China issues SCCs guidance for cross-border transfers of personal information

Hogan Lovells (co-author: Tong Zhu)

On 30 May 2023, the Cyberspace Administration of China (the “CAC”) published guidance for the use of the Standard Contractual Clauses applicable to international transfers of personal information from mainland China (the “SCCs” and the “SCCs Guidance”).


Background to the SCCs Guidance

As discussed in more detail in our separate briefing (available here), international transfers of data from mainland China triggering any of the following are subject to a security assessment by the CAC:

  1. the data exporter is an operator of critical information infrastructure;
  2. the data exporter processes the personal information of more than one million data subjects;
  3. the data exporter exports important data; or
  4. the data exporter has, since 1 January of the preceding year, cumulatively transferred: (i) the personal information of more than one hundred thousand individuals; or (ii) the sensitive personal information of more than ten thousand individuals.

Data exporters who are not required to complete a security assessment with the CAC as stated above must either obtain third party certification by a professional institution authorized for this purpose or, from 1 June 2023, implement and file the SCCs to cover the transfer.

The SCCs Guidance confirms that offshore access to personal information hosted in mainland China is considered an international transfer.


The SCCs

The SCCs impose obligations on both data exporters and data importers in their handling of international transfers of personal information, with the objective of ensuring that the data will be handled in accordance with the Personal Information Protection Law (the “PIPL”). 

The SCCs are required to be used verbatim, leaving some scope for the data exporter and offshore recipient to append non-standard terms, provided those terms do not conflict with the prescribed terms of the SCCs.  The data exporter must file the SCCs with the local provincial CAC within ten business days of the SCCs becoming effective, together with a personal information protection impact assessment (“PIPIA”) report.


The PIPIA Report

The scope of the PIPIA outlined in the SCCs Guidance is similar to the CAC security assessment. In this respect, the guidance raises concerns that the SCCs process will not actually provide organizations with an easier pathway to compliance than the CAC’s security assessment process.  The CAC security assessment process has struggled with low submission rates due to the large volumes of information being requested and the sensitivity of disclosures being sought by the CAC.  As the SCC route to compliance applies to smaller volumes of personal information, expectations have been that it would involve a lighter regulatory burden than the CAC security assessment. Unfortunately, the SCCs Guidance replicates much of the same information requirements in the template PIPIA report, which must accompany the SCCs filing.

The PIPIA report is required to be filed with the provincial CAC at the same time as the filing of the SCCs.


The SCCs Filing Process

The provincial CAC officials are required to conduct their review of each filing within fifteen working days, with the outcome being either a “pass” or a “fail.” If a failing grade is awarded, the data exporter will be notified of reasons for the failure and be asked to provide supplementary materials within ten working days. It is not clear what happens to SCCs that have been implemented but which fail the PIPIA report filing.

The short timeframe for review suggests that the provincial CAC’s review is meant to be “light touch”, but given that procedural timeframes under the CAC security assessment process have been regularly exceeded in practice, it is difficult to draw any conclusions from the timescales alone, particularly when the substantive requirements of the PIPIA report are taken into account. 


The PIPIA Report Requirements

The PIPIA report is expected to cover the following:


Brief Description of the PIPIA

The PIPIA report should provide details of the work done to prepare the PIPIA, including when it was commenced and completed, how it was completed and details of any third party institution involved in its preparation; the PIPIA template notes that any such institution must affix its official seal to the PIPIA report.


Description of the International Transfer

This section has a number of sub-sections, including:

Basic information about the Data Exporter

This section must include details of the data exporter’s shareholding structure, organizational structure, information about its subsidiaries and a general description of its business.

Information about the Data Exporter’s Business

This section includes a description of the business to which the transfer relates, how the personal information is used in that business, the data centers where the data exporter stores the data and the networks used to transfer the data.

Information about the Data Transfer

This section is required to include a description of the purpose, scope and manner of processing of the data by the data exporter and the data importer, the lawful basis for processing and the necessity of the transfer, a description of the personal information itself and its sensitivity, the specific mechanism of transfer and any onward transfers that will be made by the data importer.

Information about the Parties’ Ability to Protect the Personal Information

This section should provide details of the parties’ information security management and governance, incident response capability and the technical security measures being applied to the data throughout the lifecycle of collection, storage, use and destruction.

Proof of effectiveness of personal information protection measures, such as certifications, audit programs and security assessments should be referenced.

The PIPIA report should also address how compliance with laws and regulations will be achieved in respect of the transfer.

Information about the Data Importer

This section should set out basic information about the Data Importer, including corporate information about the importer, the processing by the data importer, its ability to protect the data, the laws and regulations concerning data protection in the destination jurisdiction and a description of the process of personal information handling.


Risk Assessment and Conclusions

The PIPIA report should include an itemized impact assessment focusing on risks identified and corrective measures taken to reach a justified conclusion on the security of the transfer. 

The language here in the SCCs Guidance is very similar to the official guidance for the CAC security assessment, raising questions as to whether or not the SCCs process will actually be any easier to complete than the CAC security assessment, notwithstanding the lower volumes of personal information involved.  As has been the case with the security assessment, we expect organizations making SCCs filings to have concerns as to how detailed the risk assessment will need to be and how high the bar will be for establishing the sufficiency of risk mitigants.

The scope of risk assessment is very broad, taking into account the sensitivity of the personal information being transferred, its purpose of processing and manner of handling, the necessity of the transfer, the information security capabilities of the offshore recipient and the laws and regulations applicable to the protection of the personal information in the destination jurisdiction.


The Need for Refiling

If any of the following circumstances arise, the data exporter is required to prepare a new PIPIA report and submit a supplementary filing of the SCCs:

  1. any change to the purpose, scope or means of processing of the personal information, or the type or sensitivity of the personal information or any extension of the retention period;
  2. any change to the personal information protection laws of the jurisdiction where the data importer processes the personal information; or
  3. any other circumstances potentially having an impact on the interests of the subjects of the personal information.

Local CAC Response to the SCCs Guidance

On June 2, 2023, the Beijing CAC issued a local version of the SCCs Guidance (“Beijing SCCs Guidance”). The Shanghai CAC followed suit on June 7, 2023 and, on June 14, 2023, the Zhejiang and Shandong CACs each issued their own local versions. The local SCCs guidance follows the substance of the national level SCCs Guidance, with the focus being on providing applicants with details such as contact details for queries, the expected approach to document submissions and so forth. Notably, the Beijing SCCs Guidance specifies that the filing entity shall be a legal entity established under Chinese law, thereby excluding branches or representative offices from the scope of filing entities. The other local SCCs guidance notes are silent on this issue. The Beijing SCCs Guidance is also noteworthy for providing that an entity may make an SCCs filing on behalf of other data exporters in its corporate group. It is not clear whether the other local CACs will adopt the same approach to group applications.


Conclusions

Now that the SCCs Guidance has been issued, organizations transferring personal information from mainland China will need to assess the requirements.  We expect that, as is the case with the CAC security assessment, there is significant work to be done to align expectations as to the volume of information and the level of detail and sensitivity needed to be submitted in order to complete the filing process.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising