techUK joins global industry letter on China Standard Contract Provisions
We believe it is important that the Cyberspace Administration of China (“CAC”) design the standard contract provisions to be a valid and effective transfer mechanism under the Personal Information Protection Law (“PIPL”). As designed, we are concerned that the proposed framework may be unworkable in practice for many Chinese and foreign entities.
On 30 June 2022, the Cyberspace Administration of China ('CAC') released the Standard Contract Provisions for the Export of Personal Information (Draft for Comment) ('the Draft Standard Contract Provisions'). The Draft Standard Contract Provisions contain a standard contract akin to Standard Contractual Clauses ('SCCs') and establish requirements for personal information processors as well as overseas recipients, notably the obligation to carry out Data Protection Impact Assessments ('DPIAs'). China’s Personal Data Protection Law (PIPL), often referred to as China’s GDPR, officially came into force on 1 November. The PIPL is a comprehensive data protection law, regulating the way in which personal data is stored, handled and processed. Learn more about PIPL here.
If organisations are restricted in their ability to lawfully transfer data across borders, they may be unable to enter new markets, reach potential customers and deliver their offerings to consumers, which can hold back innovation and consumers' access to new technologies and services. You can read more about why international data transfers matter in techUK’s insight.
techUK joins other organizations in submitting that the draft Standard Contract Provisions should:
- not impose greater restrictions on data transfers than necessary;
- afford equal treatment to Chinese and foreign enterprises, services, and technologies;
- and be administered in a uniform, impartial, and reasonable manner with a view to ensuring non-discriminatory and streamlined approvals.
We also believe that China’s Standard Contract Provisions should reflect international best practices, and should be revised for greater alignment and interoperability with standard contractual clauses (SCCs) under the EU General Data Protection Regulation (GDPR).
You can read the full industry association letter submitted to the Cyberspace Administration of China and our further observations below.