Filing of the Chinese SCC for Outbound Transfer of Personal Information

28.06.2023

On February 22nd, 2023, the Cyberspace Administration of China (the “CAC”) issued the Measures for the Standard Contract for Outbound Transfer of Personal Information (the “Measures”) and its annexed text of the Standard Contract (the “SCC”). And then on May 30th, CAC further issued the First Edition of the Guidelines for the Filing of the Standard Contract for Outbound Transfer of Personal Information (the “Guidelines”, see Annex 1). 

 

In comparison to the Measures, the Guidelines provide more detailed information regarding the filing process, and we have summarized the key takeaways for your better understanding and to assist you in navigating the next steps. 

 

1.    The Guidelines has refined outbound transfer scenarios and iterated the eligibility to sign SCC

 

The Guidelines provide further clarification on scenarios considered as outbound transfer of personal information, including:

  • personal information collected and produced in the domestic operation are transmitted or stored overseas; or
  • personal information collected and produced is stored domestically, but overseas institutions, organizations, or individuals have access to inquire, retrieve, download, or export it.
     

As mentioned in the previous newsletter, companies engaged in cross-border transfer of personal information may sign the Chinese SCC to legalize their cross-border data processing activities if they meet the following conditions:

  • it is not a critical information infrastructure operator;
  • it processes the personal data of less than one million individuals, calculated since the establishment of the company;
  • it has provided overseas recipients with personal data of less than 100,000 individuals in aggregate since 1 January of the previous year (i.e., January 1, 2022); and
  • it has provided overseas recipients with sensitive personal data of less than 10,000 individuals in aggregate since January 1 of the previous year (i.e., January 1, 2022).
     

No changes have been made to these requirements in the Guidelines. If one of the abovementioned conditions are not met, then a security assessment at the Cyberspace Administration of China is required.

 

2.    What are the filing requirements?

 

  • the time to file: within 10 working days after the SCC takes effect (but there is a time limit for completion of the filing procedures, please refer to the item 6);
  • the way to file: to submit the written documents along with the electronic copies, currently no online filing platform is available;
  • the authority in charge of the filing: the provincial-level cyberspace administration where the personal information processor is located.

 

3.    What documents are required for filing?

The templates for documents No.4-7 have been provided along with the Guidelines.

 

4.    Are there specific requirements for the PIA?

 

In the template provided, a PIA report shall include 4 parts as follows:

 

  • brief description of the assessment work, in particular, if a third-party such as a professional assessment agency participates in the assessment, illustration of the basic information of the third-party and the participation situation is required, and those contents must be stamped with the official seal of the third party;
  • overall situation of outbound activities, e.g., information of the overseas recipient, information of the business and information system involved in transmitting personal information abroad etc.; 
  • Information of impact assessment of the planned outbound activities, for instance, the legality, legitimacy and necessity of the purposes, scopes and methods for the personal information handler and the overseas recipients to process personal information; and
  • Conclusion of the impact assessment for outbound activities. 

 

After the PIA report is completed, it shall be filed within 3 months together with the signed SCC provided that no major changes occurring up to the filing date. Otherwise, there is a risk that the filing enterprise may need to redo the PIA. Based on our experience, in practice, enterprises are often required to supplement or modify filing documents multiple times. Considering the PIA report is complex and such preparation will be time-consuming, companies may need to allocate enough time for this process.

 

5.    How will the authority process the filing?

 

Upon receiving the documents, the provincial-level Cyberspace Administration will complete the examination within 15 working days and notify the personal information processor of the filing results. If any documents need to be supplemented or modified, the personal information processor shall resubmit them within 10 working days. The authority will then have 15 working days to review the resubmitted documents.

 

6.    What are the legal consequences of not filing on time?

 

According to the Measures, the enterprises shall complete the filing within 6 months from June 1st,2023 which serves as the effective date of the Measures. So, the deadline for the enterprises to complete the filing is end of November this year. There is no clear legal consequence regarding the failure of filing on time in the Measures and the Guidelines yet. And the Measures only provides that any violation of the Measures shall be punished in accordance with the Personal Information Protection Law. Technically, it could mean that failure to comply with the filing requirements on time may result in the authority conducting regulatory interviews with the enterprises, issuing rectification requirement, imposing administrative penalties which usually could be the confiscation of illegal gains of the company, in extreme situations could reach to 50 million RMB or 5% of the turnover of the previous year of the company, or even in extreme situations pursuing criminal responsibility for illegal provision of personal information. 

 

7.    Conclusion

 

As there is less than half a year remaining to complete the filing process, the PIA will take some time and the filing may not be successful on the first attempt, it is suggested that companies with outbound transfer activities of personal information shall schedule the PIA accordingly and initiate the fling process at the earliest opportunity.

 

Please do not hesitate to contact us if you are interested in any of these topics and we are excited to discuss it with you!

 

Annex:  Filing procedures of SCC