Privacy Matters – DLA Piper's Global Privacy and Data Protection Resource

CHINA: Cross-border data transfers – what are your options?
https://privacymatters.dlapiper.com/2022/07/china-cross-border-data-transfers-what-are-your-options/
Fri, 08 Jul 2022
Authors: Carolyn Bigg, Venus Cheung, Fangfang Song, Gwyneth To

We have all been waiting for a confirmed approach to legitimising overseas transfers. Finally, we have a clear answer on what organisations need to do to transfer personal data and “important data” outside of Mainland China, or to access such data from outside Mainland China; and the message is clear – all organisations must determine the correct approach and take steps to become compliant by 1 March 2023.

Firstly, it is clear now that there is no one obvious approach, unlike other jurisdictions where organisations could simply sign SCCs to validate/legitimise overseas transfers. All organisations must assess – based on their data processing activities, volume and type of data, operations in Mainland China and other factors – which of the options, namely (A) CAC certification, (B) SCCs (see our recent alert on these here), (C) CAC security impact assessment or (D) other mechanisms, such as those for certain industries, is the right one for them to follow. Once that decision is made, data mapping, repapering of DPAs and engagement with the regulator (CAC) in one form or another is going to be critical.

To be clear, based on recently released guidance, regardless of which route an organisation opts for, there appears to be a need for each organisation to engage with the CAC to a lesser or greater extent.

Following hot on the heels of the draft SCCs, we now also have clearer guidance on two of the alternative routes to legitimise overseas data transfers: draft guidelines on obtaining organisation-level CAC certification (route (A) above), and most recently – and it seems the most likely route for many multinational organisations – an approval from the CAC upon satisfying the CAC security impact assessment (route (C) above).

On this last option, the Measures for Security Assessment of Overseas Transfers were published by the CAC on 7 July, and will come into force on 1 September 2022, with a six-month grace period for organisations to obtain approval from the CAC. The CAC security assessment primarily assesses the impact of overseas transfers on national security, public interest, and the legitimate rights and interests of individuals or organisations. Details of the process are set out below:

Triggers for opting for CAC approval via its security assessment

Organisations may choose this route to legitimise overseas data transfers if they:

  • transfer important data overseas;
  • are designated as a critical information infrastructure operator;
  • may process personal information of over 1 million data subjects and intend to conduct overseas transfers activities;
  • have transferred personal information of 100,000 data subjects or sensitive personal information of 10,000 data subjects overseas since 1 January of the preceding year; or
  • are required by the CAC to conduct a security assessment based on other relevant legislation.

Required documentation and process for obtaining approval from the CAC

Prior to applying for approval from the CAC, an organisation should conduct a security self-assessment. The self-assessment report should then be submitted to the local CAC together with a completed application form and the relevant documents/contracts with the overseas recipient.

The local CAC will conduct a preliminary review of the submitted documentation and submit it to the national CAC for the next steps (i.e. the CAC security assessment and issuance of an approval note). If the CAC security assessment is passed, the organisation will be granted a written approval. Such approval must be renewed every two years.

Highlights of the approval process

Organisations should:

  • Take into account the time required to obtain approval from the CAC when planning their overseas transfer processing activities. The approval process may take a few months, and although there is a six-month grace period for organisations to obtain approval, it is anticipated that the regulators would expect organisations to hold off on data transfer activities until approval has been obtained.
  • Consider their current and future contracting methodology with third parties (including their intra-group companies). There are specific requirements as to what content must be included in data transfer agreements. Given that the contracts will need to be submitted to the CAC for approval, organisations may consider adopting the SCCs with overseas recipients.
  • Note that, subject to further clarification by the CAC, approval is likely to be obtainable on a per-data-controller basis rather than on a per-transfer/data-set basis.
  • Note that remote access to data from overseas will also be treated as an overseas transfer.
CHINA: Draft SCCs Released – Time to Focus on Overseas Data Transfers
https://privacymatters.dlapiper.com/2022/07/china-draft-sccs-released-time-to-focus-on-overseas-data-transfers/
Fri, 01 Jul 2022
Authors: Carolyn Bigg, Venus Cheung, Fangfang Song

The China draft SCCs have been published, but may not provide the easy approach to cross-border transfers of Mainland China personal data that we had hoped for. Requirements to file the SCCs or PIIA for each transfer with the regulator, to undertake mini transfer impact assessments upon changes to a recipient country’s data laws, and regulator powers to suspend cross-border data transfers as a sanction for non-compliance with the PIPL mean that this is not just a case of updating intra-group, vendor and business partner agreements to include the new SCCs.

The Cyberspace Administration of China (“CAC”) issued the Draft Provisions on Standard Contracts for Cross-border Transfer of Personal Information (“Draft SCCs Provisions”) on 30 June 2022. The Draft SCCs Provisions clarify how the SCCs may be implemented by organisations as one of the mechanisms for overseas data transfer under the Personal Information Protection Law.

The Draft SCCs Provisions include template SCCs. The template SCCs appear to be influenced by GDPR, and a number of clauses are aligned with the GDPR. Notably, the Draft SCCs Provisions do not distinguish C2C/C2P transfers.

Organisations may rely on SCCs only if all of the below conditions are satisfied:

  1. It is not a critical information infrastructure operator (“CIIO”);
  2. It processes personal information of no more than one million individuals;
  3. It has transferred personal information of no more than 100,000 individuals since January 1 of the previous year (i.e., potentially up to a two-year period); and
  4. It has transferred sensitive personal information of fewer than 10,000 individuals since January 1 of the previous year (i.e., potentially up to a two-year period).

The above thresholds are generally aligned with the draft Measures on Security Assessment of Overseas Data Transfer released last year. This means that if the data transfer does not satisfy all of the above conditions, the organisation is not able to rely on the SCCs. Instead, a CAC-conducted security assessment must be carried out for the overseas data transfer.

The SCCs should include the following provisions:

  1. basic information of the organisation and the overseas recipient, including but not limited to names, addresses, names and contact information of contact persons, etc.;
  2. the purpose, scope, type, sensitivity, quantity, method, retention period and place of storage of the personal information;
  3. the responsibilities and obligations of the organisation and overseas recipient, as well as technical and management security measures;
  4. the impacts of the data privacy laws and regulations of the destination country on the SCC;
  5. data subject rights, approaches to exercise such rights; and
  6. remedy, rescission of contract, liability, disputes resolution, etc.

The Draft SCCs Provisions reiterate that, before transferring personal data outside of Mainland China, a personal information impact assessment (PIIA) should be conducted. (Of course, explicit, separate consent must also be obtained.)

The SCCs should be filed with the local CAC within 10 days after taking effect. In addition, the PIIA should also be filed. This suggests, although the drafting is not explicit on this point, that copies of each and every set of SCCs signed on a per-transfer/contract basis must be filed.

New SCCs should be signed in each of the below circumstances:

  • change of data processing activities, including change of purpose, scope, type, sensitivity, quantity, method, retention period or place of storage, change of the method by which overseas recipients process the personal information, or extension of the retention period of the personal information;
  • change to the data privacy laws and regulations of the destination jurisdiction that may impact the rights and interests of individuals (this appears to involve a “light” version of a GDPR/Schrems II transfer impact assessment); or
  • other circumstances that may affect the rights and interests of individuals.

The local CAC (provincial level or above) is entitled to suspend the overseas transfer of personal data by any organisation if the local CAC discovers that the actual transfer does not comply with the relevant cross-border data transfer rules. This is a significant incentive for organisations to comply, as the operational and contractual risks to organisations of having to suspend cross-border data transfers, including the investment in setting up solely in-country infrastructure, would no doubt be more costly than a regulatory fine.

Separately, for those organisations preferring not to use the SCCs, an alternative route would be for the organisation to obtain overall accreditation for its global data transfers from a certification body. Separate draft guidelines outlining the procedure for this were published last month for public consultation.
