Chinese standard contractual clauses and their potential impact on your business
Concerns about data localisation and restrictions on cross-border data transfers remain some of the most pressing for international organisations operating in Mainland China. Linklaters Zhao Sheng explores whether data transfers are poised to get easier under imminent reforms to the domestic privacy regime.
The European Union’s (EU’s) standard contractual clauses (SCCs) have proved to be the most practical solution for multinationals conducting cross-border transfers of personal information from the EU in compliance with the bloc’s General Data Protection Regulation (GDPR). New versions of the EU SCCs came into effect on 25th June 2021 to reflect refinements needed following the Schrems-II case in the European Court of Justice in 2020.
This overhaul of the EU SCCs is timely. Mainland China’s legislature has long looked to the EU for reference in reforming its data protection regime, and the first comprehensive data privacy law for the world’s second largest economy, the Personal Information Protection Law (PIPL), is expected to be finalised in August and become effective by year-end. One of the key mechanisms for cross-border transfers of personal information in accordance with the PIPL is set to be a contract based on a standard form prepared by the Cyberspace Administration of China (CAC).
A little history
The GDPR recently celebrated its third birthday, having come into effect on 25th May 2018. However, borrowing its so-called ‘model contracts’ as a means of exporting personal information is an idea Mainland Chinese legislators have had since the GDPR’s infancy. Back in June 2019, the CAC released the draft Measures on Security Assessment of Cross-border Transfer of Personal Information, which prescribed certain obligations and other terms that must be clearly provided for in a legally-binding document signed between the onshore sender and the offshore recipient of personal information.
These requirements, which remain very similar to the key terms in the new EU SCCs, include:
- the purpose of the transfer, type and retention period of the relevant personal information;
- that the data subject be the beneficiary of the terms of the contract, including its stated rights and interests;
- the data subject’s right to claim compensation from the data sender or the recipient, or both, for a breach of those rights and interests;
- that the contract will be terminated if a change in law in the transferee country makes performance of the contract “difficult”;
- that the responsibilities of the data sender and recipient will not cease on termination of the contract unless the personal information is deleted or anonymised;
- various obligations of the data sender, such as forwarding claims from a data subject to the data recipient but remaining liable to pay compensation to the data subject where loss has been suffered; and
- various obligations of the data recipient, such as warranting compliance of the contract with local laws in the recipient’s jurisdiction.
This legislative history and comments from industry suggest that that the forthcoming Chinese SCCs will be modelled on that of the EU. Multinationals and other businesses operating in and with Mainland China will be pleased to see this direction, in anticipation of being able to leverage their EU SCCs to facilitate cross-border data transfers from the EU’s largest trading partner.
Even if this prediction on the content of the Chinese SCCs is correct, a number of important issues remain uncertain:
- Different modules: The new EU SCCs have four modules to allow transfers: from controller to controller (Module 1); from controller to processor (Module 2); from processor to sub-processor (Module 3); and from processor to controller (Module 4). However, under the draft PIPL, the concept of ‘data processor’ basically equates to that of a ‘data controller’ under the GDPR, while the most similar concept to the EU’s ‘data processor’ is an ‘entrusted party’, but its role and obligations are not as fully formed under the PIPL. As such, will drafters scrap the modular structure of EU SCCs and solely focus on the substance of Module 1?
- Processors: It follows that the Chinese SCCs might impose overly onerous obligations on an overseas data processor, such as a data centre in Europe, requiring it to sign up to terms better suited to a data controller. Will overseas data processors accept such terms where they do not themselves decide how to process the personal information being transferred?
- Chinese binding corporate rules (BCRs): The GDPR’s BCRs are another method for cross-border data transfers among group companies. BCRs require stringent regulatory review and approval, but provide a transfer mechanism trusted by individuals whose personal information is handled by the group in question. So far, Mainland China has no equivalent of the BCRs. Will this be addressed separately to provide corporate groups an alternative?
- Adequacy: The Schrems-II decision re-emphasises the question of whether the legal system of the data recipient’s jurisdiction provides adequate protection for the personal information being transferred from the EU. Will Mainland China formulate a list of countries providing “adequate protection” of personal information? Would the GDPR allow the EU to be considered sufficiently robust for “adequacy”?
- Security assessments: Under the draft PIPL, critical information infrastructure (CII) operators, and other organisations that handle personal information up to a threshold to be set by the CAC, must go through a mandatory security assessment before completing a cross-border data transfer out of Mainland China. European businesses continue to request urgent clarification on the scope of CII and this key threshold amount of personal information. Will the answers to these issues be given before the PIPL is launched?
As the promulgation of the PIPL is around the corner, the draft Chinese SCCs may be circulated for public comments soon. They should be a welcome reform for European businesses operating in China. In the meantime, legal, compliance and IT teams of multinational companies should monitor developments relating to the PIPL and prepare to implement changes to their practices where needed.
Note: The content in this article is relevant as of end of July 2021.
Linklaters is a well-known global law firm, supporting clients in achieving their strategies wherever they do business around the world. It has more than 40 years’ experience of advising Chinese and international corporates, Chinese state-owned enterprises and financial institutions on their cross-border strategic deals. Their rich experience in China and strong track records have provided Linklaters’ team an exceptional understanding of the local legal and economic landscape. They are able to not only call on the expertise of lawyers from the firm’s 31 offices globally, but also get support for PRC legal advice through Linklaters Zhao Sheng, its joint operation office with Zhao Sheng Law Firm in the Shanghai Free Trade Zone. This joint operation brings together Linklaters’ long-standing international experience and Zhao Sheng’s PRC-law capabilities, offering a ‘one-stop shop’ service of both international and PRC legal advice seamlessly to clients.