What compliance obligations to meet to transfer data from within China?
By Henry Chen | 2018/11/28 23:07:36


When transferring data out of China, many MNCs have become mindful of their obligations under China's Cyber Security Law. However, not all of them realize that they also have other compulsory obligations, such as those under state secrets law, competition law, the law on protecting commercial secrets, and criminal law in relation to personal identifiable information ("PII").


Under some circumstances, even if an MNC headquarters receives data passively (e.g., from a whistleblower), the MNC still needs a mechanism to manage the risks concerned, because the MNC headquarters could be implicated through the extra-territorial effects of the laws.


Certainly, an MNC shall strike a balance between doing business and staying in compliance with Chinese laws. Some companies are over-concerned with their compliance obligations. For example, some companies are advised that they must obtain the consent of the person who is the subject of a whistleblowing report before that person's PII is transferred outside China. This advice is ridiculously impractical. The adviser obviously did not distinguish whistleblowing from the commercial or illegitimate use of PII. In addition, whistleblowing is privileged, and so should be the transfer of PII that is related to whistleblowing or investigation.


In this article we set out which compliance obligations must be met when data are transferred from within China, what the possible risks are, and what control measures should be taken to manage those risks well.




1.       What data could cause compliance concerns if inappropriately handled/transferred?


For transboundary data transfer, we should be concerned with personal identifiable information ("PII") under the Cyber Security Law, but we should be also concerned with the transfer of the data other than PII. 


There are five kinds of data that could cause compliance concerns if inappropriately transferred. They are PII, state secrets, commercial secrets, competitive intelligence, and important data (collectively referred to as "Critical Information"). Please see the following table:


| What Data | Criminal liability | Administrative liability | Civil liability |
|---|---|---|---|
| PII | Both the businesses and their personnel could be subject to the crime of infringing upon PI. The maximum sentence is seven years in prison. | A fine of RMB 500,000; revocation of business license | Compensation for damage |
| State secrets | Both the businesses and their personnel could be subject to various crimes of infringing upon state secrets. The maximum sentence for non-intentional crimes is seven years in prison; the maximum sentence for intentional espionage could be death penalty | Businesses could be punished administratively. | |
| Commercial secrets | Both the businesses and their personnel could be punished for infringing upon commercial secrets. The maximum sentence is seven years in prison | A maximum fine of three million yuan | Civil compensation of up to three million yuan |
| Competitive intelligence | | A fine from 1-10% of last annual sales | |
| Important data | | A fine of 500,000 yuan; revocation of business license | |


1.1         Personal identifiable information


1.  What are the primary applicable laws?

--Cyber Security Law ("CSL")

--Measures on the Security Assessment of Cross-border Transfer of Personal Information and Important Data (the Draft Measures) ("MSA")

--Criminal law


2.  What is PII?

PII refers to all kinds of information recorded by electronic or other means that can identify the personal identity of a natural person individually or combined with other information.  It includes but is not limited to a person's name, date of birth, identification number, personal biometrics information, address, telephone number, etc.


Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens' Personal Information ("PII Judicial Interpretation") also provides a similar definition.


3.  Is there any justification for the transboundary transfer of PII?  If so, what is the justification?

(1) Consent is the justification for the transboundary transfer of PII

The CSL does not stipulate the pre-condition for transboundary transfer of PII. However, because transboundary transfer of PII is one of the ways to use PI, Article 41 of the CSL in relation to "consent" for use of PI is applicable to the transfer of PII. Article 41 provides that "to collect and use personal information, network operators shall follow the principles of legality, rightfulness and necessity, disclose the rules for collection and use, explicitly indicate the purposes, means and scope of collecting and using information, and obtain the consent of the persons whose information is collected."


The Consumer Protection Law has similar provisions.


(2) Security assessment would be required if an MNC is a CII operator

If MNC China is a critical information infrastructure ("CII") operator, it may not transfer PI data outside China unless a security assessment is conducted. The CSL regards CII operators as those in "important industries and fields such as public communications and information services, energy, transport, water conservancy, finance, public services and e-governmental affairs and critical information infrastructure that will result in serious damage to state security, the national economy and the people's livelihood and public interest if it is destroyed, loses functions or encounters data leakage." The State Council is making implementation rules of the CSL to specify what CII is, after which we may know whether MNC China could be a CII operator and whether a security assessment is necessary for transboundary flow.


