On February 24, the Cyberspace Administration of China (CAC) released the final version of the Standard Contract Clauses for Cross-Border Transfer of Personal Information (the SCCs) and the Measures for the SCCs (the Measures) under the Personal Information Protection Law (PIPL).
The final versions of the Measures and the SCCs almost mirror the draft versions published in June 2022 and closely track the European Union's SCCs for international transfers under the General Data Protection Regulation (GDPR).
Some Important Takeaways
PIPL provides three legal mechanisms that organizations with operations in China may rely upon to transfer personal information out of China: (1) undergo a CAC-administered security assessment; (2) enter into the SCCs with the recipient outside of China; or (3) obtain a certificate from a CAC-recognized professional organization.
There are two sets of SCCs available: (1) “controller-controller” SCCs and (2) “controller-processor” SCCs. The SCCs cannot be used, and the data exporter will instead need to undergo a CAC-administered security assessment, if the data exporter meets the requirements below:
- is an operator of critical information infrastructure;
- holds/processes the personal data in China of more than one million individuals;
- has transferred out of China the personal data of more than 100,000 individuals since January 1 of the previous year; and
- has transferred out of China the sensitive personal data of more than 10,000 individuals since January 1 of the previous year.
Personal Information Protection Impact Assessment (PIPIA)
A controller must file a PIPIA report (along with the SCCs) with the provincial branches of the CAC within 10 working days of the execution of the SCCs. The executed SCCs do not require approval from the CAC to take effect.
Governing Law and Dispute Resolution
The SCCs must be governed by the laws of China. The SCCs enable the parties to settle disputes through (1) arbitration in China, (2) arbitration in a country that is a member of the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards, or (3) litigation in China. However, data subjects have the right to file a lawsuit to assert their rights or claims against the parties to the SCCs in a Chinese court.
Failure to comply with PIPL can result in administrative, civil and even criminal liabilities. Fines can range between RMB 1 million and RMB 50 million, or up to 5% of the annual turnover in the previous year.
The CAC's Authority and Supervision
The Measures provide that the CAC will require the processor to rectify and mitigate the risks only if it identifies significant risks with a cross-border transfer. The CAC will also be involved if any security incidents have occurred.
Grace Period and Timeline
The Measures and the SCCs will become effective on June 1, 2023, with a six-month grace period for compliance by November 30, 2023.
The three legal mechanisms under PIPL for cross-border data transfers outside of China continue to evolve. Companies will need to pay close attention to these developments in order to comply with PIPL's complex requirements.