Managing the unique challenges of handling corporate data in China
Multinational companies doing business in the People's Republic of China ('PRC') face unique challenges in handling data, particularly when they are faced with cross-border litigation, investigations, audits or risk assessments.
In this article, we consider the complex issues regarding personal information protection and state secrets in China, as well as some tips for multinationals in dealing with data in China.
1 The moving goal posts of personal information protection in China
In August 2014, a Shanghai court convicted a British corporate investigator Peter Humphrey, and his wife, of selling private records of Chinese citizens to clients, including British pharmaceuticals giant GlaxoSmithKline PLC. Mr Humphrey was sentenced to two and a half years in jail and fined RMB 200,000 (US$ 32,200). This case was watched closely by the foreign business community for its impact on how companies collect, store and treat personal information of Chinese citizens.1
Stricter regulations and increasing attention to the protection of personal data in the PRC require corporations and legal counsel to understand the PRC laws surrounding the handling of data, especially the transfer of data across Chinese borders.
The PRC does not have overarching legislation covering the protection of personal information. Instead, there are diverse provisions that seek to protect specific types of personal information, stipulated under the PRC Constitution, Civil Law, Criminal Law and Tort Liability Law, among many others.
From the growing mire of laws, regulations, opinions, measures and decisions, which address on a sector-by-sector basis, the protection of personal information, we highlight two developments that affect multinationals doing business in the PRC.
What's in a decision?
In December 2012, the National People's Congress Standing Committee promulgated The Decision on Strengthening Information Protection on the Internet《关于加强网络信息保护的决定》 (the 'Decision').
The Decision prohibits any entity or individual from stealing, selling, illegally collecting or providing electronic information that identifies an individual and involves individual privacy. The Decision is a legislative document that has equal standing with national laws, and violations are subject to civil, administrative or even criminal liabilities.2
A step in the right direction?
Also in November 2012, the General Administration of Quality Supervision, Inspection and Quarantine ('AQSIQ') promulgated the Information Security Technology – Guidelines on Personal Information Protection within Information Systems for Public and Commercial Services«信息安全技术公共及商用服 务信息系统个人信息保护指南» (the 'Guideline'). The Guideline sets out roles and responsibilities, general principles and technical requirements for the collection, processing, transmission and deletion of personal information through information systems, as summarised in Figure 1 below.
Figure 1: Overview of the Guideline
The Guideline divides personal information into 'personal sensitive information' and 'personal general information'. Personal sensitive information is defined as information that would have an adverse impact on the subject if disclosed or altered, and may include identity card numbers, race, political viewpoint, religion, or biometric information. Personal general information is defined as all other personal information.3
According to the Guideline, if the personal information is sensitive, express consent must be provided by the subject of that information prior to collection. If the personal information is general, tacit consent is assumed unless expressly objected to.4 However, whether the personal information is sensitive or general, the Guideline prohibits transfer of any personal information to an overseas entity or individual without the express consent of the subject, the permission of a competent authority, or other explicit permission by laws or regulation.5
The Guideline serves as a guiding technical, but not legislative, document. However, it may be converted into a national standard and carry legal force in the future.6
2 The great mystery of China secrets
In the well-known 2008 Rio Tinto case, a Chinese court determined that Rio Tinto executive Stern Hu and his colleagues improperly obtained commercially sensitive information about the Chinese iron and steel industry, even though it was believed that sources provided the information voluntarily and without solicitation. For the charge of stealing commercial secrets, Mr Hu was sentenced to a five year jail term and fined RMB 500,000 (US$ 80,600).7 This case suggests that the Chinese courts may infer impropriety in situations where foreign companies accept information passively from Chinese companies, especially if the foreign companies are in a position to exert influence or give favors.8
In another case, a Chinese-born American geologist, Xue Feng, was sentenced to eight years in jail and fined RMB 200,000 (US$ 32,200) for negotiating the sale of a Chinese oil industry database to his US employer IHS Energy, an energy consulting company. The National State Secret Bureau did not classify the information as a state secret until after it had been sold to IHS.9
State secrets uncovered
The PRC Law on Guarding State Secrets«中华人民共和国保守国家秘密法» (the 'Law') was first introduced in May 1989, and was most recently amended in October 2010. The Law defines 'state secrets' as matters that are related to the nation's security and interests, and only authorised to a limited group of individuals for a limited period of time.10 Below, we highlight articles 9 and 48 of the Law, which set out the categories of state secrets and what constitutes a violation under this Law.
Figure 2: State secrets highlights
Anyone who steals, purchases or illegally provides state secrets or intelligence to an organization, 6 institution, or individual outside the country is in violation of the Law and can be punished. Depending on the seriousness of the case, the penalty can be death, imprisonment, criminal detention, or confiscation of property.11
The Law is quite broad and ambiguous. For example, the seventh category gives Chinese authorities the discretion to define what constitutes a state secret. It may be difficult to know what information in an organisation can be defined as a PRC state secret. Data should not be transferred in any form out of the PRC without considering whether any of it might be a state secret.
The Law has not been applied to the Special Administrative Regions of Hong Kong and Macau. Theoretically, data in Hong Kong and Macau should not be subject to the same restrictions that exist under the Law.
