a personal information protection impact assessment?

  • As required by the PIPL, a PIPIA is the precondition of carrying out any personal data export activities. A PIPIA on data exports shall include:

  • The legitimacy and necessity of the purpose, scope and method of the processing by the controller and the offshore recipient.

  • The volume, scope, type and sensitivity of the personal data being exported, and the risks associated with the export on the data subjects' rights and interests.

  • The undertakings of the offshore recipient, and the effectiveness of the technical and organizational measures taken by the offshore recipient in terms of safeguarding the personal data.

  • The risk of a data breach after the export of personal data, and whether an effective mechanism has been established to protect the data subjects' rights and interests.

  • The legislative environment of foreign jurisdictions where the offshore recipient is located, and how it may impact the performance of the PRC Standard Contract.

  • Other matters that may influence the security of personal data in the context of a data export.

  Evaluation on the legislative environment of foreign jurisdictions

  • Under the PRC Standard Contract, both the controller and the offshore recipient are obligated to evaluate whether the legislative environment of the foreign jurisdiction where the offshore recipient is located may impair the offshore recipient's performance of the PRC Standard Contract.

  • The PRC Standard Contract also sets forth the detailed aspects to be considered for the evaluation, including the export details, prior experience of the offshore recipient, and policies and legislations of the foreign jurisdiction. The assessment on foreign jurisdictions should be included in the PIPIA report.

  Necessity of export

  • A critical part of the PIPIA is to justify and demonstrate in the report the necessity of the personal data export, which is the fundamental requirement of exporting personal data under the PIPL. The factors to consider typically include the nature of the data subjects, the types of data being exported and the purpose of the export.

  Is it a risk-based approach?

  • The offshore recipient's prior experience with similar exports or requests from public authorities to access personal data should be taken into account during the evaluation discussed in the second point above.

  Additional Measures

  • The specific technical measures to be taken by the offshore recipient should be added to the PRC Standard Contract. The controller has the obligation to use reasonable efforts to ensure those measures have been taken by the offshore recipient.

  Monitoring

  • Unlike the EU SCCs, the PRC Standard Contract contains specific requirements on when a PIPIA must be redone.

  • The parties are required to redo the PIPIA, amend or re-sign the PRC Standard Contract and make a new filing if there is:

  • Any change in the purpose, scope or types of personal data being exported; any change of the method of the export or the location of storage; or any change in the offshore recipient's usage, method of processing or retention period.

  • Any change in the foreign legislation or policy that may impair the rights and interests of the data subjects.

• expand_more

  ASEAN MCCs

  No transfer risk assessment is required.

  Additional measures

  • The ASEAN MCCs provide that the data exporter must ensure the importer has reasonable and appropriate technical, administrative, operational and physical measures in place that are consistent with applicable data protection laws. However there are no requirements for parties to assess and put these measures in place over and above what the contractual language stipulates.

  Monitoring

  • There are no monitoring requirements prescribed under the ASEAN MCCs.

1. Do the standards clauses require the reporting of personal data breaches?

• expand_more

  EU SCCs

  • The EU SCCs require data importers to take measures to address data breaches and mitigate their adverse effects. The EU SCCs also require data importers to report data breaches, with varying reporting obligations depending on the module and the level of risk arising from the breach.

  • In the C2C module, the data importer must notify the data exporter and the competent supervisory authority if the breach is likely to result in a risk to the rights and freedoms of individuals as well as the data subjects if the likelihood of such risk is high. In the C2P and processor-to-processor modules, the data importer must notify the data exporter (and its data controller in the P2P module, if feasible), and assist the data exporter in complying with its own notification obligations. In the P2C module, when a data breach happens at the data exporter's level, it is the data exporter who must notify and assist the data importer.

• expand_more

  PRC standard contract

  • In case of data breaches, the PRC Standard Contract requires the offshore recipient to promptly take remedial actions and mitigate the impact on the data subjects; notify the breaches to the controller and the supervising authority, and, if required by the law, the data subjects directly; and keep records on the breach and the remedial actions. The notice to the controller and supervising authority should include:

  • The types of personal data affected by the breach, the cause, and potential consequences and impact.

  • The remedial actions being taken.

  • The remedial actions that could be taken by the controller to mitigate the loss.

  • The contact of the person or team responsible for dealing with the breach.

  • In cases where the offshore recipient is an entrusted party, i.e., similar to C2P transfers under the GDPR, the notices to data subjects must be delivered by the controller.

• expand_more

  ASEAN MCCs

  • Yes, but through an optional module only.

  • The ASEAN MCCs require the data importer to notify the data exporter of any data breaches it becomes aware of, and parties have the option to determine the period in which this is done, for instance, without undue delay or within a reasonable time specified by the parties.

1. Specific conditions must be met for onward transfers.

• expand_more

  EU SCCs

  • An onward transfer may only take place if the data importer meets certain conditions, which vary depending on the module.

  • For instance, specific grounds for the transfer should be identified. Grounds for the C2C, C2P and P2P modules include, for example) the third-party being bound by the EU SCCs;) the third country benefiting from an adequacy decision; or the onward transfer being necessary for specific reasons, e.g., to establish, exercise or defend legal claims, to protect the vital interests of individuals, etc. Additional grounds are available only for the C2C module, such as obtaining the explicit consent of the data subject.

