PIPL: Proposed China SCCs for Cross Border Transfers
On 30 June 2022, the Cyberspace Administration of China (CAC) released a template agreement for cross-border data transfers under China’s Personal Information Protection Law (PIPL). There was a consultation period of one month, which ended on 29 July 2022. While it remains to be seen whether the proposed Standard Contractual Clauses (proposed China SCCs) for Cross-Border Transfers in China will be adopted, we took the time to unearth the key elements of the proposed China SCCs:
Proposed China SCCs: What Australian Organisations Need to Know
Cross-border transfers are covered by Chapter 3 of China’s PIPL. Article 38 requires personal information processors to meet certain conditions before transferring personal information out of China. The proposed China SCCs form one of these conditions permitting cross-border transfers.
As a result, the release of the proposed China SCCs has been long-awaited.
Who Can Use the Proposed China SCCs
Organisations must meet four criteria to use the proposed China SCCs:
- The personal information handler (“PI Handler”) cannot be a critical information infrastructure operator.
- The PI Handler must not process personal information belonging to over one million individuals.
- The PI Handler must not have transferred the personal information of more than 100,000 individuals since January 1 of the previous year.
- The PI Handler must not have transferred sensitive information of 10,000 individuals since January 1 of the previous year.
Key Provisions of the Proposed China SCCs
Certain Details Must Be Included In The Agreements
Certain details must be included in data transfer agreements, including:
- Information about the organisation and overseas recipient, including the name and address of each organisation and the name and contact details of the contact person.
- The purpose, scope, type/sensitivity, volume, method, retention period and storage location of the personal information being transferred.
- The responsibilities of the organisation and overseas recipient.
- Technical and management security measures.
- An outline of the impacts of the data privacy laws in the destination location on the SCCs.
- Data subjects’ rights.
- Remedy, rescission of contract, liability, and dispute resolution.
Personal Information Impact Assessments Required
The draft China SCCs include a provision that requires covered organisations to undertake a Personal Information Impact Assessment (PIIA) under Article 55 of the PIPL before transferring personal information out of China.
The PIIA must consider (amongst other things):
- The legitimacy, justifiability, and necessity of the data transfer.
- The quantity, scope, and type of personal information being transferred.
- The risk of unauthorised disclosure if the personal information is transferred.
- The impact of data protection laws in the jurisdiction the personal information is being transferred to.
Proposed China SCCs Filing Requirements
The proposed China SCCs require any organisation that adopts the SCCs to file its use of the template agreement with the CAC within ten working days of the effective date of the agreement.
The agreement must also be updated and re-filed if certain elements change, including the purpose, scope, authority, volume, type of data, or duration or location of storage.
Mandatory Data Breach Notifications
The proposed China SCCs require data processors to notify the CAC where a data breach occurs, regardless of the level of risk.
Onward Transfers Restricted
The proposed China SCCs prohibit the onward transfer of data to third-party organisations outside of China unless:
- There is an actual business need;
- The data subject is informed, and separate consent is obtained;
- The overseas recipient has a contract with the third party which requires the third party to provide equivalent protections and be jointly liable; and
- A copy of the agreement is provided to the Data Handler.
Steps for Australian Organisations to Comply With The Proposed China SCCs
Australian organisations looking to collect and transfer the personal information of Chinese data subjects must now work to determine:
- Whether the PIPL applies to them; and
- If so, which data transfer mechanisms are available.
If the proposed China SCCs are an option, they likely represent the simplest mechanism for data transfers. In this case, Australian organisations should start to take steps to implement the finalised SCCs in due course.
Additional Resources on China’s PIPL
- China’s New Data Security Law (DSL): Another piece in a complex puzzle
- China’s New Personal Information Protection Law: Yet another piece in a complex puzzle
- China’s PIPL: A guide to what’s covered
PIPL Compliance with Privacy 108
If you need assistance navigating privacy compliance and the PIPL, reach out. Our privacy lawyers would love to help.