February 2023 was a busy month for China’s data protection regulator and supervisory authority – the Cyberspace Administration of China (CAC). This month marks the end of the six-month grace period for the Regulation of Security Assessment for Outbound Data Transfer (hereinafter referred to as the “Regulation”). With the Regulation now fully in force, companies have started to apply to the CAC for a security assessment of their data transfers from China to third countries.
Meanwhile, the long-announced draft Chinese standard contractual clauses (the Chinese SCCs) were finally adopted in February and will come into force on 1 June 2023, with a further grace period of six months.
What is a security assessment and who should do it?
According to the Regulation, data controllers must go through a security assessment when transferring data from China to third countries in the following cases:
- The transfer involves critical data.
- A Critical Information Infrastructure Operator (CII Operator) transfers personal data outside of China.
- A data controller processing the personal data of more than one million data subjects transfers personal data outside of China.
- A data controller that has transferred personal data of more than 100,000 data subjects or sensitive personal data of more than 10,000 data subjects since the beginning of last year transfers personal data outside China.
The Beijing CAC has announced that it had received more than 80 applications by the end of February, with a further 142 companies preparing to apply. Local CACs in other regions are also holding seminars and information sessions on the implementation of the security assessment requirement.
For companies not subject to the security assessment requirement, this doesn’t mean that personal data collected in China can be transferred out of China without further restrictions. Art. 38 of the Chinese Personal Information Protection Law provides three ways for data controllers to transfer personal data from China to a third country. In addition to the aforementioned security assessment, a data protection certification or the Chinese SCCs can also be used to transfer personal data out of China.
The Chinese SCCs
In the EU, standard contractual clauses are standardised and pre-approved model data protection clauses issued by the European Commission (EU SCCs) that can be used by controllers and processors to comply with their obligations under EU data protection law. Strictly speaking, there are two sets of EU SCCs, one for use between controllers and processors within the EEA to meet the requirements of Art. 28(3) GDPR, and the other one for transfers of personal data to countries outside the EEA.
This approach has been followed by the Chinese regulators. However, there is currently only one set of SCCs in China, namely the one for data transfers from China to third countries. Unlike the EU SCCs for transfers to third countries, which consist of four different modules, the Chinese SCCs do not follow a modular approach. Since the Chinese SCCs only refer to the “data handler”, which is defined as the organisation that determines the purposes and means of data processing (the same as the definition of “data controller” under the GDPR), as the party transferring personal data outside China, it is reasonable to expect that the Chinese SCCs are only applicable in the “controller to controller” and “controller to processor” scenarios. For data transfers from a processor to a sub-processor or from a processor to a controller, which are covered by Modules 3 and 4 of the EU SCCs, specific arrangements between the parties will be required to apply the Chinese SCCs, or other transfer tools will need to be used.
The content and other obligations under the Chinese SCCs will be elaborated in our subsequent blog posts on China’s cross-border data transfer regimes.