The regulatory landscape in China around data protection and flows continues to develop. Since the 2017 Cybersecurity Law, China has been refining the legal and regulatory framework for data protection—it has implemented new laws and regulations that set comprehensive rules for data processing activities across all industries in China and cover the rules regarding cross-border data transfers and data localization, which are essential for critical information infrastructure operators[1] and other data processors.

Multinationals are expected to deal with more stringent data regulation requirements and procedures in  M&A transactions where cross-border corporate structures or cross-border data transfers are involved. In particular, these types of transaction parties, including but not limited to sellers, buyers, and their advisors, should closely review and understand the relevant data protection requirements, and conduct the necessary risk assessments as part of compliance with data privacy laws and regulations in China.

How is M&A Being Impacted?

Businesses are more and more frequently depending on information technologies and data processing. When attempting to meet the challenges of the regulatory requirements involved in acquisitions, companies find that their transaction targets’ products and applications often contain commercial information that is processed and generated from various sources and, to a certain extent, may pertain to China national security concerns.

In the healthcare sector, for instance, healthcare applications often manage highly sensitive financial and health-related data. The same is true of the automotive sector where car sharing can be a source of highly sensitive information, such as traffic violations, payment behavior models, or movement profiles. There are similar instances across many other important industries, such as energy, transportation, water and utility services, public communications, finance, government affairs and defense technologies, etc., where general information is processed through mass data collection and turned into a valuable source of knowledge.

Innovation can create value but, without proper compliance and effective data protection mechanisms and procedures, may become a significant risk factor for different stages of M&A transactions, including due diligence, deal structuring, completion hand-over, and post-completion operation. Investors should plan, deploy, and implement protection measures and establish a security management scheme to retain, disseminate, process, and/or analyze the commercial information that is retrieved in the course of a transaction. For instance, we have seen more arrangements where the investors prefer localizing the due diligence exercise (e.g., local team, server and data storage, etc.) to minimize cross-border data transfer risks at a preliminary stage of the deal. Investors may also consider alternative deal structures instead of equity investment, in order to safeguard buyers’ interests against historical liabilities, and formulate a suitable data compliance strategy for the target business. If any commercial data that originates in China is required to be transferred, processed, or analyzed outside of China, investors need to consider, for instance, adding data protection warranties to their purchase agreement and/or reviewing disclosures to ensure all the information set forth therein aligns with the relevant data protection requirements and will not lead to potential problems in post-completion operation.

Potential Regional Compliance Issues

We have also seen a trend that China will be more involved in participating regional, multilateral, and cross-border data transfer systems, particularly in the APEC region. If China were to participate, investors are encouraged to take into account the enforceable privacy code of conduct developed for businesses by the regional economies when carrying out the proposed business investments/M&A transactions in China.  These include the APEC Cross-Border Privacy Rules (“CBPR”)[2] and the Privacy Recognition for Processors (“PRP”)[3], pursuant to which APEC designed the APEC Privacy Framework to provide an accountable approach to managing data privacy protection and the flow of personal information across borders.

Businesses can demonstrate their adherence to the APEC Privacy Framework by certifying their privacy practices to the standards of “data controller” and “data processor” under CBPR and PRP respectively. They will be required to apply to a recognized APEC Accountability Agent, which is a third-party certification body with an APEC economy that has formally joined the CBPR (or PRP) system. The Accountability Agent will evaluate whether the business’s privacy policies and practices comply with CBPR (or PRP) program requirements and will assist the business to come into compliance with them if they do not.

Seyfarth Experience

Seyfarth’s China team proactively advises our multinational clients in connection with their cross-border investments, and businesses and can tap into the team’s valuable knowledge and connections for additional support as required. To find out more about Seyfarth’s experience and how we can support your business in China, please feel free to reach out to our contacts listed on this page.

[1] Pursuant to Article 2 of Critical Information Infrastructure Security Protection Regulations, critical information infrastructure refers to important network infrastructure, information systems, etc., in important industries and sectors, such as public telecommunications and information services, energy, transportation, water, finance, public services, e-government, national defense science, technology, and industry, etc. and where their destruction, loss of functionality, or data leakage may gravely harm national security, the national economy and people’s livelihood, or the public interest.

[2] CBPR is a comprehensive privacy certification that provides organizations with a mechanism for cross-border data transfer and can be used for intra-company transfers, for transfers between unaffiliated companies, as well as for transfer to non CBPR-certified companies anywhere in the world.

[3] PRP is a companion certification to the CBPR designed specifically for data processors that process personal data on behalf of data controllers and focus mostly on data security and the ability to implement the relevant CBPR requirements and other data privacy instructions of controller. Its main purposes are to serve as a due diligence tool for data controllers that are looking for qualified and accountable data processors, as well as assisting small or medium-sized processors that are not widely known in gaining visibility and credibility.

