A regulatory update
On 30 May 2023, the Cyberspace Administration of China (CAC) issued the long-awaited Guidelines for Recordal of the Standard Contractual Clauses (SCCs) for Cross-border Transfer of Personal Information (the Guidelines), following the issue of the SCCs Regulations in March 2023.
With all these in place, the regulatory authorities are now officially ready to implement and accept applications for SCCs Recordal from 1 June 2023.
The Guidelines provide clarifications on various procedural issues and time limits relating to the SCCs Recordal. For example:
There are three significant points to note under the Guidelines:
1. The extent of information requested for SCCs Recordal is no less than that for Cross-Border Data Security Assessment. The Guidelines require all PIA Reports to provide all required information according to the standard format. The template of the PIA Report for the SCCs Recordal is the same as the Self-assessment Report for the Cross-Border Data Security Assessment. This would imply that the applicants for SCCs recordal will have to devote similarly significant time and efforts (including considerable cooperations from their overseas data recipients) in order to satisfy the sufficiency of the information required.
2. Certain information requires special efforts to gather. Based on the experience of the self-assessment report for Data Security Assessment, the applicants for SCCs Recordal may experience challenges in providing very detailed information as requested by the regulatory authorities. This could include: (i) the specific technical details (bandwidth, capacities, IP address, etc) relating to the data cross-border flow routes/links in China and all the ways through to the overseas recipients; (ii) description of the full processing procedures of the concerned personal data by the overseas recipients; or (iii) the impact assessment of personal information protection regulations/policies on the performance of SCCs at the jurisdiction of the overseas recipients.
3. Uncertainty in obtaining SCCs Recordal should be clarified. The Guidelines specify that the recordal of SCCs may result in either “pass” or “no-pass” upon review of the recordal documentations submitted by the applicants. This brings uncertainty about whether the regulatory authorities are adopting a similar review criteria around the personal information subject to “Recordal review” under SCCs. This is supposedly to be a much lower review criteria than that of key data subject to “Approval review” under Data Security Assessment. We hope that the regulatory authorities will clarify the review criteria and reasons for “no-pass” as soon as possible.
The implications of having an executed or effective SCCs between Chinese or foreign parties before having certainty in obtaining SCCs Recordal from the regulatory authority
As discussed above, in case the regulatory authority refuses to grant recordal or requires considerable rectifications, the effective SCCs may need to be renegotiated or amended accordingly. We are seeking further clarifications from the authorities and exploring ways to control the risks.
Significant efforts are required. For those businesses who intend to transfer personal information to overseas recipients through the approach of SCCs Recordal, starting the preparation as soon as possible and completing the filing before the expiration of the 6-month rectification period (30 November 2023) is recommended to meet compliance requirements. In case a more detailed official review criteria comes out, they will then have time to update.
Read our Standard Contractual Clause Route Finalised: China cross-border data transfer article to learn more about the compliance requirements for SCCs and developing a prioritised Action Plan.
Need support with implementing the Standard Contractual Clauses route for cross-border data transfer? Leave your details and a member of the team will be in touch.
This Alert is written by Ling Jin, Sunny Su and the Data team of Rouse and Lusheng Law Firm (Strategic Partner of Rouse).