Data transfers to non-European countries remain an important topic, currently on everyone’s lips because of the European Commission’s latest adequacy decision on the EU-US Data Privacy Framework (see here). What is easily overlooked, given the justifiably great attention paid to transfers across the Atlantic, is that the People’s Republic of China has also introduced new rules for handling the personal data of Chinese citizens. These are likely to affect many companies in Germany as well, since China remains one of Germany’s most important trading partners. This is a good time to take a look at the latest developments in data protection there.
What are the Chinese standard contractual clauses?
China’s new data protection law, the Personal Information Protection Law (PIPL), entered into force on 1 November 2021. The law contains provisions similar to those of the General Data Protection Regulation (GDPR), including requirements for transfers of personal data to foreign (non-Chinese) countries. One way to meet these requirements is to conclude standard contractual clauses (CN-SCCs) with foreign data recipients. The CN-SCCs took effect on 1 June 2023, and companies have until 30 November 2023 to implement them and to take the measures that follow from them.
For whom will the CN-SCCs be relevant?
The CN-SCCs safeguard transfers from China to other countries, including the European Union (EU). Importers under the CN-SCCs may therefore include EU companies receiving personal data from Chinese companies, provided that any of the following circumstances exists:
- Data processing is carried out for the purpose of offering goods or services to natural persons within the territory of China;
- Data processing is carried out in order to analyze or evaluate the behavior of natural persons within the territory of China;
- Other circumstances determined by law and administrative norm.
The CN-SCCs do not distinguish between controller-to-controller and controller-to-processor transfers. Unlike the EU Standard Contractual Clauses (EU-SCCs), there is a single module for all transfers abroad, regardless of the role and function of the parties involved. In return, the applicability of the CN-SCCs is limited both qualitatively and quantitatively so as to exclude larger or more sensitive transfers. They are only available if all of the following conditions are met:
- The controller of the personal data is not an operator of critical information infrastructure.
- The controller processes the personal data of fewer than 1 million natural persons.
- The cumulative number of natural persons whose personal data the controller has transferred abroad since 1 January of the previous year is below 100,000.
- The cumulative number of natural persons whose sensitive personal data the controller has transferred abroad since 1 January of the previous year is below 10,000.
Differences between the CN-SCCs and the EU-SCCs
Although the EU-SCCs quite obviously served as a template for the CN-SCCs, there are also differences between the two sets of clauses. Even before looking at the content, it is clear from their length that the CN-SCCs are more compact and less detailed than the EU-SCCs. This is not only because the CN-SCCs do not distinguish between the roles of the companies involved in the transfer, but also because the obligations of the data importer and data exporter are spelled out in less detail.
There are also differences in substance: despite some overlap in the parties’ obligations, the CN-SCCs contain additional requirements that have no equivalent in the EU-SCCs. These include, for example, the rule that the data importer may only pass the data on where there is a genuine business need, and that this need must be documented. EU companies that sign the CN-SCCs as data importers must therefore examine to what extent these obligations can be implemented internally. As a rule, existing processes will need to be adjusted or new processes introduced.
Compatibility of the CN-SCCs with the EU-SCCs and the GDPR
When dealing with the CN-SCCs, the question of compatibility with the EU-SCCs and the requirements of the GDPR inevitably arises. It is true that the two sets of clauses cover different scenarios: the EU-SCCs safeguard data transfers from the EU to third countries, while the CN-SCCs safeguard transfers from China to foreign countries. Nevertheless, it cannot be ruled out that a company must comply with both the CN-SCCs and the EU-SCCs in respect of certain transfers. In addition, EU companies remain subject to the obligations of the GDPR when processing data received from China.
A possible conflict could arise, for example, from the data importer’s extensive duty under the CN-SCCs to provide information to the Chinese authorities, if the importer is at the same time bound by the EU-SCCs, which impose strict requirements on disclosing data to authorities in third countries. Furthermore, under the CN-SCCs the data importer must inform the data exporter of requests for information from the authorities in its own country. Unlike the EU-SCCs, the CN-SCCs provide no exception for cases in which such notification is prohibited by law, so the importer could run into a conflict here as well.
Risk assessment of the data transfer
Under the CN-SCCs, data exporters must conduct a Personal Information Protection Impact Assessment (PIPIA) before transferring personal data out of China, which essentially corresponds to the Transfer Impact Assessment (TIA) under the EU-SCCs. The assessment must cover, for example, the purpose, scope and nature of the data processing, the risks to the data subjects and the obligations assumed by the data importer. It must also specify the technical and organisational measures the recipient abroad has implemented and maintains to protect the personal data, and assess whether the CN-SCCs are enforceable under the data protection laws and policies of the recipient’s country. Existing TIA processes can therefore be expected to serve as a starting point for the PIPIA.
Transmission of documents to the supervisory authority
Unlike data exports from the EU, a copy of the concluded CN-SCCs together with the risk assessment must be proactively filed with the competent authority within 10 working days of the clauses taking effect. This is primarily intended as an after-the-fact check of the legality of the transfer; there is no prior review and approval of the documents by the authority.
Sanctions
By concluding the CN-SCCs, the data importer becomes a possible addressee of sanctions under the PIPL. The Chinese supervisory authorities can accordingly impose fines of up to 5% of the company’s turnover for the previous year, a higher ceiling than the 4% provided for in the GDPR. In addition to fines against the company, natural persons such as the signatories of the CN-SCCs or the management of the data importer can also be sanctioned.
Outlook
Companies that receive data from China should address the CN-SCCs as soon as possible in view of the 30 November 2023 implementation deadline. There is still a lot to do: simply signing the CN-SCCs in time will not be enough. Companies must carefully examine what impact concluding the CN-SCCs will have on their obligations under other applicable data protection laws, and to what extent the clauses can sensibly be integrated into intra-group data transfers.