On October 29, 2021, the Cyberspace Administration of China (“CAC“) published the “Draft Measures on Security Assessment of Cross-Border Data Transfer” (“Draft Measures“) for public comment, which outlines the requirements for security assessments on cross-border data transfers. The CAC had released previous draft measures specifying the “Security Assessment” requirements and procedures formulated based on the Cybersecurity Law that had come into effect in 2017. However, the latest Draft Measures further refine the implementation of the “Security Assessment” requirements in line with the recently promulgated Data Security Law and Personal Information Protection Law. Once the latest Draft Measures are approved, they will replace all previous draft measures relating to security assessments of cross-border data transfers.

Security assessment criteria under the Draft Measures

The Draft Measures specify that any of the circumstances below will require a CAC-led security assessment before any cross-border data transfers out of China can occur:

  1. Transfer of personal information and important data collected and generated by operators of critical information infrastructure (important network facilities and information systems which, in case of destruction, may result in serious damages to national security, people’s livelihood and public interests);
  2. Transfer of important data (which, when disclosed, may affect national security, economic security, social stability, or public health, safety, and interest);
  3. Transfer of personal information by a data processor who processes one million or more individuals’ personal information;
  4. Cumulative transfer of personal information of 100,000 or more individuals or sensitive personal information (defined by Personal Information Protection Law) of 10,000 or more individuals; or
  5. Other circumstances to be specified by the CAC.

It is worth noting that even if the criteria outlined above for the Draft Measures are not met, data processors are still required to conduct a self-assessment for any cross-border data transfer. The self-assessment must consider the following factors, including – but not limited to – the legality, legitimacy, and necessity of any such transfer; and risk prevention related to the data privacy rights incorporated in the Personal Information Protection Law. The Draft Measures also specify the application checklist and schedule for CAC-led security assessments. Additionally, CAC-led security assessments results would be valid for two years.

Main observations

The Draft Measures are expected to significantly impact the business operations of multinationals in China, including the global management of data of both customers and employees. We recommend multinationals take the following measures regarding any cross-border data transfer practices in advance of the Draft Measures being approved:

  1. Reviewing and assessing the current practice of cross-border data transfers;
  2. Undertaking consultation with relevant authorities if necessary – and updating – the current policies relating to data and personal information for compliance purposes;
  3. Establishing a standardized anonymization/de-identification mechanism to process personal data and information prior to any cross-border transfers, in order to avoid triggering a CAC-led security assessment, to the extent permitted by law;
  4. Preparing a backup of local (Chinese) data storage facility (either electronic or paper) in case the normal storage facility that is subject to a CAC-led security assessment fails to receive approval for a cross-border transfer; and
  5. Delivering training for employees and advance notices to customers about legal requirements and procedures of cross-border data transfers as a means of risk prevention.

Following the release of the Draft Measures, representatives from many industries in China have expressed concerns relating to the data and personal information security of their customers and employees. The Draft Measures clarify the process for security assessments for cross-border data transfers to both data and personal information providers and processors. This is another step forward in improving and integrating data and personal information related laws and regulations following the promulgation of Cyber Security Law, Data Security Law, and Personal Information Protection Law. Considering China is eager to safeguard its data sovereignty, the final version of the Draft Measures is expected to be released and effective soon.

Additionally, China has indicated interest in participating regional interoperability systems such as the APEC Cross-Border Privacy Rules system. This system is based on an “Accountability Agent” certifying compliance with a set of privacy program requirements. This certification can be used to place a business in “deemed compliance” with any local privacy laws of participating economies. Businesses should keep an eye on how CAC and the related ministries move in engaging with these regional cross-border systems. If China were to participate, there could be added clarity in what the requirements are for legal cross-border transfers in China.

Introduction

On June 10, 2021, China officially passed China’s first Data Security Law, which will take effect on September 1, 2021. Following the introduction of the Data Security Law, together with the Cybersecurity Law, which has been implemented since June 1, 2017, and the Personal Information Protection Law, which is undergoing public comment for its second draft released on April 29, 2021, data compliance is becoming increasingly important and complicated for companies operating business in China or with data originating from China.

Background

Before the enactment of the Cybersecurity Law in 2016, China didn’t have any dedicated national legislation on data security, and the duty of protecting data was mainly left to companies that collect and/or use data to implement voluntary protection schemes. The 2016 Cybersecurity Law encompassed the issue of cyber data management and security, but other types of data remain unregulated. The Data Security Law filled up the gap by addressing all types of data (including both electronic and non-electronic data) and covering the full cycle of data activities.

Scope of governance

Under the 2016 Cybersecurity Law, all the network owners, managers, and service providers (the “Network Operators”) are required to implement measures to safeguard network security and integrity, and ensure contents published on the network are legal and appropriate. Although technically speaking every enterprise providing services or operating business through a computer network would fall within the definition of Network Operator, based on the reported enforcement cases since 2017, website and mobile application operators were the primary targets of the crackdowns.

