As highlighted in our earlier articles, the introduction of the Measures for the Standard Contract for Outbound Transfer of Personal Information (Measures), effective from June 1, 2023, underscores the emphasis on data export control in China. The Measures provide explicit requirements and standard contract clauses (SCC) for transferring personal information out of the People’s Republic of China (for the purpose of this article, the PRC, excluding Hong Kong, Macau, and Taiwan) by way of signing the SCC.
Multinational corporations are likely familiar with the SCC under the General Data Protection Regulation (GDPR). This alert outlines the key similarities and distinctions between the GDPR SCC and the Personal Information Protection Law (PIPL) SCC in the PRC for ease of understanding.
1. Similarities
(1) Third-party beneficiary approach
The data subjects under both the GDPR SCC and the PIPL SCC are regarded as third-party beneficiaries, and remedies are available to them.
(2) Priority and implementation of SCCs
Both the GDPR SCC and the PIPL SCC provide that where there is any conflict between the SCC and the agreement between the parties, the SCC (the GDPR SCC or the PIPL SCC, as applicable) shall prevail. As with the GDPR SCC, the text of the PIPL SCC cannot be modified, except for the addition of supplementary clauses that do not conflict with the SCC.
(3) Impact assessment
Both the GDPR and the PIPL require an impact assessment before an outbound transfer of personal information.
The PIPL SCC requires that every data exporter carry out a personal information impact assessment covering the following items:
(i) The legality, legitimacy and necessity of the purpose, scope and method of processing the personal information
(ii) The scale, scope, type and sensitivity of the personal information to be transferred overseas, and the risks that the transfer may pose to that personal information
(iii) The obligations that the foreign recipient promises to undertake, and whether its organizational and technical measures and its capability to perform those responsibilities and obligations can guarantee the security of the exported personal information
(iv) The risk of the personal information being tampered with, destroyed, leaked, lost or illegally used after the transfer, and whether individuals have channels through which they can smoothly exercise their rights and interests in the personal information
(v) The impact of the local policies, laws and regulations in the foreign recipient’s jurisdiction on the performance of the standard contract
(vi) Other matters that may affect the security of outbound transfer of personal information
2. Distinctions
(1) Governing law and dispute resolution
In terms of governing law, the GDPR SCC allows the parties to agree on the governing law by choosing among the options provided for the relevant modules. The PIPL SCC stipulates that the governing law must be Chinese law.
In terms of dispute resolution, under the GDPR SCC any dispute arising from the SCC must be resolved by the courts of an EU member state. Under the PIPL SCC, the parties may file a lawsuit at a competent Chinese court, or submit the dispute for arbitration to one of the listed arbitration institutions in the PRC or to any arbitration institution in a country that is a party to the Convention on the Recognition and Enforcement of Foreign Arbitral Awards.
(2) Restrictions on exporting personal information
Under the PIPL, personal information may only be transferred outside the PRC when necessary, and the transfer must go through one of the following three approaches:
(i) a security assessment organized by the Cyberspace Administration of China (CAC),
(ii) security certification by an agency appointed by the CAC, or
(iii) a standard contract executed by the data processor and the overseas recipient.
The most common approach for foreign-invested enterprises in the PRC is the third, executing the standard contract. Unlike under the GDPR, a personal information processor exporting personal information under the SCC must satisfy all of the following conditions:
(i) Not a critical information infrastructure operator;
(ii) Processes the personal information of fewer than 1 million individuals;
(iii) Has exported the personal information of fewer than 100,000 individuals since 1 January of the immediately preceding calendar year; and
(iv) Has exported the sensitive personal information of fewer than 10,000 individuals since 1 January of the immediately preceding calendar year.
(3) Modules for different scenarios
The GDPR SCC provides four modules to deal with the different transfer scenarios between and among controllers and processors, whereas the PIPL SCC sets out a single set of obligations between the personal information processor in the PRC and the foreign recipient. One should note that the role of “personal information processor” under the PIPL is similar to the concept of “data controller” under the GDPR, while the “data processor” under the GDPR is referred to as the “entrusted party” or “co-processor” under the PIPL, as the case may be.
Should you require further insights into the PIPL SCC or have further queries concerning its application and statutory filing, please do not hesitate to contact us.