Authors: Carolyn Bigg and Amanda Ge
Businesses who must follow the China SCCs route to legitimize their cross-border transfers of personal data must file their signed China SCCs together with the supporting personal information impact assessment (“PIIA”) report with their local CAC branch by no later than 30 November 2023. This requires significant effort, and so businesses must act now to meet the filing deadline.
To recap, the China SCCs route is the relevant route for China entities that are data controllers of China personal information but who do not meet the thresholds whereby the full CAC assessment must be undertaken.
During the past few weeks, more practical guidance has been published by different local CACs, and we have gained insights from businesses already preparing their SCCs and accompanying PIIAs:
- More than 30 local CACs have published hotline numbers. Businesses can ask questions on filing-related matters on a real name basis. Anonymous questions in general are not accepted.
- Many local CACs (e.g. Beijing, Shanghai, Jiangsu, Chongqing, Shandong, Hubei, Jiangxi, Hainan, Heilongjiang and Guangxi) have published the email addresses to which companies may send the electronic copies of their filing materials. In these provinces, the local CACs’ comments and the companies’ amended materials will mainly be exchanged via email. Companies only need to submit the hard copy materials after the electronic versions are confirmed by the CACs.
- Different CACs have different opinions on whether a filing on a group basis is acceptable. For example, the Beijing CAC seems to be fine with the group filing approach. If the Chinese headquarters of a multinational organization is registered in Beijing, it may consider making the filing on behalf of all the other Chinese affiliates with the Beijing CAC. As to how to define the scope of “affiliate” (e.g. whether more than 50% control or other conditions are required), there is no clear guidance yet.
In addition, whether the group filing can work in practice also depends on the local CACs in the provinces where the affiliates are registered. For example, some CACs (e.g. Tianjin) only request a copy of the group filing record in other provinces, while some other CACs (e.g. Zhejiang) request the record/re-submission of the province-specific materials.
- The China SCCs are drafted in a way deeming the Chinese data exporter as a data controller. Thus, it remains uncertain as to whether or how the SCCs should be signed if the Chinese data exporter is a data processor.
- Where the Chinese exporter is the data controller, the same SCCs should be used regardless of whether the overseas importer is a data controller or a data processor – i.e. there is not a separate C2P version of the China SCCs. While in theory the parties may insert additional (but not conflicting) terms in Appendix 2 to the SCCs, we suggest limiting those to the absolutely necessary terms (if any), to avoid delays in the filing or more questions from the local CACs.
- In practice, we are seeing many international businesses identifying their group companies (e.g. the lead entity under their IGDTA) as the primary overseas recipient and vendors contracted at a group level as onward recipients (since in practice vendors engaged locally by the China entity tend to provide domestic-only services). In other words, the first-tier transfer is on an intra-group basis. When reviewing the CAC security assessment applications, the CAC seems to be fine with this approach. Following this approach, some businesses are considering putting in place the China SCCs directly between the exporter and the importer, while some other companies are considering supplementing their intra-group data transfer agreement with the China SCCs. The latter seems to be more common in practice at the moment, given the reluctance of big tech vendors to engage on signing China SCCs except where they have contracted directly with a China entity.
- At the moment, an overseas recipient is not mandatorily required to sign the China SCCs with the subsequent recipient(s) (i.e. for onward transfers), but it remains uncertain whether the CAC will adjust the regulatory approach in the future. This delay is being embraced by vendors, who are keen to avoid signing China SCCs for such onward transfers at the moment. However, there is an obligation in the China SCCs to flow them down to onward recipients, so while this is not an immediate priority, it should not be forgotten entirely.
- Together with the signed SCCs, a personal information protection impact assessment (“PIIA”) report must be submitted to support the filing. The PIIA report requires extensive data mapping, and a significant amount of work to complete. Do not leave it until the last minute – the time to act is now. The PIIA template published by the CAC requires almost the same set of details as in a CAC security assessment (i.e. the approval route). No local CAC has published further explanation on how detailed a PIIA report should be. To cover all the matters included in the template, a PIIA report can easily go beyond 50 pages. It is recommended to reserve at least two months to gather all the required details, coordinate with overseas parties and prepare (and translate if needed) the PIIA report.
- While it is referred to as a filing, the local CACs have the authority and discretion to order specific remediation measures if they identify compliance gaps when reviewing the data processing activities described in the PIIA report. Thus, before making the filing, it is recommended to fix major compliance gaps or (for the gaps that require significant effort to mitigate) at least to formulate clear remediation plans and describe them in the PIIA report.