Similarities And Divergences - Comparison Between CN SCCs And GDPR SCCs


My previous article, A Glimpse of the Regulatory Mechanism for the China SCCs, provided a high-level summary of the regulatory mechanism for relying on the CN SCCs to transfer personal information out of China. It introduced the applicable scope, conditions precedent and the filing requirements of the regulatory mechanism. From that article, you may have a general understanding that the CN SCCs has its origin in the GDPR SCCs. In this article, Estella and I will take a deep dive into the CN SCCs to share with you some more details about the relationship between CN SCCs and GDPR SCCs. However, due to our limited knowledge of GDPR SCCs practice, our comments about GDPR SCCs may not be accurate in all aspects. If you find places where our understanding can be improved, you are welcome to contact us about it. Thank you!

The modernized SCCs under the GDPR can be used as one of the appropriate safeguards, in the absence of an adequacy decision, for a data controller or processor to transfer personal data to a third country or an international organisation outside the EEA.

Since CN SCCs has its origin in the GDPR SCCs, it is natural to wonder what the similarities and the differences are between the China SCCs and the GDPR SCCs. Specifically, to what extent does the latter influence the former, and what is the proper logic for the two sets of SCCs to coexist across different regulatory and legal systems?

From a comparative law perspective, we are addressing those questions in this article for organizations that conduct businesses processing personal data in both jurisdictions.

The Similarities

The similarities between those two SCCs include:

  • Data subjects are entitled to rights as third-party beneficiaries and can make a claim against both the data exporter and the foreign data recipient.
  • Both the data transferors and foreign data recipients should assume joint and several liability to the data subjects.
  • Both jurisdictions require the data exporter and data importer to exercise reasonable care to assess the impact of local laws on the performance of the SCCs, and impose notification obligations on the data importer in case of access by local public authorities.

The Divergences

Although similar words are used in both SCCs, there are major differences in the basic legal concepts, the legal requirements and the regulatory practice behind those words.

  • The Structure of the SCCs.

GDPR SCCs has four modules (i.e., C-C, C-P, P-C, P-P) that are based upon the obligations and rights of data transferors or data importers under the GDPR in transferring personal data to countries outside of the EEA. This allows the parties to tailor their rights and obligations more accurately by choosing the proper module based upon their specific roles in the underlying outbound transfer of personal data.

China SCCs imposes a universal set of rights and obligations on the parties, regardless of the different roles the parties may take in different scenarios of the outbound data transfer. This may impose a higher standard of obligations on the parties. Behind such an approach is the defensive attitude and the security concern the CAC has towards outbound transfers of personal information.

  • Separate Consent

CN SCCs incorporates the obligation under the PIPL to secure separate or written consent for cross-border transfers of personal information, although CN SCCs does exempt the requirement for separate consent where the personal information exporter can rely on other statutory legal grounds for the outbound transfer.

Although GDPR SCCs does not use the term "separate consent", the GDPR has a similar concept, "explicit consent", which can be used as a mechanism for cross-border transfers of personal data. In the absence of an adequacy decision, SCCs, or BCRs, according to Article 49 of the GDPR, data exporters may rely on derogations, which include explicit consent from data subjects who have been informed of the possible risks of the transfers and appropriate safeguards.

  • Administration and Control
  • The application of China SCCs: Voluntary or not?

Generally speaking, freedom of contract means that the parties have the ability to bargain and create the terms of their agreements as they desire. However, both China SCCs and GDPR SCCs are standardised clauses that are pre-approved by the relevant authorities, and the parties are not allowed to execute other clauses that contradict the SCCs.

Under the GDPR, there is no legal obligation for a data controller or processor to use SCCs. As explained in the official Q&A of the latest GDPR SCCs, the clauses can be used on a voluntary basis to demonstrate compliance with data protection requirements.

However, the CN SCCs does not equally give all personal information processors the right to "opt-in". If the personal information processor has triggered the thresholds for a government-led security assessment, the CN SCCs cannot be used as an alternative legitimacy mechanism for its personal information outbound transfers.

  • Filing obligations with Chinese characteristics

As required by the CN SCCs Rules, a filing of the SCCs and the PIPIA report must be made to the provincial office of the CAC. The purpose and basis of this filing requirement is unclear. Article 38 of the PIPL does not require "filing for record of the executed SCCs" as a necessary legitimate condition for the outbound transfer of personal information.

In contrast, there is no similar filing requirement under the GDPR for the executed SCCs.

  • DPIA v. PIPIA – PIPIA is a necessary step before signing the China SCCs

Article 35 of the GDPR provides for Data Protection Impact Assessments (DPIA). According to Article 35, the transfer of personal data abroad does not by itself necessarily trigger the assessment obligation under the GDPR; the obligation instead depends on the nature, risks, etc. of that processing activity.

Although the PIPIA is a similar concept to the DPIA, the PIPL takes a very different approach: the PIPIA becomes a mandatory legal requirement for the transmission of personal information abroad.

Article 55 of the PIPL provides that transmitting personal information abroad by itself triggers the need for a PIPIA. In an extreme example, a personal information processor needs to run a PIPIA even if it will merely transfer a single piece of non-sensitive personal information abroad.

CN SCCs bears more administrative color from the government. It reflects not only respect for the control data subjects should have over their personal data, but also the government's safeguarding and supervision of its data resources for security and competitive advantage.

To conclude this article, we share for your reference in Appendix I a more detailed comparison between China SCCs and GDPR SCCs. If you are interested in knowing more about our view and advice on CN SCCs and its related regulation and enforcement policies, you are welcome to contact us!

