    Amit, Pollak, Matalon & Co.

    APM House, 18 Raoul Wallenberg St.,
    Building D, 6th floor, Ramat Hachayal,
    Tel Aviv, 6971915, Israel

    101 Hebron Road
    Beit Hanatziv, Building B, 3rd Floor
    Jerusalem

    Contact

    T. +972-3-5689000
    F. +972-3-5689001
    E. apm@apm.law
    facebook linkedin

    Media Center / Legal Updates

    CHINA: A NEW DRAFT OF SCCs FOR CROSS-BORDER TRANSFER OF PERSONAL INFORMATION

    July 4, 2022

    On June 20, 2022, the Cyberspace Administration of China (“CAC”) issued the draft provisions of the Standard Contractual Clauses (“SCC”), which will govern and set out the legal framework for the cross-border transfer of personal information (the “SCC Draft”). The SCC Draft is influenced by the European General Data Protection Regulation (“GDPR”) and clarifies how entities should lawfully secure transfers of personal information outside China.

    Until now, any transfer of personal information out of China has been subject to government authorization and a security assessment (e.g., the results of clinical trials required a grant of government permission, SaaS solutions with hosting servers outside China required government confirmation, etc.). Thus, enabling a contractual safeguard as an option for transferring personal information might be helpful for many businesses.

    Article 38 of the new Personal Information Protection Law of the People’s Republic of China (“PIPL”) sets out three mechanisms to ensure a lawful transfer of personal information outside of China: (i) successful completion of a security assessment conducted by the government; (ii) obtaining certification under an authorized governmental certification scheme; or (iii) implementing a standard contract with the third party based outside of China that receives the data. In an explanatory note, the CAC states that parties relying on the SCC may negotiate additional terms and attach them as an additional annex to the contract. However, it is unclear whether the SCC template may be revised or will need to be signed “as is.”

    Companies must meet all of the following requirements; otherwise, the SCC cannot be used (if these requirements are not met, the CAC’s security assessment must be conducted):

    • The company is not a critical information infrastructure operator (“CIIO”). Critical information infrastructure (“CII”) is defined as infrastructure whose destruction, loss of function, or data leakage could seriously harm state security, the national economy, people’s livelihood, or the public interest. CIIOs are required to undergo security assessments for cross-border transfers of personal information and important data (i.e., personal information and important data collected or generated during operations within the territory of China shall be stored locally, subject to Article 37 of the Cybersecurity Law of the People’s Republic of China (“CSL”)). As such, we recommend that data processors identified by the relevant authorities as CIIOs apply for a security assessment before providing personal information and important data abroad, rather than relying on the SCC.
    • No more than one million individuals’ personal information is processed;
    • The company has transferred the personal information of no more than 100,000 individuals since January 1 of the previous year (i.e., potentially up to two years); and
    • The company has transferred sensitive personal information of fewer than 10,000 individuals since January 1 of the previous year (i.e., potentially up to two years). Note that the definition used to evaluate the sensitivity and importance of the data is not the familiar definition found in the GDPR but rather “its importance in economic and social development,” and the Data Security Law of the People’s Republic of China (“DSL”) defines it as “harm that may be caused to national security, public interests or the legitimate rights or interests of individuals or organizations in the event of data tampering, damage, leakage, illegal acquisition or illegal use.”

    The key factors for determining whether a transfer triggers a security assessment of cross-border data transfer or whether the transfer can be subject to the SCC are as follows:

    • Is the data processor a “special entity,” such as a CIIO or a processor that processes the personal information of more than a million people?
    • Does the transferred data include “sensitive” or “important data” in an amount exceeding the thresholds above?
    • Does the transfer fall under other circumstances specified by the national cyberspace authority?

    If the data transfer does not satisfy any of the above conditions, the entity cannot rely on the SCC. Instead, a CAC-conducted security assessment must be carried out for the overseas data transfer.

    It should be noted that, concerning conditions 2 and 3 above, the PIPL defines “processing of personal information” in a manner that includes “storage” and “cross-border provision.” Given that most entities have their own user base and engage in cross-border activities, this might trigger a security assessment, and many entities will not be able to rely on the Chinese SCC Draft.

    Furthermore, similar to the four annexes attached to the European Standard Contractual Clauses under the GDPR, according to the SCC Draft, the Chinese SCC must include the following provisions:

    • Information on the entity and the overseas recipient (names, addresses, names and contact information of contact persons, etc.);
    • The purpose, scope, type, sensitivity, quantity, method, retention period, and place of storage of the personal information;
    • The responsibilities and obligations of the entity and overseas recipient, as well as technical and managerial security measures;
    • The impacts of the data privacy laws and regulations of the destination country on the SCC;
    • Data subjects’ rights and how to exercise such rights; and
    • Remedy, rescission of a contract, liability, dispute resolution, etc.

    Within 10 days after the SCC becomes effective, the entity is required to submit a filing to the CAC containing the following: (i) the executed SCC; and (ii) a report on the personal information protection impact assessment conducted concerning the transfer, which is required to be carried out before transferring personal information overseas. The requirement is similar to the transfer impact assessment (“TIA”) requirement under the GDPR.

    The European SCC do not need to be filed with the Commissioner (as opposed to other binding rules under Chapter V of the GDPR). However, the Chinese SCC will need to be filed with the CAC, and a new SCC shall be signed and filed with the CAC if any of the following changes occur:

    • Change of data processing activities (e.g., change of purpose, scope, type, sensitivity, quantity, method, retention period and place of storage, method of overseas recipients to process personal information, or extension of retention period);
    • Changes to the data privacy laws and regulations of the recipient’s jurisdiction that may impact the rights and interests of individuals; or
    • Other circumstances that may affect the rights and interests of individuals.

    The CAC has significant authority to suspend an entity’s personal information transfers in cases of non-compliance with the law, which constitutes a stronger incentive for compliance than the traditional risk assessment of potential fines imposed by the competent authority.

    This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.

    Please let us know if you have any further questions,

    APM Technology and Regulation Team.