• expand_more

  PRC standard contract

  • An onward transfer may only take place if all the following requirements are met:

  • Necessity in terms of business

  • Sufficient notice to the data subjects on the onward transfers, to the extent required by the law.

  • Proper consent from the data subjects if the processing is based on consent.

  • Written agreement with the third-party recipient, ensuring that such recipient could meet the standard of protection required by the PRC laws.

  • Data subjects have the right to request a copy of the agreement with the third-party recipient.

• expand_more

  ASEAN MCCs

  • The ASEAN MCCs provide a module to address any onward transfers.

  • The data importer must only carry out an onward transfer after notifying the data exporter of this in writing and giving the exporter a reasonable opportunity to object. The importer also must ensure any third-party recipient is bound by the same obligations as those that the data importer owes to the data exporter.

1. The standards provide for the possibility/obligation to suspend the transfer in case the protection afforded to personal data is not effective.

• expand_more

  EU SCCs

  • Under the EU SCCs, the data exporter must suspend the data transfers if the data importer breaches or is unable to comply with its obligations under the EU SCCs, or if the data exporter is instructed to do so by the competent supervisory authority or the data controller, in the P2P module.

  • In the event of suspension, the data exporter may be entitled to terminate the contract with the data importer. To do so, one of the termination grounds must be present, such as if the suspension exceeds a reasonable time, one month in any event and if the data importer is in substantial or persistent breach.

• expand_more

  PRC standard contract

  • Under the PRC Standard Contract, the controller may suspend the export of personal data if the offshore recipient violates its contractual obligations under the PRC Standard Contract or if a change in policy and legislation of the jurisdiction where the offshore recipient is located results in the recipient's failure in performance of the PRC Standard Contract.

  • In addition, if the suspension lasts for more than one month, the controller has the right to terminate the PRC Standard Contract.

• expand_more

  ASEAN MCCs

  • The ASEAN MCCs stipulate that if the data importer is in breach of its obligations, either under the MCCs or applicable law, then the data exporter is entitled to temporarily suspend the transfer of data until the breach is repaired or processing under the agreement is terminated.

• expand_more

  EU SCCs

  • There is no requirement to file the EU SCCs nor to retain the DTIA for a specific amount of time.

• expand_more

  PRC standard contract

  • The executed PRC Standard Contract and the PIPIA report on the personal data export must be filed with the provincial Cyberspace Administration of China within 10 working days after the PRC Standard Contract takes effect. All documents must be written in Chinese.

  • The PIPIA report must be retained for at least three years.

  • Note that the measures on PRC Standard Contract will take effect 1 June, and a six-month grace period is granted to existing export activities.

• expand_more

  ASEAN MCCs

  • There is no requirement to register the ASEAN MCCs, although, in principle, if a data exporter is required under local law to file a transfer agreement with a local authority, it can do so using the MCCs in their executed form.

1. Obligation to identify a local governing law.

2. Obligations in relation to competent forum.

• expand_more

  EU SCCs

  • The governing law must allow for third-party beneficiary rights and, in most cases, it must be the national law of a European Economic Area country. The parties can only specify the national law of an EEA or non-EEA country in the P2C module.

  • Similar rules apply when choosing the competent forum, i.e., the obligation to identify the courts of an EEA country in most cases. However, a data subject may also bring legal proceedings before the courts of the EEA country of their habitual residence.

• expand_more

  PRC Standard Contract

  • The PRC Standard Contract must be governed by the PRC laws.

  • The parties to the PRC Standard Contract may choose a Chinese court or an international arbitration tribunal under the New York Convention as the mechanism of dispute resolution.

  • Data subjects, as the third-party beneficiaries, may bring legal claims in Chinese courts.

• expand_more

  ASEAN MCCs

  • Parties are free to choose the governing law of the ASEAN MCCs, among the 10 member states.

  • Parties are free to choose the forum of dispute resolution.

1. Organizations will need to work with local supervision (with some exceptions).

• expand_more

  EU SCCs

  • In most cases, the EU SCCs require the identification of an EEA data protection authority, determined based on the territorial scope of the data exporter.

  • In the C2C, C2P and P2P modules, the parties must designate the supervisory authority competent for the data exporter's compliance with the GDPR, if the exporter is established in the EEA; the supervisory authority of the representative's establishment, if the data exporter is not established in the EEA but has appointed a representative; or the supervisory authority of one of the EEA countries where the data subjects' data is transferred are located, if the data exporter is not established in the EEA and has not appointed a representative. There is no requirement to identify an EEA supervisory authority for the P2C module. The EU SCCs also allow data subjects to lodge a complaint with the EEA data protection authority in the country of their habitual residence or place of work.

• expand_more

  PRC standard contract

  • Under the PRC Standard Contract, the supervisory authority refers to the provisional and state CAC.

  • Notably, by signing the PRC Standard Contract, the offshore recipient accepts the supervision and administration of the CAC, including, but not limited to, answering inquiries, cooperating with inspections, complying with measures taken or decisions made by the CAC, and providing written certificates as requested.

• expand_more

  ASEAN MCCs

  • The ASEAN MCCs are silent on any supervisory authority, as they are voluntary in nature and local data protection laws will continue to apply to the respective parties.