Appendix I – Comparison between the CN SCCs and the GDPR SCCs

I. Comparison on Application Scope and Structure

1. Scope of Application

CN SCCs: A narrower application scope

When meeting all of the following circumstances, a personal information processor can rely on adoption of the CN SCC mechanism to compliantly transfer personal information out of China without going through any third-party certification or governmental assessment process:

  • The personal information processor is not a CIIO;
  • As of the date of the SCC, the personal information processor processes less than 1 million data subjects' personal information on a cumulative basis;
  • It processes on a cumulative basis less than 100K data subjects' personal information from January 1 of the last year till the date of the SCC; and
  • It processes on a cumulative basis less than 10K data subjects' sensitive personal information from January 1 of last year till the date of the SCC.

(Article 4 of the Rules for the Standard Contracts for Outbound Transfer of Personal Information, the "CN SCC Rules")

GDPR SCCs: Applied on a voluntary basis

Pursuant to Article 46(1) of Regulation (EU) 2016/679, in the absence of an adequacy decision by the Commission pursuant to Article 45(3), a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. Such safeguards may be provided for by standard data protection clauses adopted by the Commission pursuant to Article 46(2)(c).

The role of standard contractual clauses is limited to ensuring appropriate data protection safeguards for international data transfers.

(Article 1 of the Decision of 4.6.2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, "the SCCs Decision")

2. Structure of the SCCs

CN SCCs: An all-in-one Structure

Article 1 Definitions
Article 2 Obligations of the Personal Information Handler
Article 3 Obligations of the Foreign Recipient
Article 4 The Impact of Personal Information Protection Policies and Regulations in the Foreign Recipient's Country or Region on the Performance of this Contract
Article 5 Rights of the Personal Information Subject
Article 6 Remedies
Article 7 Termination of the Contract
Article 8 Liability for Breach of the Contract
Article 9 Miscellaneous
Appendix

GDPR SCCs: Each Clause contains provisions intended to cover different cross-border modules

SECTION I
Clause 1 Purpose and scope
Clause 2 Effect and invariability of the Clauses
Clause 3 Third-party beneficiaries
Clause 4 Interpretation
Clause 5 Hierarchy
Clause 6 Description of the transfer(s)

SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8 Data protection safeguards
Clause 9 Use of sub-processors
Clause 10 Data subject rights
Clause 11 Redress
Clause 12 Liability
Clause 13 Supervision

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14 Local laws and practices affecting compliance with the Clauses
Clause 15 Obligations of the data importer in case of access by public authorities

SECTION IV – FINAL PROVISIONS
Clause 16 Non-compliance with the Clauses and termination
Clause 17 Governing law
Clause 18 Choice of forum and jurisdiction

Appendix

II. Procedures for contract

3. Pre-contract: Prior self-assessment

CN SCCs: A must-have

Conducting a PIPIA before transferring personal information abroad is necessary.

GDPR SCCs: Exporting data by itself is not a condition triggering the DPIA.

For certain high-risk processing activities, regardless of whether a cross-border transfer is involved, a DPIA must be carried out.

Both: Before the outbound data transfer, both parties should assess the impact of data laws and policies in the foreign recipient's country or region on the performance of the SCCs.

Relevant requirements and considerations in this Part of the China SCCs and GDPR SCCs are generally similar.

4. Post-contract: Filing obligation

CN SCCs: There is a filing obligation on the personal information processor.

They are required to file the signed SCC and the PIPIA report with the provincial CACs within ten days from the effective date of the SCCs.

GDPR SCCs: No filing obligation.

III. Main requirements under the SCCs

5. Obligations of the Personal Information Handler/Data exporter

CN SCCs: Align with the PIPL

GDPR SCCs: Align with the GDPR.

However, the GDPR SCCs explicitly clarify different obligations that may apply under the different modules due to the different roles of data exporter and importer.

6. Obligations of the Foreign Recipient/Data importer

7. Onward transfer

CN SCCs: See Article 3.8

The foreign data recipient is required to enter into a written agreement with the third party to ensure that the third party's personal information processing activities comply with the personal information protection standards set forth in the PRC relevant laws and regulations, and to assume legal responsibility for any violation of the rights of the personal information subject.

This is a much higher standard than GDPR SCCs.

GDPR SCCs: Under different modules, different lawful bases can apply to an onward transfer.

For example, under the C-C module, an onward transfer by the data importer may take place if:

  • it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
  • it is necessary in order to protect the vital interests of the data subject or of another natural person;
  • and others.

8. Data Subject Rights

CN SCCs: Data Subjects as the third-party beneficiary

Generally aligned with the GDPR SCCs.

GDPR SCCs: Data Subjects as the third-party beneficiary

9. Local laws & obligations in case of access by public authorities

CN SCCs: Generally aligned with the GDPR SCCs.

GDPR SCCs: Both Parties are required to conduct a prior assessment on the impact of local laws and practices on the performance of the SCCs.

The foreign data recipient should notify the processor when there is access by public authorities to personal information transferred.

(See SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES)

10. Supervision of competent regulators

CN SCCs: The foreign data recipient must accept supervision by the competent CN supervisory authority.

Generally aligned with the GDPR SCCs.

GDPR SCCs: The data importer must accept supervision by the competent EU supervisory authority.

11. Governing Law and Jurisdiction

CN SCCs: China SCCs are governed solely by the laws and regulations of the PRC.

Parties to Chinese SCCs may choose to litigate in Chinese courts or to submit disputes to Chinese arbitration or to international arbitration under the 1958 New York Convention.

GDPR SCCs: There are different requirements for different modules. For example, a C-C module allows both parties to choose the governing law of any EU member state, while a P-P module allows only the governing law of the EU member state where the data exporter is established to be chosen.

Due to the fundamental differences in their judicial and regulatory systems, overall, GDPR SCCs are more flexible than CN SCCs.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
