Draft standard contractual clauses (SCCs) were issued by China’s National Cyberspace Department in June.
The SCCs will likely be a welcome tool for colleges and universities that receive personal information (PI) from China, and in some cases may allow institutions to receive PI without undergoing a Chinese government security assessment.
This June, China’s National Cyberspace Department issued draft standard contractual clauses (SCCs) that U.S. institutions of higher education (IHEs) can potentially incorporate into contracts to allow them to conduct cross-border transfers of personal information from China to the U.S., in compliance with China’s Personal Information Protection Law (PIPL), without undergoing any security assessment or certification by the Chinese government. However, applicable Chinese regulations on cross-border transfers provide limitations on when the SCCs may be used in lieu of such security assessments. Furthermore, IHEs may only incorporate the SCCs into contracts after completing a transfer impact assessment and determining that they are not aware of any U.S. laws or regulations that would prevent them from complying with PIPL.
While the SCCs are still in draft form and are therefore subject to change, IHEs should start working now to identify situations where they may be receiving personal information from personal information handlers (i.e., controllers) or entrusted parties (i.e., processors) in China. Then, they should assess whether it is appropriate to incorporate SCCs into contracts with those handlers or entrusted parties to lawfully transfer personal information from China to the U.S. without undergoing a Chinese government security assessment.
Applicability to U.S. IHEs
IHEs may receive personal information from Chinese handlers and entrusted parties in a variety of scenarios, including activities related to international research, study abroad programs, student recruitment, or advancement. In all cases where the personal information is not fully anonymized before being exported from China, PIPL requires IHEs to either undergo a security assessment by the Chinese government or incorporate SCCs into their contracts with the exporting parties. The requirements of such security assessments may conflict with IHEs’ obligations under U.S. laws and regulations, making the newly drafted SCCs a welcome addition to any IHE’s PIPL compliance program.
Limitations to When U.S. IHEs May Use SCCs
However, China’s 2021 regulations on Data Export Security Assessments provide that SCCs will not relieve an IHE of the need to undergo a Chinese government security assessment if the exporting party exceeds certain handling thresholds. Specifically, an IHE will need to undergo such security assessments to conduct cross-border personal information transfers if the exporting party: (1) is exporting important data; (2) is a critical information infrastructure operator; (3) handles the personal information of at least one million individuals; (4) annually transfers at least 100,000 individuals’ personal information from China; or (5) annually transfers at least 10,000 individuals’ sensitive personal information from China. If the exporting party exceeds any of these three thresholds, then the exporting party and IHE must undergo a Chinese government security assessment to lawfully transfer personal information from China to the U.S.
If an exporting party does not exceed any of those thresholds, then it may forgo Chinese government assessment by incorporating SCCs into contracts involving cross-border personal information transfers, but only after the IHE and exporting party conduct a transfer impact assessment. Such assessment must conclude, among other things, that U.S. legal obligations will not prevent the IHE from complying with PIPL. IHEs will need to conduct such transfer impact assessments on a case-by-case basis to consider the applicability of various U.S. laws and regulations that may conflict with PIPL. Laws and regulations requiring IHEs to disclose personal information to the U.S. government should be of particular concern, as PIPL requires Chinese government approval before providing U.S. judicial or law enforcement authorities with any personal information from China.
Actions U.S. IHEs Should Take Now
While the draft SCCs are being finalized, IHEs should engage in data mapping to identify any situations where they receive personal information from handlers or entrusted parties located in China. If an IHE is engaged in any cross-border personal information transfers, and the personal information is not fully anonymized prior to leaving China, then it should determine whether the exporter exceeds any of the thresholds provided in the 2021 regulations on Data Export Security Assessments. And, even if an exporter does not exceed any of the thresholds, an IHE should be prepared to conduct case-by-case transfer impact assessments to determine whether it can forgo a Chinese government security assessment by incorporating the SCCs into cross-border transfer agreements.