E Point Perfect

Data Transfers and Beyond: China Moves Closer to Finalizing Draft Provisions Permitting the Transfer of Personal Data Abroad


Comparison by topic: EU SCCs, UK IDTA and Draft Provisions

When Required?

EU SCCs: The EU SCCs are required when transferring personal data outside the EEA and Switzerland. The EEA consists of the following European Union member states: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.

UK IDTA: The IDTA is required for personal data transfers outside England, Wales, Northern Ireland and Scotland.

Draft Provisions: The Draft Provisions are required to transfer personal data outside China.

Mechanism’s History

EU SCCs: On June 4, 2021, the European Commission published the finalized version of the EU SCCs. Before these clauses took effect, the European Commission used the “old” EU SCCs, which were in effect for over a decade. The “old” EU SCCs were updated to align more closely with the General Data Protection Regulation (“GDPR”).

UK IDTA: Following Brexit, the EU’s GDPR no longer governed personal data of UK residents. As a result, the UK adopted its own version of the GDPR (the “UK GDPR”). For the purpose of data transfers outside the UK, Northern Ireland and Scotland, the “old” EU SCCs could be used (and still can be used for a limited time) so long as they were modified to replace any reference to the EU with the UK.

Draft Provisions: The Draft Provisions are the first transfer mechanism of their kind in China. Although there have been several iterations of proposed Draft Provisions, none have gone into effect. The purpose of the Draft Provisions is to align with Article 38(1)(3) of the PIPL.

Who Can Use this Mechanism?
EU SCCs: All Entities. The EU SCCs are available to all data controllers and/or processors who wish to sign and implement them, provided they can adhere to the provisions in practice.

UK IDTA: All Entities. Like the EU SCCs, the IDTA is available to all controllers and/or processors who wish to sign and implement it, provided they can adhere to the provisions in practice.

Draft Provisions: Limited Entities. The Draft Provisions limit the types of entities that may enter into this standard agreement. These entities must satisfy the following requirements:

  • The entity is NOT a critical information infrastructure operator.
  • The entity processes the personal data of fewer than 1 million individuals.
  • The entity has transferred personal data of fewer than 100,000 individuals on a cumulative basis since January 1 of the previous year.
  • The entity has transferred sensitive personal data of fewer than 10,000 individuals on a cumulative basis since January 1 of the previous year.

*Notably, the Draft Provisions also require the data exporter to file the executed contract with the provincial branch of the CAC within 10 days after the contract goes into effect along with a personal information protection impact assessment that must be prepared before the transfer.

Does the Mechanism have Modules?

EU SCCs: Yes. The EU SCCs feature four separate modules that govern the transfer of personal data between entities based on each party’s data processing/exporting role.

Module One: controller to controller transfers

Module Two: controller to processor transfers

Module Three: processor to processor transfers

Module Four: processor to controller transfers.

Thus, the EU SCCs’ modular approach requires entities to (i) pay close attention to all potential processing roles a party may have under a transaction (e.g., data controller or data processor) and (ii) examine how data flows. Under the EU SCCs, certain agreements may need several modules in place to permit the transfer of data outside the EEA.

UK IDTA: Yes. The IDTA adopts the same modular approach as the EU SCCs. The exporting parties must also select all the modules that apply to the particular data transfer in question.

Draft Provisions: No. As discussed above, China’s Draft Provisions are limited to transfers from certain Chinese-based entities to an overseas recipient. However, the Draft Provisions do not differentiate between certain transfer scenarios as the EU SCCs and IDTA do. As drafted, there are some ambiguities as to what obligations apply solely to data controllers and importers outside China and the obligations that apply only to processors or importers outside China.

Are Onward Transfers Permitted?

EU SCCs: Yes. Under the EU SCCs, an “onward transfer” simply means the further disclosure of personal data by the data importer to another third party outside the EEA. For example, if any personal data has been transferred from the EEA to the United States and then transferred from the United States to other countries, the transfer from the United States is an “onward transfer” for GDPR purposes. Typically, a second agreement such as a data processing agreement is needed for the data importer to carry out an onward transfer to an additional third party.

UK IDTA: Yes. Similar rules as the EU SCCs.

Draft Provisions: It’s complicated. The Draft Provisions have stricter restrictions on carrying out onward transfers. Overseas recipients are not allowed to disclose personal data to third parties located outside China unless the following requirements are met:

  • Legitimate Purpose. There are real and legitimate business needs to provide personal data.
  • Data Subject Consent. The overseas recipient has informed the data subjects about the third-party recipient, and separate consent has been obtained.
  • Data Processing Agreement Requirement. The overseas recipient has entered into a written agreement with the third party to implement the same level of personal data protection.
  • Proof of DPA. The overseas recipient has provided the data exporter with a copy of the agreement.

 

Docking Clause
EU SCCs: Yes. The EU SCCs feature a docking clause, Clause 7, which expressly permits adding new parties to the SCCs. The docking clause provides that an entity that is not a party to the SCCs may, with the agreement of the parties, accede to the SCCs at any time, either as a data exporter or as a data importer, by completing the EU SCCs Appendix and signing Annex I.A.

UK IDTA: Yes. Parties may amend the IDTA for use in multi-party arrangements, and the clauses do not need to be signed to become binding.

Draft Provisions: Unclear. It is unclear whether these clauses will allow multi-party arrangements.

Is there a Short-Form Version of this Mechanism?
EU SCCs: No. There is no short-form version of the EU SCCs.

UK IDTA: Yes. The UK IDTA is unique in that it works in tandem with the EU SCCs. In other words, if the EU SCCs are already in place, a shorter version of the IDTA may be used instead of the full 36-page document.

Draft Provisions: Unclear. It is unclear whether the CAC will create a short-form version of the Draft Provisions that may be used in conjunction with the EU SCCs or IDTA.

Status/Effective Date

EU SCCs: Effective September 27, 2021.

Grace Period: Organizations can no longer enter into the “old” EU SCCs (the cutoff was September 27, 2021) but can rely on the “old” EU SCCs entered into before that date until December 27, 2022.

UK IDTA: Effective March 21, 2022.

Grace Period: Organizations may enter into the “old” EU SCCs (with UK edits) on or before September 21, 2022. Transfers using the “old” EU SCCs will be valid until March 21, 2024, assuming that the processing operations under the agreement remain unchanged during that time.

Draft Provisions: Not in Effect.

Public comment on the Draft Provisions ended on July 29, 2022.


