China PIPL Standard Contractual Clauses: What to Know?
If your company is transferring data of individuals to a recipient outside China, you need to understand the rules of cross-border data transfer.
One of the most important provisions of many data protection regulations (especially PIPL) is the standard contractual clauses.
In this article, we’ll explain China PIPL standard contractual clauses, including what they are, who they apply to, and their requirements, so you can have a better understanding of them and be able to comply with this law.
- SCCs are provisions of the Chinese data privacy law that govern the rights and obligations of a data transferor (company), data recipient, and an individual whose data is transferred overseas.
- These contractual clauses apply to non-CIIOs that process the data of no more than one million individuals, have not provided personal information (PI) of more than 100,000 individuals overseas, and have not provided sensitive personal information (SPI) of more than 10,000 individuals overseas.
- Before a cross-border data transfer agreement can be made, a company must obtain consent from individuals whose data it wants to transfer outside China and conduct an impact assessment.
PIPL, or Personal Information Protection Law, is a collection of articles made to protect the personal information of customers, employees, and other individuals in China from bad practices by businesses.
The Law was first introduced on 13 October 2020 and submitted as a draft to China’s National People’s Congress before becoming effective on 1 November 2021.
It applies to any organization or individual, regardless of whether they are based in China or not, that processes the personal data of data subjects in China.
Similarly to other data privacy laws, such as GDPR, China’s PIPL also guarantees certain rights to individuals.
These rights are:
- Right to be informed
- Right to restrict and refuse data handling
- Right to delete
- Right of portability
- Right of the deceased
Additionally, PIPL has 8 principles, similar to GDPR’s 7 principles. However, PIPL’s principles are not all listed in one article (Article 5 for GDPR) but are spread out throughout multiple articles of this law.
The principles of PIPL include:
- Lawfulness, legitimacy, necessity, and good faith (Article 5)
- Purpose limitation (Article 6)
- Data minimization (Article 6)
- Transparency (Article 7)
- Personal information quality (Article 8)
- Accountability (Article 9)
- Data security (Article 9)
- Storage limitation (Article 19)
What are China PIPL Standard Contractual Clauses?
China PIPL standard contractual clauses (SCCs) are provisions that regulate the rights and liabilities between a data subject, data recipient, and a company when that company is transferring the data subject’s personal data to the recipient outside of China (aka cross-border transfer).
These are pre-approved agreements between the sender and recipient of personal information, ensuring that transferred data will be adequately protected according to PIPL standards.
The Cyberspace Administration of China (CAC) released the rules of SCCs on 24 February, and they became effective on 1 June 2023.
Unlike GDPR’s SCCs, which have four models (controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller), PIPL’s SCCs do not distinguish between different roles and functions and have one universal template that works in all cases.
Who Needs to Use China PIPL Standard Contractual Clauses?
To be eligible to use China PIPL standard contractual clauses, a company needs to meet these conditions:
- It is not a critical information infrastructure operator (CIIO). Critical information infrastructure (CII) was defined on 30th July 2021 and includes “important network infrastructure, information systems, etc., in important industries and sectors such as public telecommunications and information services, energy, transportation, water, finance, public services, e-government, national defense science, technology, and industry, etc., as well as where their destruction, loss of functionality, or data leakage may gravely harm national security, the national economy and people’s livelihood, or the public interest.”
- It processes the personal data of no more than one million individuals
- It has not provided the personal information of over 100,000 data subjects (cumulatively) overseas since 1st January of the previous year
- It has not provided sensitive personal information (cumulatively) of more than 10,000 data subjects since 1st January of the previous year
Transfers over 100,000 (PI) or 10,000 (SPI) need a special security assessment instead of the SCC.
Requirements for Chinese Standard Contractual Clauses
Before a business can enter an overseas data transfer agreement, it will have to do a Personal Information Protection Impact Assessment (PIPIA). This is similar to GDPR’s DPIA and must answer the following questions:
- Is the cross-border data transfer valid, necessary, and appropriate?
- What is the category, volume, and scope of the transferred data, and is it sensitive?
- What measures (organizational and technical) will the data recipient have to take?
- What are the obligations the data recipient will have?
- Are there any risks of data breaches, leaks, damage, or loss of data following the transfer? How can data subjects protect themselves?
- What data protection laws, regulations, and policies exist in the destination country?
- What other aspects could affect the transfer besides these?
China’s SCCs are very similar to GDPR’s SCCs when it comes to requirements.
