Since China’s Personal Information Protection Law (PIPL) took effect in 2021, companies doing business in mainland China have questioned what is required of them when transferring personal information in and out of the country. Taft pondered this very question in our earlier blog post, ‘Data Transfers and Beyond: China Moves Closer to Finalizing Draft Provisions Permitting the Transfer of Personal Data Abroad.’ Last month, the Cyberspace Administration of China (CAC) provided its long-awaited answer by issuing its final version of the measures of the standard contract for cross-border transfer of personal information (Final Measures), along with a standard contractual clauses equivalent (PIPL SCCs). Similar to the EU SCCs or UK international data transfer agreement (IDTA), the PIPL SCCs allow companies to freely import and export data from China. Here is what companies should know about this new Chinese transfer mechanism:
How Do the PIPL SCCs Work?
- Applicability: In line with the PIPL’s Article 38, the CAC issued guidance regulating the transfer of data. According to the CAC, organizations are allowed to adopt the SCCs for transferring data from China abroad if all four of the conditions below are satisfied:
  - The data exporter is not a critical information infrastructure operator (CIIO), which is broadly defined to cover business entities in the financial, energy, telecom, public utility, health care, transportation, e-government, and other sectors that bear on the national security and public interest of China;
  - The data exporter has not processed the personal data of more than 1 million individuals;
  - The data exporter has not made aggregated transfers of the personal data of more than 100,000 individuals since January 1 of the preceding year; and
  - The data exporter has not made aggregated transfers of the sensitive personal data (e.g., biometrics, information concerning religious beliefs or specific identities, medical health, financial accounts, and the personal information of minors under the age of 14) of more than 10,000 individuals since January 1 of the preceding year.
- Impact Assessment: Like the EU SCCs and IDTA, the PIPL model contract requires the exporting party to conduct a personal information protection impact assessment (PIPIA) before executing the PIPL SCCs. The PIPIA report is expected to address issues that could impact the security of personal information transferred abroad. Specifically, the PIPIA is expected to address: (i) the legality, legitimacy, and necessity of the purpose, scope, and method of processing personal information by the data controller and the overseas recipient; (ii) the volume, scope, category, and sensitivity of personal information to be transferred outbound; (iii) the risks to the data subjects’ rights and interests; and (iv) the effect of personal information protection policies and regulations in the country of origin in which the overseas recipient is located.
- Modules: As we previously reported, the PIPL SCCs do not use a modular approach like the EU SCCs. This is a positive for exporting parties because the PIPL SCCs will function as a universal template, regardless of the role and function of the parties.
- Modification: Similar to most standard contractual clauses, modification to the clauses is prohibited. However, additional language not covered in the model contract may be added so long as such terms do not conflict with the PIPL SCCs. The PIPL SCCs featured on the CAC’s website are only available in Mandarin. The PIPL SCCs do not discuss translation, but this is something we anticipate the Administration will consider within the next few months. Translating the SCCs will be an important modification/addition for U.S. entities.
- Governing Law: The laws of China govern the PIPL SCCs. This limited scope of governing law drastically differs from the EU SCCs, which give the parties the option to contract which EU member state’s laws will govern the SCCs.
- Filing SCCs and Impact Assessment with CAC: The CAC requires entities to submit their executed PIPL SCCs and impact assessment within 10 working days of effectiveness.
- Private Right of Action: Consistent with the PIPL’s Article 50, the SCCs permit Chinese data subjects to file a lawsuit against the exporting parties for failing to implement the PIPL SCCs. Exporting parties will be jointly and severally liable for any harm or damages to the individual data subjects caused by the breach of the PIPL SCCs. Because of this private right of action, indemnification provisions in data processing agreements will be especially important for entities importing or exporting data from China.
- Adequacy Decision: To our knowledge, the CAC has issued no adequacy decision that would eliminate the need to execute the PIPL SCCs. To be safe, all companies outside of China, regardless of where these companies are located, should execute the PIPL SCCs.
- Effective Date: The Final Measures take effect on June 1, 2023.
Grace Period
As stated above, companies doing business in China will have just a few short months to get up to speed on the Final Measures. Fortunately, the Final Measures offer a six-month grace period following the effective date, meaning the grace period will end on November 30, 2023.
What’s Next?
Assuming the personal information of individuals in China is being processed, companies should identify whether they need to execute the PIPL SCCs. Next, companies should work with counsel to update their existing data processing agreements, conduct a PIPIA (and other relevant transfer assessments), and work on incorporating the PIPL SCCs into their data processing agreement templates. Taft’s privacy and data security attorneys will continue to monitor updates related to the PIPL SCCs and work on translating these clauses. In the meantime, we can assist with questions related to the PIPL SCCs or any other data transfer mechanism. Stay tuned to Taft Privacy and Data Security Insights or download our app for more news and information.