  1.2         State secrets


1.  What are the primary applicable laws?

--Law of the People's Republic of China on Guarding State Secrets ("State Secrets Law")

--Criminal Law


2.  What are state secrets?

There is no clear definition of "state secret". State secrets have the following features:

(1)   Secret matters in major decisions on state affairs;

(2)   Secrets in national defense construction and activities of the armed forces;

(3)   Secret affairs in diplomatic and foreign affairs activities and secret affairs under the obligation of confidentiality;

(4)   Secrets in national economic and social development;

(5)   Secrets in science and technology;

(6)   Secret matters in activities to safeguard national security and to investigate criminal offences;

(7)   Other confidential matters determined by the state administration of confidentiality (Article 9 of the State Secrets Law).


In practice, "state secret" has the following characteristics:

(1) Vital importance to the national security and interests

(2) Determined by relevant authority under statutory procedures

(3) Known by a limited scope of persons during a period of time


Because the definition of state secret is not clear in law or in practice, a large amount of information of uncertain status could fall within the scope of "state secret". This means that companies face uncertainty when trading with, or requesting information from, state-owned enterprises or public organs. The ambiguity of the elements of a state secret restricts case analysis, makes outcomes hard to predict, and makes risk management difficult. Take the auto industry for example: data collected by sensors such as GPS, GNSS, Lidar, Radar, Camera and so on could be deemed state secrets.


3.  Case study 1: The case of Zhang Changsheng and Ye Jifeng (1986)

This case reveals that the determination of “state secret” could be arbitrary in practice. 


Around 1986, Zhang and Ye provided some data to some non-Chinese companies (including some Hong Kong companies) in relation to the import of automobiles during the period from 1984 to 1985.  The Intermediate People’s Court in Beijing identified the information as state secrets without any legal analysis.  The defendants appealed to the High People’s Court but the court upheld the verdict.


4.  Is there any justification for transboundary flow of state secret?  If so, what is the justification?

There is no legal justification for transboundary transfer of state secrets. Instead, the State Secrets Law requires that state secrets be safeguarded carefully and closely. As such, state secrets are information that should be screened out of any transboundary transfer.


1.3         Commercial secrets


1.  What are the primary applicable laws?

-- Anti-Unfair Competition Law of the People's Republic of China (2017 Revision) ("AUCL")

--Criminal Law.


2.  What are commercial secrets?

Commercial secrets refer to the technical information and business information that are not known to the public, of commercial value, and which are subject to the relevant confidentiality measures adopted by the right holder.


3.  Is there any legal justification for transboundary flow of commercial secrets?  If so, what is the justification?

Disposal of (including transboundary transfer of) commercial secrets depends largely on whether the disposal is legitimately authorized or justified. In the case of whistleblowing, if any commercial secret is disclosed, the disclosure may not be authorized or justified. Therefore, it is quite necessary to screen out commercial secrets for transboundary transfer.


1.4         Competitive intelligence


1.  What are the primary applicable laws?

Anti-Monopoly Law of the People's Republic of China ("AML")


2.  What is competitive intelligence?

Competitive intelligence is not a legal term; it is a term of art for this memo. Competitive intelligence refers to information relating to the operating environment and competitors that is used to gain or maintain competitive advantage, including pricing, quantity, etc. Exchange of competitive intelligence could result in a violation of the AML (e.g., price fixing or a price cartel).


3.  Is there any legal justification for transboundary flow of competitive intelligence?  If so, what is the justification?

The sharing of competitive intelligence (such as pricing, quantity and other information with competitors) may be regarded as the conclusion and enforcement of horizontal monopoly agreements.  There is hardly any justification for the sharing of competitive intelligence.  Any transboundary transfer of competitive intelligence (even if linked to whistleblowing hints), if not handled carefully, could be viewed as the forming of horizontal monopoly agreements.  Therefore, competitive intelligence should be screened out for transboundary data transfer.


4.  Case study 2: Liuzhou rice powder stores on monopoly-agreements.

The case is not about transboundary transfer of data. However, it nonetheless reveals that the sharing of competitive intelligence could, under some extreme circumstances, cause criminal liability in China.