However, they have a few distinct clauses, namely:
- An overseas data recipient can only receive a transfer once certain criteria are met. These include notifying the data subjects, implementing the necessary security measures, and the recipient signing the agreement that guarantees data protection.
- The cross-border data transfer agreement is governed by Chinese law.
- The company transferring the data and the data recipient have a joint responsibility toward the data subject, who can make a claim against both.
- A Chinese court, a Chinese arbitration tribunal, or an international arbitration tribunal will handle any disputes.
The SCC-based international data transfer must be filed with the CAC within ten business days.
What are the other Appropriate Safeguards for Cross-Border Data Transfer?
Cross-border data transfer is much stricter under Chinese law than it is under EU law (see the appropriate GDPR cross-border data transfer safeguards), and a business must take several steps to check all of the boxes.
Under the PIPL, transfers of personal information (PI) or sensitive personal information (SPI) that involve volumes exceeding 100,000 or 10,000, respectively, require a special security assessment. Additionally, any CIIO will need this security assessment.
This means that businesses must undergo an evaluation conducted by China's state cybersecurity department to ensure proper safeguards are in place for transferring data across borders.
This special security assessment aims to verify whether appropriate measures have been taken to protect the privacy and security of an individual's personal information during cross-border transfers.
It involves evaluating factors such as the technical capabilities of the receiving party, their data protection policies and practices, encryption methods used for transmission purposes, and compliance with Chinese laws regarding data protection obligations domestically and abroad, among other relevant considerations.
In addition to the special security assessment, another appropriate safeguard for cross-border data transfers in China is obtaining certification from a specialized body authorized by the state Cybersecurity and Informatization Department.
This certification verifies that businesses have implemented adequate measures to protect personal information during international data transfers.
The certification process involves an evaluation conducted by the authorized specialized body. The certification criteria may include data protection policies, technical safeguards, encryption protocols, internal controls, and governance mechanisms related to personal information handling practices.
Legally Binding Treaties
Cross-border data transfers may also take place in accordance with China’s international treaties and agreements.
These legally binding instruments provide a framework for governing the transfer of personal information across borders, offering safeguards and protections to ensure compliance with relevant laws in both exporting and importing jurisdictions.
By adhering to specific provisions outlined in these treaties or agreements, businesses can demonstrate their commitment to protecting individuals' privacy rights during cross-border data transfers while maintaining transparency and legal certainty throughout the process.
China PIPL standard contractual clauses are an important part of Chinese data protection regulation, as they govern the lawful methods for transferring data outside of China.
China’s PIPL is one of the stricter data privacy laws out there, and non-compliance can cost you several million dollars, a lower social credit score, business suspension, disciplinary action, or even imprisonment.
That’s why you should get expert help from us. Get in touch today with Captain Compliance, and our experts will help you avoid fines and penalties.
Are standard contractual clauses still valid?
Yes, standard contractual clauses are valid for most international data transfers. However, under PIPL data protection law, SCCs apply only for non-CIIOs and where the transfer does not go over 100,000 for personal information or 10,000 for sensitive personal information.
What is the standard contractual clause for China?
A standard contractual clause (SCC) in China is a set of provisions that the company transferring data of individuals overseas, the overseas data recipient, and the individuals all must agree on. These regulate the rights and liabilities of all three parties.
What are the rules of Chinese SCCs?
The rules of Chinese SCCs include:
- The company is not a critical information infrastructure operator (CIIO). This means it does not operate an important network or information system in a key public sector (telecommunications, energy, transportation, national defense, etc.) whose data leakage or loss would harm national security, the national economy, the public interest, or people’s livelihoods.
- It processes the personal data of fewer than one million individuals
- It hasn’t provided PI of more than 100K individuals since 1st January the previous year
- It hasn’t provided SPI of more than 10K individuals since 1st January the previous year
Where the company has provided PI of over 100K individuals or SPI of over 10K individuals, a special security assessment is required instead.
Does GDPR apply to China?
No, the GDPR does not apply to China. However, if a company in China processes the personal information of citizens of the European Union, then the GDPR will apply to it.
What is the difference between GDPR and China PIPL?
The GDPR is a legal framework that governs how the personal data of EU citizens can be handled, while PIPL oversees the data privacy and protection of Chinese citizens.
Although the two regulations have the same goal, they, of course, have several key differences, namely:
- Different territorial scope
- Definitions of personal information and sensitive personal information
- Primary roles
- Data localization
- Lawful basis for data processing
- Data subject access requests (DSARs)
- Non-compliance penalties and fines
- Separate consent
- DPO requirements
- International data transfer