Contact

PIPL: Proposed China SCCs for Cross Border Transfers

Published
05 Aug 2022
Read time
4 min read
Category
Asia, Law
Banner with the Chinese flag where the red background includes data processing. There's a text overlay that says China's PIPL

On 30 June 2022, the Cyberspace Administration of China (CAC) released a template agreement for cross-border data transfers under China’s Personal Information Protection Law (PIPL). There was a consultation period of one month, which ended on 29 July 2022. While it remains to be seen whether the proposed Standard Contractual Clauses (proposed China SCCs) for Cross-Border Transfers in China will be adopted, we took the time to unearth the key elements of the proposed China SCCs:  

Proposed China SCCs: What Australian Organisations Need to Know 

Cross-border transfers are covered by Chapter 3 of China’s PIPL. Article 38 requires that personal information processors must meet certain conditions before transferring personal information out of China. The proposed China SCCs form one of these conditions permitting cross-border transfers. 

As a result, the release of the proposed China SCCs has been long-awaited.  

Who Can Use the Proposed China SCCs 

Organisations must meet four criteria to use the proposed China SCCs: 

  • The personal information handler (“PI Handler”) cannot be a critical information infrastructure operator. 
  • The PI Handler must not process personal information belonging to over one million individuals. 
  • The PI Handler must not have transferred the personal information of more than 100,000 individuals since January 1 of the previous year.  
  • The PI Handler must not have transferred sensitive information of 10,000 individuals since January 1 of the previous year. 

Key Provisions of the Proposed China SCCs 

Certain Details Must Be Included In The Agreements

Certain details must be included in data transfer agreements, including:  

  • Information about the organisation and overseas recipient, including the name and address of the organisations and contact details of the contact person, including their name.  
  • The purpose, scope, type/sensitivity, volume, method, retention period and storage location of the personal information being transferred.  
  • The responsibilities of the organisation and overseas recipient.  
  • Technical and management security measures.  
  • An outline of the impacts of the data privacy laws in the destination location on the SCCs.  
  • Data subjects’ rights.  
  • Remedy, rescission of contract, liability, and dispute resolution. 

Personal Information Impact Assessments Required Concept illustration showing data transfers around the globe

The draft China SCCs include a provision that requires covered organisations to undertake a Personal Information Impact Assessment (PIIA) under Article 55 of the PIPL before transferring personal information out of China.  

The PIIA must consider (amongst other things): 

  • The legitimacy, justifiability, and necessity of the data transfer.  
  • The quantity, scope, and type of personal information being transferred.  
  • The risk of unauthorised disclosure if the personal information is transferred.  
  • The impact of data protection laws in the jurisdiction the personal information is being transferred to.  

Proposed China SCCs Filing Requirements 

The proposed China SCCs require that any organisation that adopts the SCCs must file its use of the template agreement with the CAC within ten working days of the effective date of the agreement.  

The agreement must also be updated and re-filed if certain elements change, including the purpose, scope, authority, volume, type of data, or duration or location of storage.  

Mandatory Data Breach Notifications 

The proposed China SCCs require data processors to notify the CAC where a data breach occurs, regardless of the level of risk.  

Onward Transfers Restricted 

The proposed China SCCs prohibit the onwards transfer of data to third-party organisations outside of China unless:  

  • There is an actual business need;  
  • The data subject is informed, and separate consent is obtained;  
  • The overseas recipient has a contract with the third party which requires the third party to provide equivalent protections and be jointly liable; and  
  • A copy of the agreement is provided to the Data Handler.  

Steps for Australian Organisations to Comply With The Proposed China SCCs

Australian organisations looking to collect and transfer the personal information of Chinese data subjects must now work to determine:  

  1. Whether the PIPL applies to them and,  
  2. If so, which data transfer mechanisms are available. 

If the proposed China SCCs are an option, they likely represent the simplest mechanism for data transfers. In this case, Australian organisations should start to take steps to implement the finalised SCCs in due course.  

Additional Resources on China’s PIPL 

PIPL Compliance with Privacy 108 

If you need assistance navigating privacy compliance and the PIPL, reach out. Our privacy lawyers would love to help.  

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.