In the past year, we have seen an increase in the number of countries developing/updating legal frameworks (such as model agreements) that permit the transfer of personal data abroad. Transfer mechanisms, such as the model agreements, are necessary because different countries’ data protection laws may offer different levels of protection to individuals’ personal data. Transfer mechanisms function as an “equalizer” by requiring a base level of protection that all entities must have in place when transferring personal data abroad. Accordingly, transfer mechanisms ensure that protections are in place to safeguard data that leaves a country with strong data protection laws to be transferred to a country that has no such laws. Last June, the European Commission updated its Standard Contractual Clauses (“EU SCCs”) permitting the transfer of data outside the European Economic Area (“EEA”) after a decade. Earlier this year the United Kingdom implemented the UK’s version of transfer clauses with the International Data Transfer Agreement (“UK IDTA”). Like Europe and the United Kingdom, China also has some transfer mechanisms in the works.
On June 30, 2022, the Cyberspace Administration of China (“CAC”) released draft provisions on the Standard Contract for the Cross-border Transfers of Personal Information (“Draft Provisions”). The Draft Provisions are an extension of China’s data privacy efforts and work in conjunction with China’s comprehensive data privacy regulation, the Personal Information Protection Law (“PIPL”). Like its EU and UK counterparts, the Draft Provisions are a template standard contract that exporting parties can incorporate into agreements involving the transfer of personal data collected in China. Like the EU and UK SCCs, the Draft Provisions can be modified to include additional terms so long as they do not contradict any existing language included within the template agreement.
While the Draft Provisions aim to serve the same purpose as the EU SCCs and UK IDTA, there are notable differences between the three transfer mechanisms that entities transferring personal data should be aware of. The chart below breaks down the differences of each mechanism (but is subject to change given that the Draft Provisions have not yet been finalized).
|Topic||EU SCCs||UK IDTA||Draft Provisions|
|When Required?||The EU SCCs are required when transferring personal data outside the EEA and Switzerland. The EEA consists of the following European Union member states: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.||The IDTA is required for personal data transfers outside England, Wales, Northern Ireland and Scotland.||The Draft Provisions are required to transfer personal data outside China.|
|Mechanism’s History||On June 4, 2021, the European Commission published the finalized version of the EU SCCs. Before these clauses took effect, the European Commission used the “old” EU SCCs, which were in effect for over a decade. The “old” EU SCCs were updated to align more closely with the General Data Protection Regulation (“GDPR”).||Following Brexit, the EU’s GDPR no longer governed personal data of UK residents. As a result, the UK adopted its own version of the GDPR (the “UK GDPR”). For the purpose of data transfers outside the UK, Northern Ireland and Scotland the “old” EU SCCs could be used (and still can be used for a limited time) so long as they were modified to replace any reference to the EU with the UK.||The Draft Provisions are the first transfer mechanisms of its kind in China. Although there have been several iterations of proposed Draft Provisions none have gone into effect. The purpose of the Draft Provisions is to align with Article 38(1)(3) of the PIPL.|
|Who Can Use this Mechanism?
||All Entities. The EU SCCs are available to all data controllers and/or processors who wish to sign and implement them, provided they can adhere to the provisions in practice.||All Entities. Like the EU SCCs, the IDTA is available to all controllers and/or processors who wish to sign and implement them, provided they can adhere to the provisions in practice.||Limited Entities. The Draft Provision limits the types of entities that may enter into this standard agreement. These entities must satisfy the following requirements:
*Notably, the Draft Provisions also require the data exporter to file the executed contract with the provincial branch of the CAC within 10 days after the contract goes into effect along with a personal information protection impact assessment that must be prepared before the transfer.
|Does the Mechanism have Modules?
Yes. The EU SCCs feature four separate modules that govern the transfer of personal data between entities based on each party’s data processing/exporting role.
Module One: controller to controller transfers
Module Two: controller to processor transfers
Module Three: processor to processor transfers
Module Four: processor to controller transfers.
Thus, the EU SCCs modular approach requires entities to pay close attention to (i) all potential processing roles a party may have under a transaction (e.g., data controller or data processor) and (ii) examine how data flows. Under the EU SCCs, certain agreements can call for the need of various modules to be in place to permit the transfer of data outside the EEA.
|Yes. The IDTA adopts the same modular approach as the EU SCCs. The exporting parties must also select all the modules that apply to the particular data transfer in question.||No. As discussed above, China’s Draft Provisions are limited to transfers from certain Chinese-based entities to an overseas recipient. However, the Draft Provisions do not differentiate between certain transfer scenarios as the EU SCCs and IDTA do. As drafted, there are some ambiguities as to what obligations apply solely to data controllers and importers outside China and the obligations that apply only to processers or importers outside China.|
|Are Onward Transfers Permitted?||Yes. Under the EU SCCs, an “onward transfer” simply means the further disclosure of personal data by the data importer to another third party outside the EEA. For example, if any personal data has been transferred from the EEA to the United States and then transferred from the United States to other countries, the transfer from the United States is an “onward transfer” for GDPR purposes. Typically, a second agreement such as a data processing agreement is needed for the data importer to carry out an onward transfer to an additional third party||Yes. Similar rules as the EU SCCs.||It’s complicated. The Draft Provisions have stricter restrictions on carrying out onward transfers. Overseas recipients are not allowed to disclose personal data to third parties located outside China unless the following requirements are met:
||Yes. The EU SCCs feature a docking clause 7, which expressly permits adding new parties to the SCCs. The docking clause provides that an entity that is not a party to the SCCs may, with the agreement of the parties, accede to the SCCs at any time, either as a data exporter or as a data importer, by completing the EU SCCs Appendix and signing Annex I.A.||Yes. Parties may amend the IDTA for use in multi-party arrangements and the clauses do not need to be signed to become binding||Unclear. It is unclear whether these clauses will allow multi-party arrangements.|
|Is there a Short-Form Version of this Mechanism?
||No. There is no short-form version of the EU SCCs||Yes. The UK IDTA is unique in that it works in tandem with the EU SCCs. In other words, if the EU SCCs are already in place, a shorter version of the IDTA may be used instead of the full 36-page document.||Unclear. It is unclear whether the CAC will create a short-form version of the draft provisions that may be used in conjunction with the EU SCCs or IDTA.|
Effective: September 27, 2021
Grace Period: Organizations can no longer enter into the “old” EU SCCs (the cut off was September 27, 2021) but can rely on the “old” EU SCCs entered into before that date until December 27 2022.
Effective: March 21, 2022.
Grace Period: Organizations may enter into the “old” EU SCCs (with UK edits), on or before September 21, 2022. Transfers using the “old” EU SCCs will be valid until March 21, 2024 assuming that the processing operations under the agreement remain unchanged during that time.
Not in Effect.
Public Comment on the Draft Provision ended on July 29, 2022.
Taft’s privacy and data security attorneys will continue to monitor updates related to the Draft Provisions. In the meantime, we can assist with questions related to the Draft Provision or any other data transfer mechanism. Stay tuned to Taft Privacy and Data Security Insights or download our app for more news and information.