Cross-border data transfer made easy now: The CAC Standard Contract

Previously, the transfer of cross-border personal data was challenging, whether it was conducting a CAC security assessment or certifying personal data. Both processes involved high costs, significant administrative burden, and long waiting times.

However, since June 1st, 2023, the transfer has been greatly simplified. The newly introduced CAC Standard Contract, together with the corresponding Standard Contractual Clauses (referred to as “China SCCs”), make it possible! You can find everything about the CAC Standard Contract here: what to consider and how the new simplified process works!

Overview: Cross-border data transfer and its challenges

With the introduction of the CAC Standard Contract, China takes another important step to ensure the secure and privacy-respecting transfer of personal or confidential data to other countries. Organizations that transfer large amounts of personal data are required to apply one of three transfer mechanisms. All three transfer mechanisms are outlined in Article 38 of China’s Personal Information Protection Law (PIPL):

1. The first is the security assessment conducted by the Cyberspace Administration of China (CAC), which follows a complex two-step process of self-assessment and CAC security assessment.
   Duration: At least 57 working days
   This assessment is mandatory for:
   1. Data processors transferring personal data of more than 1 million individuals.
   2. General transfer of personal data from more than 100,000 individuals or sensitive personal data from more than 10,000 individuals.
   3. Transfer of other data of special significance.
2. Between affiliated companies, obtaining a “Personal Information Protection Certificate” from specialized institutions involves a lengthy process.
   Duration: Approximately 110 working days
3. Now, there’s a new option: concluding a CAC Standard Contract and submitting it to the relevant CAC authority.
   Duration: At least 15 working days

Unlike the European Standard Contractual Clauses (EU SCC) that are equivalent to the CAC Standard Contract, the CAC Standard Contract does not have four different modules (“Controller-to-Controller,” “Controller-to-Processor,” “Processor-to-Controller,” “Processor-to-Processor”). Instead, it adopts a “one-size-fits-all” approach, using a universal “module” for all transfers of personal data abroad. The obligations of the parties (exporter and overseas recipient) are not dependent on their role and function.

Key information about the CAC Standard Contract:

• Applicable when there is no obligation for a CAC security assessment (as mentioned above)
• Language: Mandarin Chinese (mandatory)
• Process duration: At least 15 working days; extension of at least 25 working days in case of required document supplements/adjustments by the data processor and re-examination
• Process flow: (What?) Obligation to submit documents, including the signed standard contract and the data protection impact assessment report; (When?) within 10 working days after the standard contract takes effect; (Where?) to the competent CAC authority at the provincial level; (Form?) in written and electronic form
• CAC Standard Contract based on EU SCC is non-negotiable
• Additional agreements or conditions that do not contradict the purpose of the CAC Standard Contract are permissible
• Termination of the contract is achieved through mutual agreement based on designated reasons
• Liability between the contracting parties (exporter and overseas recipient) applies to all damages caused by a contract breach
• Liability towards the data subjects from whom the personal data originates: Joint liability of the exporter and the overseas recipient; recourse claims between the joint debtors

Parallel application of the CAC Standard Contract (China SCC) and the EU SCC

The CAC Standard Contract and the EU SCC have both substantive differences and partially contradictory provisions. Both standard contractual clauses are non-negotiable and unchangeable. Therefore, in each specific case, it is essential to determine whether the CAC Standard Contract or the EU SCC applies. The two parties to the CAC Standard Contract must ensure in advance, based on the local laws and practices at the destination, that the transfer process is not hindered.

Our legal and tax advice

We strongly recommend being vigilant when transferring personal data as described above. In particular, the interaction between the “CAC Standard Contract” and the “EU Standard Contract Clauses” requires thorough prior examination. Extensive research is key! Seek help and support to ensure a smooth process and avoid liability or high fines if the requirements for data transfer are not met. These fines are imposed not only on the “person in charge” but also on “other personnel subject to direct liabilities.”

After conducting a thorough data analysis, select the appropriate procedure for data transfer (security assessment, certificate, or CAC Standard Contract). Inform the affected parties of the transfer and, if necessary, obtain their consent. As a data processor, perform a due diligence assessment of the data recipient and conduct a privacy risk and impact assessment with a subsequent report before concluding the standard contract.

Before and during data export, the data recipient and data processor should maintain close communication. It should be coordinated which technical and organizational measures (TOMs) will be implemented, whether the data processing and transfer comply with the provisions of the CAC Standard Contract and other individual conditions, and there should be active information exchange with the CAC authority.

Our law firms, Ecovis Ruide in Shanghai and Ecovis Heidelberg, specialize in supporting German and Chinese companies, both from a tax and legal perspective. Contact us!