Cross-border Data Transfer Made Easy: The CAC Standard Contract

The transfer of personal data has been much simpler since 1st June 2023. This has been made possible by the newly introduced Collective Action Clause (CAC) Standard Contract, together with the corresponding Standard Contractual Clauses (referred to as “China SCCs”). The experts from Ecovis Richard Hoffmann law firm explain what needs to be considered with the Standard Contract and how the new simplified procedure works.

Previously, whether it was conducting a CAC security assessment or certifying personal data, the cross-border transfer of personal data was challenging. The processes involved high costs, a significant administrative burden, and long waiting times.

Overview: Cross-border Data Transfer and its Challenges

With the introduction of the Standard Contract, China is taking another important step to ensuring the secure and private transfer of personal or confidential data to other countries. Organisations that transfer large amounts of personal data are required to apply one of three transfer mechanisms. All three transfer mechanisms are outlined in Article 38 of China’s Personal Information Protection Law (PIPL):

1. The first is the security assessment conducted by the Cyberspace Administration of China (CAC), which follows a complex two-step process of self-assessment and CAC security assessment.
   Duration: At least 57 working days
   This assessment is mandatory for:
   1. Data processors transferring the personal data of more than 1 million individuals
   2. The general transfer of the personal data of more than 100,000 individuals or the sensitive personal data of more than 10,000 individuals
   3. The transfer of other data of special significance
2. For affiliated companies, obtaining a “Personal Information Protection Certificate” from specialist institutions involves a lengthy process.
   Duration: Approximately 110 working days
3. A new option: Concluding a Standard Contract and submitting it to the relevant CAC authority
   Duration: At least 15 working days

Unlike the European Standard Contractual Clauses (EU SCC), the CAC Standard Contract does not have four different modules (“controller-to-controller,” “controller-to-processor,” “processor-to-controller,” “processor-to-processor”). Instead, it adopts a “one-size-fits-all” approach, using a universal “module” for all transfers of personal data abroad. The obligations of the parties (exporter and overseas recipient) are not dependent on their role and function.

ECOVIS Ruide in Shanghai and ECOVIS Heidelberg provide tax and legal advice for German and Chinese companies.

Richard Hoffmann, Lawyer, Ecovis Heidelberg, Germany

Key Information About the CAC Standard Contract

• It is applicable when there is no obligation for a CAC security assessment (as mentioned above)
• Language: Mandarin Chinese (mandatory)
• Process duration: At least 15 working days; extension of at least 25 working days where supplementary documentation/adjustments by the data processor and re-examination are required
• Process description:
  • What: Obligation to submit documents, including the signed standard contract and the data protection impact assessment report
  • When: within 10 working days after the Standard Contract takes effect
  • Where: to the competent CAC authority at the provincial level
  • Form: in written and electronic form
• The regulations of the CAC Standard Contract, like the EU SCC, are non-negotiable
• Additional agreements or conditions that do not contradict the purpose of the Standard Contract are permissible
• Termination of the contract is achieved through mutual agreement based on designated reasons
• Liability between the contracting parties (exporter and overseas recipient) applies to all damages caused by a contract breach
• Joint liability of the exporter and the overseas recipient towards the data subjects from whom the personal data originates; recourse claims between the joint debtors

Parallel Application of the CAC Standard Contract (China SCC) and the EU SCC

The CAC Standard Contract and the EU SCC both have substantive differences and partially contradictory provisions. Both standard contractual clauses are non-negotiable and unchangeable. Therefore, in each specific case, it is essential to determine whether the CAC Standard Contract or the EU SCC applies. The two parties to the CAC Standard Contract must ensure in advance, based on the local laws and practices at the destination, that the transfer process is not hindered.

Be on the Safe Side with Legal and Tax Advice

Businesses should be extremely vigilant when transferring personal information as described above. In particular, it is important to closely scrutinise the interaction between the CAC Standard Contract and the EU SCC in advance. Extensive research is key! Businesses should seek help and support to ensure a smooth process and avoid liability or high fines if the requirements for data transfer are not met. These fines are imposed not only on the “person in charge” but also on “other personnel subject to direct liabilities.”

The appropriate procedure for data transfer (security assessment, certificate, or CAC Standard Contract) should be selected after a thorough data analysis. The affected parties must be informed of the transfer and, if necessary, their consent obtained. The data processor must perform a due diligence assessment of the data recipient and conduct a privacy risk and impact assessment with a subsequent report before concluding the Standard Contract.

The data recipient and data processor should maintain close communication before and during data export. The implementation of technical and organisational measures (TOMs) must be coordinated.

Additionally, companies should assess whether the data processing and transfer comply with the provisions of the Standard Contract as well as other individual conditions. Active information exchange with the CAC authority is also necessary.

For further information please contact:

Richard Hoffmann, Lawyer, Ecovis Heidelberg, Germany
Email: richard.hoffmann@ecovis.com