
International: China's Standard Contract for cross-border data transfers - What do you need to know to implement it

On 24 February 2023, the Cyberspace Administration of China ('CAC') released the final form of its key transfer mechanism for data exports - the long-awaited Personal Information Export Standard Contract ('the Standard Contract') and its accompanying Measures on the Standard Contract ('the Measures'), which set out the principles governing the use of the Standard Contract. While the Standard Contract comprises one of three transfer mechanisms under China's data protection law - the Personal Information Protection Law of the People's Republic of China ('PIPL') - the Standard Contract is anticipated to be the most popular approach for international businesses seeking to export personal information out of mainland China.

Alex Roberts, from Linklaters, and Roger Li and Tiantian Ke, from Zhao Sheng Law Firm, look at the key aspects of the Standard Contract and compare them to the EU 2021 Standard Contractual Clauses ('EU SCCs').


Recap on the background to the Standard Contract

Developments relating to cross-border data transfers from mainland China have been rapid since the summer of 2022, as the Chinese Government has seemed keen to implement the mechanisms outlined in the PIPL.

Having taken effect on 1 November 2021, the PIPL's three major transfer mechanisms are:

  • passing a CAC-led security assessment, which applies only to those organisations which trigger certain thresholds set out under the implementation measures that became effective from 1 September 2022;
  • obtaining a certification from an authorised institution, although the implementation of the underlying scheme remains untested as these institutions are generally not yet active in the market; and
  • signing the Standard Contract, which, compared to the other two mechanisms, appears to be a relatively business-friendly method without involvement of a government body or government-authorised third party.

International businesses may also transfer data by fulfilling other conditions provided in laws or administrative regulations or by the CAC. However, details of these routes are yet to be made publicly available.

EU SCCs: Comparison and contrast

Those that studied the draft Standard Contract that was released in June last year would have noted the similarities to the EU SCCs, which may be used to legitimise exports of personal information from the EU under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This is still the case, as both the Standard Contract and the Measures generally remain the same as their 2022 drafts.

Nevertheless, the template contract differs from the EU SCCs in several aspects, such as the scope of application, overall structure, and the additional filing obligations that it carries. Understanding the gaps between the Chinese and GDPR regimes will be essential for businesses that are seeking to use both the Standard Contract and the EU SCCs as part of their international data transfer strategy.

A comparison table highlighting some key issues across the Standard Contract and the EU SCCs is set out below.

Each row of the table is set out below under four headings: key issue, EU SCCs, China Standard Contract, and comparison and commentary.

Key issue: Scope of application

EU SCCs: EU data exporters can use the EU SCCs to make cross-border transfers to a data importer located in a third country outside of the EU, where that country has not been granted an adequacy decision (countries that have been granted one are the so-called 'whitelisted' jurisdictions).

China Standard Contract: If the personal information processor (a term similar to a 'controller' under the GDPR) which seeks to make a cross-border data transfer is not subject to the security assessment regime, the Standard Contract can be used. To qualify, the organisation must:

  • not be a critical information infrastructure operator, as outlined in other cybersecurity rules released by the CAC;
  • process personal information of no more than 1 million individuals;
  • have provided personal information of no more than 100,000 individuals in aggregate to overseas recipients since 1 January of the previous year; and
  • have provided sensitive personal information of no more than 10,000 individuals in aggregate to overseas recipients since 1 January of the previous year.

Comparison and commentary: Materially different.

The Standard Contract has a narrower scope of application (both in terms of sectoral relevance and data volumes) than the EU SCCs.

The Measures - as released in final form - explicitly prohibit organisations from splitting the volume of data to be exported via Standard Contracts among different entities in order to avoid meeting the thresholds for a mandatory security assessment. This new provision seeks to prevent organisations from using the Standard Contract to circumvent the more onerous security assessment mechanism, which it is understood the CAC thinks has been adopted less than it envisaged.

Key issue: Overall structure

EU SCCs: Four-module approach. The EU SCCs can be adopted for personal information exports:

  • from a controller to another controller ('C2C');
  • from a controller to a processor ('C2P');
  • from a processor to a sub-processor ('P2P'); and
  • from a processor to its appointing controller ('P2C').

China Standard Contract: One-size-fits-all approach. The Standard Contract has been released in one form that must be signed between a personal information processor and an offshore recipient, despite the CAC having considered a two-module approach like that adopted under the recommended measures applicable in the Hong Kong Special Administrative Region ('SAR').

