Top 3 data-related risks for H2

Our China team is increasingly fielding questions and being asked to advise on substantive projects by organisations headquartered in the US and elsewhere on the enhanced risks that have arisen from recent changes to the PRC data security regime and the uptick in investigations and enforcement by the authorities against foreign enterprises. The Reuters article below is typical of recent commentary and reflects concerns common across the local business community in Shanghai.

If you have operations with connections to the Chinese mainland, the summary here discusses some of the key issues and actions on which our local team are advising multinationals. Some you may be aware of, some not. To the extent that it would be helpful to discuss any on a call, we are here!

  • Increased data security risks: From 1 July, the illegal collection or provision of any “documents, data, materials or items related to national security and interests” by a non-PRC person, or by a PRC person in collusion with, or as instigated or funded by, a non-PRC person, will amount to “espionage” in China. While the relevant amendments to PRC law are found in the revised Anti-Espionage Law, this broad definition gives significant discretion to the Chinese national security authorities to determine what information is in scope of their scrutiny and potentially strict enforcement.

The revised law also expands the investigative powers of these authorities. The investigations undertaken in the last few months against western-funded consultants and other businesses in China have drawn senior attention among foreign governments, trade associations and corporates – heightened risk is perceived in market research activities, in information sharing when collaborating with Chinese enterprises, and in data storage, processing and transmission activities when doing business in China.

Recommended actions: Multinationals should exercise renewed caution in vendor and other counterparty engagement by undertaking background checks and other due diligence and implementing robust contractual protections. Consideration should also be given to updating data classification matrices and compliance policies to address the expansion of sensitive data types, as well as organising staff training on data handling issues to minimise risks.

  • Challenging PRC data exports: China’s data export regime has been fully implemented as from 1 June, but multinationals are struggling with compliance. In particular, the new “China SCCs” cannot easily be added to an existing data transfer agreement (or the corresponding terms in other agreements) entered into on a multiparty basis with international vendors, customers or an MNC’s own intragroup data transfer agreement. Furthermore, non-PRC ops and compliance teams have expressed concerns in respect of the granularity of detail that must be filed in self-assessment reports with the Chinese authorities to legitimise data transfers under these standard contracts, or under the alternative – but even more burdensome and potentially intrusive – regulator-led security assessment regime for cross-border data transfers (CBDTs). Disclosures on technical security capabilities (including details on vendors, overseas server locations and IP addresses) are largely unique to China (e.g., compared to the EU’s GDPR regime).

Recommended actions: Aligning your compliance approach for China’s cross-border transfer requirements with those of multiple other markets requires time and resources to conduct comprehensive analysis, then to prepare and implement the flow-down of documents – internally and externally. Cross-functional teams in different geographies should be engaged now – if not already – on compliance projects that many first-mover multinationals are still running almost 12 months on.

  • Scrutiny of global IT deployment: Many multinationals are (re-)assessing their IT systems and their use by China operations and personnel, given continued geopolitical tensions and more general cybersecurity threats perceived in China. Following the cybersecurity review of Micron and the seizure of devices and detention of staff in recent national security investigations against other foreign-headquartered groups, IT security teams are concerned that non-segregation of China IT systems from global systems (to allow use of shared network applications) leaves global data vulnerable to infiltration.

Recommended actions: Organisations that we are working with are assessing the applicability of these regulator-led cybersecurity reviews to their everyday business and seeking to better understand Chinese laws on data sovereignty and investigative powers (in some cases as part of GDPR-related transfer impact assessments pursuant to the requirements set by Schrems II).