China's standard contract for cross-border data transfers released: key implications and comparison against the EU SCCs
On 24 February 2023, mainland China’s internet regulator – the Cyberspace Administration of China (CAC) – released the final form of the long-awaited Personal Information Export Standard Contract (Standard Contract), together with the Measures on the Standard Contract, which form principles governing the use of the Standard Contract (Measures). See our earlier alert here.
The Standard Contract and the Measures will take effect on 1 June 2023. New in-scope data exports from China must use the Standard Contract from that date, while a six-month grace period applies from the effective date for organisations to repaper existing in-scope cross-border data transfers.
The Standard Contract comprises one of the three main transfer mechanisms under China’s key data privacy legislation – the Personal Information Protection Law (PIPL). Multinational corporations (MNCs) doing business in or with China that are also subject to the European Union’s General Data Protection Regulation (GDPR) have been waiting for this critical development to legitimise international data transfers from China to overseas affiliates and other recipients, as part of their international data transfer strategy.
Comparison with the EU SCCs
The good news for many MNCs is that the Standard Contract is greatly influenced by the EU Commission’s Standard Contractual Clauses (EU SCCs). Nevertheless, while certain key aspects of the Standard Contract resemble the EU SCCs, the template appears to differ from the EU SCCs in several other respects, such as the scope of application, overall structure, and the additional filing obligations that it carries. Understanding the gaps between the two regimes will be essential for businesses that are seeking to use both the Standard Contract and the EU SCCs to achieve compliance across their global data flows.
We look at key aspects of the final Standard Contract in the table in Annex 1, comparing and contrasting against the EU SCCs, and highlighting some of important implications for international businesses.
Doing business in or with China requires action now as international businesses have no more than 9 months to negotiate and formulate terms for almost all data exports from this crucial market, regardless of their position under the GDPR.
The table comparing the Standard Contract to the EU SCCs is in Annex 1 here