There were 16 rice powder factories in Liuzhou City in 2010.  In January 2010, 15 of the 16 Liuzhou factories entered into a collusion agreement with Xian Yi Ge Food Factory (Xian Yi Ge) to raise the price of rice powder, and Xian Yi Ge adopted carrot-and-stick measures to make sure the agreement would be executed.  As a result of the agreement, the colluding rice powder factories issued notice of a 25 percent-plus price increase to downstream business operators, including rice powder wholesalers, retailers, rice powder food peddlers and stores.  The subsequent dramatic food cost increase caused a significant outcry in Liuzhou. 


The Liuzhou government responded quickly by forming a joint investigation team.  Within three days, the Liuzhou City government ordered all of the colluding rice powder factories to unconditionally rescind their price increase.  Within a week 12 people were arrested, including Xian Yi Ge’s legal representative.  By mid-February five individuals were criminally detained on the suspicion of committing the crime of forcing other person(s) to transact with their companies.  Simultaneously, the Pricing Bureau of Liuzhou City issued the first round of administrative punishment decisions, by which two Liuzhou rice powder factories were fined RMB 300,000 (US$44,118) each.  Although news reports did not mention by which law the Pricing Bureau issued the penalizing decisions, the applicable statute could have been either the Price Law or the AML.  Given that Article 14.1 of the Price Law is similar to Article 13.1 of the AML, either statute could be applied in this or future similar cases.  And to the extent that the penalized activity involved predatory pricing and tie-ins, provisions of the AUCL could also apply.


5.  Case study 3: Japanese automobile parts manufacturers sharing competitive intelligence

This case is about transboundary transfer or sharing of competitive intelligence among Japanese businesses, which formed a price cartel and were thus punished by the Chinese government.


From 2000 to 2010, Sumitomo and eight other parts companies held frequent talks in Japan. In the meetings, they negotiated prices with each other, reached many agreements and implemented them. The products involved in the Chinese market include starters and generators. The NDRC imposed a fine of 830 million yuan on the participating Japanese companies in 2014. Four other Japanese bearing enterprises took advantage of an Asian seminar and an export market conference to discuss the policy, timing and range of bearing price increases and to exchange information on them. The NDRC imposed a fine of 400 million yuan on the violators.


1.5         Important data


1.  What are applicable laws?

--CSL

--MSA


2.  What is important data?

Important data refers to data closely related to national security, economic development and social and public interests.  This includes data on nuclear facilities, chemical biology, defense industry, population health and other fields, as well as large-scale engineering activities, marine environment and sensitive geographic information data (Article 37 of CSL).


3.  Is there any legal justification for transboundary flow of important data?  If so, what is the justification?

Important data collected by CII operators, like personal information, cannot be exported without security assessment.  Therefore, important data shall be screened out for transboundary transfer unless the security assessment suggests otherwise.


  2.     Would an MNC (and/or its personnel) be punishable if data are mishandled (including directly transferred to MNC headquarters from whistleblowers)?


The answer is yes, even if MNC headquarters receives the data passively from whistleblowers within China, because the laws (e.g., Criminal Law, AML) related to the Critical Information (except for important data) have extra-territorial effects.


The CSL does not have extraterritorial effect, but that does not mean the transboundary transfer of PI needs less careful screening. As mentioned above, one of the primary laws on PI is the Criminal Law.


As such, we suggest that even if MNC headquarters passively receives whistleblowing hints as well as other data from within China, there should be a process established to do the screening job or manage risks otherwise.


Case study 4: Rio Tinto on state/commercial secrets

This case indicates that the Criminal Law has very strong extraterritorial effect. Non-Chinese nationals could be punished under the Criminal Law. Similarly, case study 3 indicates that the AML has extra-territorial effects as well.


The Rio Tinto espionage case began with the arrest on 5 July 2009, of four staff in the Shanghai office of the Rio Tinto Group, in the People's Republic of China, who were subsequently accused of bribery and espionage.  Two days later, an important executive of the Shougang Group and Laigang Group was also arrested.  The Rio Tinto employees, Australian Stern Hu and three Chinese colleagues, Wang Yong, Ge Minqiang and Liu Caikui, went on trial in Shanghai on Monday, 22 March 2010.


The investigation revealed that computers from Rio Tinto's Shanghai office, which were taken away by the authorities, contained confidential information about dozens of steel companies that had signed long-term contracts with Rio Tinto. The data included detailed purchasing plans, raw material inventories, production arrangements and other data, including monthly steel production and sales of large steel enterprises.


