DeBund | What Are the Differences between China and the EU in Terms of Standard Contracts for Cross-border Data Transmission?

Last month, China's Internet Information Office issued the Personal Information Exit Standard Contract Provisions (Exposure Draft) (hereinafter the "Exposure Draft"). Which enterprises can legally transmit personal information abroad by signing a standard contract? This article introduces the relevant system. In fact, the cross-border transfer regime for personal data under the European Union's General Data Protection Regulation (GDPR) also contains standard contractual clauses. Today we will talk about the similarities and differences between the standard contracts of China and the European Union.
2022-08-03 14:33:22


I. What are the ways of cross-border transmission of personal data between China and the EU?

Under Chinese law there are three routes for transmitting personal data overseas (including to the European Union and the United States): 1. passing the security assessment of the Internet Information Department; 2. obtaining personal information protection certification from a professional institution; 3. signing a standard contract.

The EU's General Data Protection Regulation provides several ways to realize the cross-border transmission of personal data, mainly divided into three mechanisms: the first is the adequacy decision mechanism (also known as the white list); the second is the mechanism of adopting appropriate safeguards, including signing standard contractual clauses (SCC), adopting binding corporate rules (BCR), certification mechanisms, codes of conduct (COC), etc.; the third covers situations such as the consent of the data subject or necessity for the performance of a contract.

As the EU's white list of countries recognized as providing adequate personal data protection does not include China, enterprises transmitting EU personal data to China need to rely on the other routes provided by the GDPR, such as signing standard contracts, adopting binding corporate rules, or obtaining the consent of data subjects. For intra-group data transmission, large and medium-sized multinational enterprise groups may prefer the path of binding corporate rules, that is, submitting a document or system statement to ensure compliance with EU data protection law within the group. Most enterprises, however, will likely rely more on signing standard contracts to transmit EU personal data to China.

II. What are the similarities and differences between the standard contracts for cross-border transmission of personal information between China and Europe?

Although both the EU standard contract and China's standard contract are standard contract texts, they still differ in emphasis and application. Specifically:

1. Applicable subject and scope

According to the provisions of the EU standard contract, as long as the enterprise responsible for data protection transmits personal data collected in the EU to a third country, it may choose the standard contract route under the GDPR to realize cross-border data transmission. According to the different roles of subjects in personal data processing, the standard contract divides subjects into data controllers and data processors. The data controller is the company that collects the data, while the processor is the company that analyzes or uses the data; their legal responsibilities and focus differ.

To explain a little about data controllers and data processors, take the Cambridge data disclosure case, in which Facebook was fined $5 billion. In this case, Facebook collected and controlled users' data, but because it protected that data poorly, an app developed by Cambridge, which was used by only 27,000 users, obtained the Facebook data of more than 50 million users, and the resulting data analysis even affected the outcome of the U.S. general election. Facebook was eventually fined $5 billion. In this case, Facebook is the data controller, while Cambridge, which analyzed the data, is the data processor.

Compared with the EU, which distinguishes the roles of subjects in processing data, China refers to them collectively as personal information processors. The reason China's standard contract distinguishes by industry and by the total volume of personal data processed is based not only on protecting the rights and interests of personal data subjects, but also on national security and public interests. Therefore, not all entities can use a standard contract to realize cross-border data transmission. Only those that meet all four of the following conditions at the same time can provide personal information abroad by signing a standard contract:

(1) Not a critical information infrastructure operator;

(2) Processing the personal information of fewer than 1 million people;

(3) Having provided the personal information of fewer than 100,000 people abroad since January 1 of the previous year;

(4) Having provided the sensitive personal information of fewer than 10,000 people abroad since January 1 of the previous year.

Personal information processors are organizations and individuals that independently determine the purpose and method of processing in personal information processing activities.

In terms of scope of application, in principle both the EU standard contract and China's standard contract apply only to the two parties that sign them, but the docking clause in the EU standard contract allows a third party to subsequently accede to the EU standard contract in the capacity of data transmitter or data receiver and be bound by it. There is no such mechanism in China's standard contract: if the overseas recipient provides personal data to a third party, it must obtain the user's separate consent and conclude a new written agreement.

2. Applicable law and dispute resolution clause

In terms of applicable law, EU standard contracts offer more options than China's standard contract. The reason is that, in addition to the laws of EU Member States, EU standard contracts may under specific circumstances be governed by the law of a non-EU state. In contrast, China's standard contract can only be governed by Chinese law.

In terms of dispute resolution clauses, EU standard contracts lean towards court jurisdiction, although either EU or non-EU courts may be chosen, while China's standard contract adopts a dedicated dispute resolution mechanism for civil disputes: court jurisdiction or arbitration. Where court jurisdiction is chosen, a domestic (Chinese) court must be selected; where arbitration is chosen, the parties may select the China International Economic and Trade Arbitration Commission, the China Maritime Arbitration Commission or the Beijing Arbitration Commission, or an arbitration institution in a contracting state of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards (the 1958 New York Convention).

3. Evaluation of data transmission

Both the EU and China require a corresponding assessment of data transmission. Although the GDPR emphasizes risk assessment of cross-border data transmission activities and taking effective measures to reduce their risks, cross-border data transmission is not itself a scenario in which a data protection impact assessment must be carried out; enterprises need to provide assessment records of cross-border transmission of personal data only when required by EU regulators. In contrast, China's standard contract requires a personal information protection impact assessment report to be completed in advance and filed with the Internet Information Department at the same time (the report must be kept for 3 years).

In terms of content, the two assessments are similar in substance and focus. The assessment required by the EU standard contract covers the specific circumstances of the data transmission, the law and judicial practice of the country where the data receiver is located, any supplementary contractual measures already implemented, technical or organizational safeguards, and so on. The assessment under China's standard contract must focus on the specific circumstances of the export, the impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of the standard contract, and whether the management and technical measures and capabilities of the overseas recipient in performing its responsibilities and obligations can ensure the security of the exported personal information.

As mentioned above, enterprises need to provide the corresponding assessment records when required by EU regulators, and in that case EU regulators may still substantively review the assessment contents and records. Since China's standard contract adopts a filing system, China's Internet Information Department will not substantively review every assessment report and assessment record.

4. Technical guarantee measures

The EU standard contract imposes strict restrictions on data access: Section III of the EU standard contract stipulates that once the data receiver receives a data access request from the government of a non-EU country and has reason to question the legitimacy of the request, it must immediately inform the data sender.

Compared with the EU's strict access restrictions, China's standard contract generally stipulates that personal information processors should make reasonable efforts to ensure that overseas recipients take effective technical and management measures. As specific technical and management measures, China's standard contract lists encryption, anonymization, de-identification, access control and other measures, and requires that "these measures maintain an appropriate level of security". As for access by government agencies of the country where the overseas recipient is located, China's standard contract only requires that this be considered in the assessment and imposes no strict restrictions.

5. Responsibility allocation method

As mentioned above, the GDPR divides subjects into data controllers and data processors of personal data. Depending on the relationship between the data controller and the data processor, different modules of the standard contract apply, which means that the degree of control over the data receiver during data transmission differs. Therefore, under the different modules of the EU standard contract, the responsibilities and obligations of the two parties to the contract are different.

In contrast, China's standard contract does not distinguish data processing roles and refers to all of them collectively as personal information processors. Therefore the obligations of personal information processors and overseas recipients are the same, differing only in the entrusted processing scenario.