On 30 May 2023, the Cyberspace Administration of China (CAC) issued the Guidelines and Measures for the Filing of Standard Contracts (the SCC) for the Outbound Transfer of Personal Information, providing specific requirements for the methods, procedures, and materials for filing standard contracts for the outbound transfer of personal information, along with the EU’s General Data Protection Regulation. This comes into effect on June 1, 2023.
According to the SCC Regulations, business organizations are only allowed to adopt the SCCs for transferring China data abroad if ALL of the following conditions are satisfied:
- The data exporter is not a critical information infrastructure operator (CIIO), which is broadly defined to cover business entities in financial, energy, telecom, public utility, health care, transportation, e-government and other sectors that bear on the national security and public interest of China.
- The data exporter has not processed the personal data of more than 1 million individuals.
- The data exporter has not made aggregated transfers of the personal data of more than 100,000 individuals since Jan. 1 of the preceding year.
- The data exporter has not made aggregated transfers of the sensitive personal data of more than 10,000 individuals since Jan. 1 of the preceding year.
The SCC Regulations explicitly prohibit businesses from splitting or breaking down the volume of China data transferred abroad in order to circumvent the CAC security assessment mechanism.
Unlike the EU General Data Protection Regulation SCCs, which cover four different models (controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller), China's SCCs have only one universal template, regardless of the role and function of the parties.
Before entering into the cross-border data transfer agreement, the data exporter is required to conduct an impact assessment and prepare an impact assessment report by considering multiple factors, including:
- Validity, necessity and appropriateness for the cross-border data transfer.
- Scope, category, volume and sensitivity of the data transferred.
- Obligations to be undertaken by the foreign data recipient.
- What technical and organizational measures are to be adopted by the foreign recipient.
- Potential risk of personal data being breached, leaked or damaged after the transfer and what remedy channels are available to data subjects.
- Data protection laws and policies of the foreign destination countries.
- Other aspects which may affect the cross-border data transfer.
The cross-border data transfer agreement must be prepared based on the SCC standard terms. The parties are not allowed to make changes to the standard SCC terms.
Liability and Enforcement
The CAC can check whether a cross-border data transfer poses substantial risk or involves major data incidents; CAC officials will request interviews and meetings with the data exporter and order rectifications. The CAC can also set up a whistle-blowing mechanism where individuals or organizations can report noncompliant cross-border data transfer activities to provincial CAC authorities.
The SCC Regulations further provide that if any of those irregularities constitute noncompliance with China's Personal Information Protection Law (PIPL), the violator will face administrative, civil and even criminal liabilities, with maximum penalties under the PIPL reaching RMB 50 million, approximately USD 7.8 million, or 5% of the last year's turnover, whichever is higher.