Comparison and commentary: Radically different.

Multinational organisations will likely find it difficult to apply the one-size-fits-all terms of the Standard Contract to all transfer scenarios in practice. Compared with the multiple circumstances that are feasible with the EU SCCs, this aspect will be challenging for international business. For example:

  • Can an overseas personal information processor that is subject to the extraterritorial application of the PIPL adopt the Standard Contract?
  • The Standard Contract does not appear to allow a China-based entrusted party (akin to a 'data processor' under the GDPR) to adopt the Standard Contract with its offshore recipients. If so, how can an entrusted party legitimise its cross-border transfers, for example, when acting as a service provider to overseas affiliates?

Key issue: Flexibility of contract

EU SCCs: One or more modules of the EU SCCs can be included in a master contract and supplemented with other provisions or additional safeguards, so long as they do not contradict the EU SCCs or prejudice the fundamental rights or freedoms of data subjects.

The EU SCCs are also expressly designed to be adopted by multiple controllers and/or processors and include a 'docking' clause to subsequently add further parties.

China Standard Contract: The Measures state that the Standard Contract must be concluded in strict accordance with the CAC's form. A domestic organisation may agree other terms with its overseas counterpart and record these in the second appendix to the Standard Contract. However, these additional terms must not conflict with the Standard Contract.

Comparison and commentary: Differences exist, but with some similarities.

The Standard Contract seems to be less flexible in its form than the EU SCCs. This will create a challenge for international businesses' global data transfer programmes if they are to meet the requirements imposed on the form of the Standard Contract.

It will be crucial for the CAC to clarify whether the Standard Contract must be used in a bilateral manner or can also be revised so it is multilateral (as the EU SCCs allow) for use in the existing intra-group data transfer agreements of international groups.

Key issue: Pre-contract step: transfer impact assessment

EU SCCs: The EU SCCs and related European Data Protection Board guidance require a transfer impact assessment ('TIA') to be conducted to assess the risk of transferring personal data to the relevant third country. A key objective of the TIA is to examine the extent of the data access rights of local law enforcement and national security agencies in the third country.

There is no specific retention requirement for holding TIA records. However, in practice, organisations should retain their TIAs to assist in complying with their accountability obligations under the GDPR.

China Standard Contract: Under the PIPL, a personal information processor must conduct a personal information protection impact assessment ('PIPIA') before any data export. The PIPIA must include an assessment of the impact of local policies and applicable laws regarding the protection of personal information on compliance with the Standard Contract.

A PIPIA must be retained for three years.

Comparison and commentary: Differences exist, but with some similarities.

To prepare PIPIAs, domestic organisations can be expected to request information on the offshore party's circumstances as the recipient of the personal information, including the protections afforded to that information under the local law of the place in which the offshore recipient is located, together with information on the offshore party's data security practices.

Undertaking a compliant PIPIA will likely be time consuming. Multinational groups should implement procedures to map their data processing and data flows and consolidate the data required to complete a PIPIA on the relevant data export activities.

Key issue: Post-contract step: filing procedure

EU SCCs: The EU SCCs do not require filing with the competent supervisory authority. However, the EU authorities may request to review relevant EU SCCs in certain circumstances, such as an audit or investigation.

China Standard Contract: A personal information processor must file both the Standard Contract and the report generated by the PIPIA with the provincial branch of the CAC that supervises the location where the organisation is registered. The filing must be completed within ten days from the effective date of the Standard Contract.

If certain changes occur that may affect interests in the personal information, the data exporter must re-conduct the PIPIA and supplement or re-sign the Standard Contract.

Comparison and commentary: Materially different.

Because the Standard Contract and corresponding PIPIA must be filed, domestic enterprises can be expected to make increasing numbers of information requests of overseas counterparties for the purposes of undertaking compliant PIPIAs. This may lead to service providers seeking to prepare the relevant information in advance to give them a competitive advantage in servicing Chinese businesses expanding abroad.

International organisations must consider implementing an ongoing monitoring protocol to flag when changes to their data export activities affect a filed PIPIA and/or Standard Contract.

Key issue: Compliance with data processing principles and safeguards

EU SCCs: Aligned with the GDPR requirements, parties are required to comply with obligations and principles of lawful processing, transparency, data minimisation, respecting data subject rights, limitation of storage, security, and accountability.

China Standard Contract: Aligned with the PIPL requirements, parties are required to comply with obligations and principles of lawful processing, transparency, data minimisation, respecting data subject rights, limitation of storage, security, and accountability.