On March 29, 2010, the second instance court found those Rio Tinto staff members guilty of bribery and stealing commercial secrets.


 

Following the trial, Stern Hu was sentenced to 10 years in jail. Hu and the other convicted executives also had their employment terminated by Rio Tinto.


3.       Could MNC headquarters (and its personnel) be implicated if MNC China transfers its data to MNC headquarters?


The answer is yes. MNC headquarters could be implicated if MNC China mishandles its data in China and MNC headquarters is involved in the mishandling. Inappropriate transfer is just one kind of mishandling. There are other kinds, as the case below indicates.


The key issue, again, is whether there is any risk management mechanism no matter who transfers the Critical Information to MNC headquarters: whistleblowers or MNC China. 


If an inappropriate transfer (if any) is an active and voluntary action of MNC China, the transfer would be seemingly more culpable.  In other words, MNC China will have to take initiative to do the screening job for transboundary flow of data.  In addition, a robust risk management mechanism shall be established as well.  


Case study 5: Roadway D&B punished for buying PII

This case clearly indicates that a headquarters (here a regional headquarters located in Hong Kong) could be implicated in the wrongdoing of its joint venture in mainland China.


Shanghai's prosecutor charged Shanghai Roadway D&B Marketing Services Co., Ltd. with illegally obtaining private information on Chinese citizens.   The Chinese press reported that the private information included personal data (income, job titles and addresses) of 150 million Chinese citizens.


The Shanghai Zhabei District Court found Roadway guilty of illegally purchasing personal information of Chinese citizens and it fined Roadway around USD $160,500.


Because this crime was allegedly committed by an entity and not an individual, Chinese law imposes responsibility for the entity's crime on "the responsible persons who are directly in charge" and on "the other persons who are directly responsible".


Four Roadway employees allegedly involved with the buying of information were convicted and they were sentenced to up to two years in jail.


Here's the kicker: two of the four eventually convicted Roadway employees heard about a Beijing criminal case involving the purchasing of private information. They mentioned that case to the two other Roadway employees, and they also consulted Roadway's lawyer about whether those purchases were legal or not. The lawyer did not tell them "yes or no" regarding legality. He instead proposed that Roadway change the title of its purchase contracts from "Contract for Purchasing Information and Data" to "Contract on the Advice and Consultation for Commercial Data", as though that would in some way help. In light of the lawyer's advice, Roadway continued purchasing the private data, and that decision became "perfect incriminating evidence to prove that Roadway and the other four accused individuals intentionally committed the crime of breaching privacy."


The director of data operations for the greater China region of the Roadway D&B's Hong Kong office was sentenced for his supervisory duties.


Under Chinese law, punishing a company does not exempt the company's leaders and the employees directly involved from punishment. Even the leaders of higher-level companies may be held jointly liable for failing to perform their supervisory duties well.


More importantly, a company itself can commit a crime under Chinese criminal law. Thus, illegal processing of PII and other critical information in China could cause criminal liability for the entity in China as well as its overseas institutions. In such cases, the directors of the company, regardless of their nationality, could be found guilty and may even face criminal penalties, such as being sentenced to jail.


4.        Can MNC China provide its internal investigations to MNC headquarters even if the Critical Information is involved?


Internal investigations can be transferred to MNC headquarters if no Critical Information is involved. However, internal investigations can be transferred to MNC headquarters even if PII is involved.


4.1   How can PII, if related with investigation, be transferred outside China?

The law is not clear, but in practice PII can be transferred outside China, judging from the spirit of the law and from a practical point of view.


First, whistleblowing is privileged as a matter of law.  A lot of Chinese laws and regulations stipulate that whistleblowing is not only a right but also an obligation.


Supervision Law of the People's Republic of China stipulates that the authorities should accept the whistleblowing hints and conduct investigations (Article 35).  There are similar provisions under the Criminal Procedural Law (Article 46).  PII is an indispensable part of whistleblowing; PII can be transferred if it is part of whistleblowing.


Second, corporate whistleblowing is privileged from the spirit of law. Corporate whistleblowing is helpful to detect non-compliances or violations of law.  With the whistleblowing tips and the follow-up internal investigations, the concerned company would then be able to decide if there is any non-compliance or even crime, and if the company would report the crime to the police.  From the spirit of law, corporate whistleblowing should be privileged; PII if related to corporate investigations should be transferrable.