Trade or commercial secrets
In March 2010, the State-owned Assets Supervision and Administration Commission of the State Council issued the Interim Provisions on the Protection of Trade Secrets of Central Enterprises«中央企业商业秘 密保护暂行规定». These provisions define 'trade (or commercial) secrets' as business operational and technical information which are unknown to the public, that can bring economic benefits to a central enterprise and for which the central enterprise has taken confidentiality measures. Furthermore, where trade secrets fall within the category of state secrets, they are protected as state secrets pursuant to law.12
Cross-border data transfers
Since 2010, many corporations have chosen to reduce the risks of cross-border transfers by retaining data within PRC borders. For example, over the past few years, the Chinese units of the Big Four accounting firms have refused to provide audit work papers to the U.S. Securities and Exchange Commission for fear of violating the Law.13
It is not clear whether Hong Kong can be considered as part of PRC when dealing with cross-border data transfers. Lawyers have varying views: some view Hong Kong as part of PRC and that transferring data from mainland China to Hong Kong is not a violation of the Law; while others treat Hong Kong as a foreign country and advise against exporting data to Hong Kong, where many Western law firms and discovery vendors have offices.14
3 What does this mean for multinational companies in China?
What should multinational companies do when faced with litigation or an investigation that involves the handling of data in China?
In the past few years, the demand for electronic discovery services has grown in the PRC. Today, data analysis and document review platforms are available in the PRC that allow for documents to be reviewed and cleared of any personal data or secrecy concerns before they are transferred outside of the PRC.
Multinational companies should ensure that they engage reputable electronic discovery or forensic experts that know how to minimize the risk of violating PRC laws that relate to personal data protection and state secrets.
Companies should ask the following when considering an electronic discovery or forensic expert:
- Is the vendor in-country or does it have in-country capabilities?
- Does the vendor conduct its work in a forensic manner and comply with industry best-practice guidelines?
- Does the vendor consult with PRC law firms to determine appropriate procedures for data collection, review and export?
- Does the vendor have secure data storage facilities?
And always remember:
- Do not take data (electronic or paper) out of the PRC without going through a risk assessment of whether it might include any personal information, PRC state secrets or trade secrets.
- Consult PRC legal counsel in the matters of personal data protection and state secret laws to obtain up-to-date legal advice and information on regulatory developments in the PRC.
- Consider where compliance and audit records should be maintained, especially for global organisations.
- When collecting electronic data from an entity in the PRC, consider whether express consent should be obtained from individual custodians if the data might include personal information.
- When exchanging information with Chinese counterparties, obtain explicit assurances to confirm that no information provided constitutes PRC state secrets or trade secrets. If it is unclear, consult with the appropriate compliance or legal departments before accepting such information
1 China sentences GSK-linked investigators to
prison by Brenda Goh and Engen Tham, Reuters on 8 August 2014. (
2 New Developments in Legislation on Personal Electronic Information Protection by Jun He Law Offices. ( http://www.junhe.com/images/ourpublications_en_img/featured_report/6-New_Developments_in_Legislation_on_Personal_ Electronic_Information_Protection20130412.pdf)
3 Translated from paragraph 3.7 and 3.8 of the Guideline.
4Translated from paragraph 5.2.3 of the Guideline.
5 Translated from paragraph 5.4.5 of the Guideline.
6 New Developments in Legislation on Personal Electronic Information Protection by Jun He Law Offices. ( http://www.junhe.com/images/ourpublications_en_img/featured_report/6-New_Developments_in_Legislation_on_Personal_ Electronic_Information_Protection20130412.pdf)
7 Questions remain after Rio Tinto executive Stern Hu sentenced, says Stephen Smith, Michael Sainsbury, The Australian, 29 March 2010 ( http://www.theaustralian.com.au/archive/politics/questions-remain-after-rio-tinto-executive-stern-hu-sentencedsays-stephen-smith/story-e6frgczf-1225847140925)
8 Understanding China's State Secrets Laws by Mitchell A. Silk and Jillian S. Ashley, China Business Review, 1 January 2011 ( http://www.chinabusinessreview.com/understanding-chinas-state-secrets-laws/)
9 Geologist's Sentence Is Questioned, by Michael Wines, The New York Times, 5 July 2010. (http://www.nytimes.com/2010/07/06/world/asia/06china.html)
10Translated from Article 2 of the PRC Law on Guarding State Secrets.
11 Translated from Articles 2, 3 and 4 of Interpretations of the Supreme People's Court on Several Issues Concerning Application of Law for Trial of Cases of Stealing, Spying, Buying or Unlawfully Supplying State Secrets or Intelligence for Entities outside the Territory of China.
12 Articles 2 and 3 in Notice of the State-owned Assets Supervision and Administration Commission of the State Council on Issuing the Interim Provisions on the Protection of Trade Secrets of Central Enterprises (http://en.pkulaw.cn/display.aspx?cgid=129404&lib=law)
13 The Impact of Chinese State Secrecy Laws' on Foreign-Listed Companies by Liza Mark, Bloomberg BNA Securities Regulation & Law Report, 46 SRLR 2172, 12 November 2014. (http://www.haynesboone.com/news-and-events/news/ publications/2014/11/12/impact-of-chinese-state-secrecy-laws-on-foreign-listed-companies)
14 Traps for the Unwary in Disputes Involving China, by Michael W. Vella and Jerry C. Ling, Jones Day Publications, August 2012. (http://www.jonesday.com/traps_for_unwary/)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.