Comparison and commentary: Generally aligned.

Key issue: Data processing terms

EU SCCs: Provisions are included in the EU SCCs that meet the requirements of Article 28 of the GDPR in respect of data handling by processors (where applicable).

China Standard Contract: Provisions are included in the Standard Contract that meet the requirements of Article 21 of the PIPL in respect of data handling by an entrusted party.

Comparison and commentary: Generally aligned.

Key issue: Acceptance of oversight from supervisory authorities

EU SCCs: The party receiving the personal information must accept supervision by the relevant EU supervisory authority, including to respond to enquiries, cooperate with audits by, and comply with measures adopted by, the supervisory authority.

The parties to the EU SCCs must also be able to show their compliance with the EU SCCs, and make available to the supervisory authority, upon request, documentation evidencing that compliance and the corresponding processing activities.

China Standard Contract: The offshore recipient must accept the supervision and management of the Chinese supervisory authority during the term of the Standard Contract, including to respond to enquiries and comply with measures adopted or decisions made by that authority.

The parties to the Standard Contract must also be able to show their compliance with the Standard Contract, and make available to the competent authorities on request documentation evidencing that compliance and the corresponding processing activities.

Comparison and commentary: Generally aligned, but a new term requiring notification of government access requests may cause a conflict of laws.

The final form of the Standard Contract contains a new provision requiring the offshore recipient to immediately notify the data exporter when the recipient receives a data access request from a local government department or judicial authority. Since this new obligation has no exceptions under the Standard Contract or the Measures, conflicts of laws will likely occur between the two jurisdictions. Namely, where a notification is prohibited under the law of the foreign jurisdiction, failing to make the notification to the party in China would likely constitute a breach of contract, while notifying the Chinese party in accordance with the Standard Contract's obligation may lead to a violation of the overseas jurisdiction's regulatory requirements.

Key issue: Governing law and choice of jurisdiction

EU SCCs: Depending on the four modules:

  • C2C: Parties may select the governing law of any EU Member State, provided that such law permits data subjects to enjoy third-party beneficiary rights. Parties may agree on the jurisdiction of the courts of any EU Member State. Data subjects may also make claims against the Chinese party and/or offshore recipient before the courts of the EU Member State in which they have their habitual residence.
  • C2P or P2P: Parties must select the governing law of the EU Member State where the data exporter is located, provided that such choice of law permits data subjects to enjoy third-party beneficiary rights (and where that is not the case the governing law must be that of an EU Member State that does permit those rights). Choice of jurisdiction is the same as for the C2C module.
  • P2C: Parties can select the governing law and jurisdiction of the courts of any country, provided that in the case of governing law such law permits data subjects to enjoy third-party beneficiary rights.

China Standard Contract: The Standard Contract is solely governed by the laws and regulations of mainland China.

If disputes arise between the data exporter and data importer, they can resolve the dispute through an arbitration institution that is a member of the 'New York Convention', or through litigation conducted in the courts of mainland China.

If a data subject (as a third-party beneficiary) claims against the personal information processor or the offshore recipient, the jurisdiction should be determined in accordance with the provisions of China's Civil Procedure Law.

Comparison and commentary: Materially different.

Many multinational organisations will embrace the option of agreeing on an arbitration institution that is a member of the New York Convention, since they have traditionally been hesitant to bring disputes in China because of concerns about impartiality and practical issues, such as choice of language.

Next steps

The Chinese authorities are pushing implementation of their transfer regimes forward, and the regulatory sanctions for cyber and data non-compliance are increasing. If they have not already done so, international organisations conducting cross-border business in or with mainland China must complete comprehensive data protection examinations and assess which outbound transfer mechanisms they may utilise or have to comply with.

The Standard Contract and the Measures will take effect on 1 June 2023. New in-scope data exports from mainland China (including to Hong Kong SAR) must use the Standard Contract from that date, unless another transfer mechanism is mandatory or chosen. Although a six-month grace period applies to existing transfer arrangements, it may take months to renegotiate and sign revised agreements with counterparties - particularly those outside China that do not wish to increase their legal exposure to its regulators.

Time is now of the essence to ensure compliance in this crucial market for so many multinational groups.

Alex Roberts, Counsel, Linklaters, Shanghai
Roger Li, Associate, Zhao Sheng Law Firm, Shanghai
Tiantian Ke, Associate, Zhao Sheng Law Firm, Shanghai