Last but not least, PII that is transferred for internal investigation is distinguishable from PII for commercial or illegitimate usage.


Using PII for whistleblowing is for the detection of non-compliances or even crimes, which is totally distinguishable from using PII for commercial purposes without consent or some other illegitimate purposes.  There are lots of distinguishing factors.  For example, unlike the latter, PII that is provided for whistleblowing or investigation is limited in number of items.


4.2   Could other Critical Information be transferred outside China?

The answer is no.  Unlike PII, other Critical Information is not indispensable for whistleblowing or investigation.


5.        Any information for and on investigations must be legitimately obtained and handled?


Any information for and on investigations must be legitimately obtained. Otherwise, administrative or even criminal liabilities could be incurred (as case study 6 indicates).


In addition, the Critical Information must be carefully handled to minimize any possible risk exposure. For example, PII could be aliased or anonymized so that those who do not need to know cannot know. In addition, an MNC shall consider establishing a mechanism to manage the risks well no matter which entity (MNC headquarters or MNC China) is the first receiver of the Critical Information.


The risk management mechanism includes modular controls on data screening, and also addresses some other risk aspects.


To have a better chance to withstand any challenge from the government or any other stakeholder on data screening or handling, we propose that outside counsel be hired to provide independent professional judgments.


Case study 6: Peter Humphrey criminally punished for illegitimately obtaining PI

Between April 2009 and July 2013, Peter Humphrey and his wife used companies registered in Shanghai to conduct "background checks" on companies and individuals, entrusted by clients both at home and abroad. 


At prices ranging from 800 yuan to 2,000 yuan per piece, the two purchased 256 pieces of information, including household registration, immigration records and telephone records. They then sold the information to clients after producing the survey reports.


In April 2013, general manager Mark Reilly, the director of the legal department and other executives of GSK China took the initiative to contact Peter Humphrey and entrusted him to illegally investigate the so-called "whistleblowers" who were involved in reporting bribery problems relating to GSK China.


6.       Conclusions and suggestions


When transferring data out of China, MNCs shall be mindful of their obligations to comply with China's Cyber Security Law. However, MNCs shall also be aware that they have other compulsory obligations, such as those under state secrets law, competition law, the law on protecting commercial secrets, and criminal law in relation to personal identifiable information.


Under some circumstances, even if an MNC headquarters receives data passively (e.g., from a whistleblower), the MNC still needs a mechanism to manage the risks concerned, because the MNC headquarters could be implicated through the extra-territorial effects of the laws.


Transboundary transfer of personal information related to whistleblowing or investigations is totally distinguishable from the commercial or illegitimate use of personal information. Whistleblowing is privileged, and so is the transfer of personal information that is related to whistleblowing or investigation.


Personal information and other critical data must be legitimately obtained and carefully handled to minimize any possible risk exposure. For example, personal information could be aliased or anonymized so that those who do not need to know cannot know.


MNCs shall consider establishing a mechanism to manage the risks well no matter which entity (MNC headquarters or MNC China) is the first receiver of critical data. The risk management mechanism includes modular controls on data screening, and also addresses some other risk aspects.


To have a better chance to withstand any challenge from the government or any other stakeholder on data screening or handling, we propose that outside counsel be hired to provide independent professional judgments.


*Henry Chen, former AP Compliance Director of Ford, is licensed to practice law in China and New York State of the USA. Henry provided policy analysis and legal services to one of the world's largest Internet search engine service providers on its autonomous driving projects. Henry also provided legal and compliance services to the largest automotive manufacturers in the world. Henry's practice areas include risk management of compliance risks on monopoly, bribery, data privacy and security; PR and crisis management on governmental investigations; setting up compliance management systems; and conducting internal investigations on corporate frauds. Henry is a member of the Chinese delegation on ISO TC309 of the Organization of Governance regarding ISO19600 Compliance Management System, ISO37001 Anti-Bribery Management System and other international standards. Henry is the author of the book Risk Management on Commercial Bribery in China.

Henry is accessible via henry.chen@dentons.cn



    
The Compliance Reviews COPYRIGHT © 2013-19 All Rights Reserved. Supported by International Risk and Compliance Association and International Risk and Compliance Institute Limited.