On February 24, 2023, the Cyberspace Administration of China (CAC) released the final Standard Contractual Clauses (SCCs) for the Chinese Personal Information Protection Law (PIPL), along with its long-awaited accompanying SCC regulations (referred to as the Measures for Standard Contracts for the Export of Personal Information Abroad (the "SCC Measures").
A few quick takeaways for foreign higher education institutions who are actively engaged in the processing of personal information from data subjects located in China:
Of the cross-border transfer mechanisms currently available under the PIPL (namely, i. a security assessment conducted by the CAC; ii. a personal information protection certification by a licensed PRC entity; or iii. signing the PIPL SCCs), the SCCs have been regarded (and hopefully will remain) to be the most practical transfer mechanism for foreign higher education institutions with activities in China, so long as all the following conditions are met:
the PI handler is not a critical information infrastructure operator, or a CIIO - which refers to an entity that operates in a range of public service sectors, such as finance, energy, telecom, public utilities, health care, etc. that impact national security and public interests of China;
the PI handler processes the personal information of less than 1 million people;
the PI handler has not cumulatively transferred the personal information of more than 100,000 persons abroad as of January 1 of the previous year; and
the PI handler has not cumulatively transferred the sensitive personal information of more than 10,000 persons abroad as of January 1 of the previous year;
The final SCCs look drastically different from the initial draft that the Chinese government released last year.
Similar to the GDPR, no modifications can be made to the SCCs, although parties can supplement contractual terms so long as those additional terms do not conflict with the SCCs.
The SCC Measures require the personal information handler to file a copy of the SCC with the Chinese authorities.
The effective date of the SCCs and SCC Measures is June 1, 2023. The SCC Measures provide a 6-month grace period for personal information data transfers that occurred prior to June 1 in order to give institutions time to bring their activities into compliance with the PIPL (i.e., November 30, 2023).