By contrast, the Data Security Law has a much wider jurisdiction. Firstly, unlike the 2016 Cybersecurity Law, which only governs cyber data, the scope of Data Security Law also covers non-electronic data. Secondly, although both laws imposed long-arm jurisdiction over illegal overseas activities, the sanctions under the 2016 Cybersecurity Law are limited to exportation of personal and core data originated from China, importation of illegal data from overseas, and activities severely undermining China’s core information infrastructure facilities, whereas any overseas data processing activity that jeopardizes China’s national security, public interest, or lawful rights of any person or entities are considered illegal under the Data Security Law. Obviously, the Data Security Law is taking a catch-all approach to provide a very broad grounds for future legal enforcement.

Points to note

Data classification system

From the fact that the term “national security” is mentioned 14 times in a law comprised of only 55 provisions, it is quite clear that enhancement of national security is a very big driver behind the promulgation of the Data Security Law, if not the most important one. Pursuant to the Data Security Law, the Chinese government will for the first time establish a centralized classification system by the level of importance of the data. Data that are pertinent to national security, national economy, social welfare, and important public interests will be regarded as core data, and will be subject to stricter scrutiny. In the near future, the Chinese government will publish national, regional, and departmental catalogues with classification guidance for the ease of reinforcing supervision on core data processing activities.

Data security monitoring system

As required by the Data Security Law, all data processors will be required to establish a data security policy and risk monitoring system. Processors of core data are required to report their data protection practice to the government on periodic basis, and processors of non-core data are required to report to the government in event of security failure. Companies who fail to protect their data and cause large scale data leakage may face a fine of up to RMB2 million and risk suspension or closure of business. If the violation concerns core data in jeopardy of China’s national interests, the fine may be up to RMB10 million.

Data exportation

The exportation of core cyber data will continue to be governed by the 2016 Cybersecurity Law, whereas China will introduce the new regime regarding exportation of other data. One of the most notable implications on such data exportation restriction is its counteracting effect against the Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) promulgated by former US President Donald Trump in 2018. The CLOUD Act enables US law enforcement agencies to demand access to electronic data no matter which country the data is stored in. However, under the 2016 Cybersecurity Law, exportation of personal data and important data stored in core information infrastructure facilities in China are subject to safety review. This measure has been endorsed by the Data Security Law, which further provides that companies who failed to comply with this requirement may be fined up to RMB10 million and risk suspension or closure of business. The Data Security Law also allows countermeasures to be taken in response to any discriminatory measures against China’s data or data development related investment or trade adopted by foreign countries or regions.

Observation

So far, the Data Security Law has only set out a skeleton for the governance of data. The meaning of some important concepts remain unclear. For instance, the concept of “public interests” in the Data Security Law is widely used across various Chinese legislations, but there is neither specific definition for it within the Data Security Law itself, nor has the legislator published any guidance providing clarification. Further, it is unclear which governmental authority should be responsible for enforcement. Based on the latest enforcement case report, a large-scale violation of citizens’ information privacy by certain Chinese local companies operating mobile phone apps was sanctioned by a joint group consisting of The Public Security Bureau,  Cyberspace Administration  Office, and Communication Administration Bureau for “jeopardizing public interests.”  However, it is worth noting that the concept of “public interest” is going to be a bit different in the US than in China. Generally speaking, public interest in the US is limited to activities like public health (think pandemic response) or rule of law (think law enforcement). This is a much narrower concept than in other places in the world. As such, it will be prudent to see what the Chinese officials do with their approach to defining “public interest.”

While waiting for further implementation rules, enterprises with data originated from China should start assessing their exposure to risk of data leaks, unauthorized data exportation, and other violations in this new compliance environment, and seek professional advice.

On April 29, 2021, the national legislator in China released the second draft of the Personal Information Protection Law (“PIPL”) to collect public comments until May 28, 2021. The updated draft substantially follows the framework of the first draft, which marks China’s comprehensive system for the protection of personal information, sets forth general rules for the processing and transferring of personal information across China’s borders, and echoes certain mechanisms under the EU’s General Data Protection Regulation (“GDPR”), including application of extraterritorial jurisdiction, with which China would use long-arm jurisdiction to regulate the concerned entities across borders. This approach reflects China’s position that privacy law is an important component of China’s long term strategy on the international stage. In fact, the PIPL expressly contemplates China’s engagement with other jurisdictions (at both the country and regional levels) to try to create “interoperability” with these other privacy systems. Below we summarize key terms of the updated draft PIPL. Continue Reading China Released Second Draft of Personal Information Protection Law

In a long awaited decision, the European Commission (“Commission’) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the, now repealed, Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.

It is important to note that the new set of SCCs is significantly different than the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor”, the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form. Continue Reading Out With the Old, In With the New: New GDPR Standard Contractual Clauses

Seyfarth Synopsis:  On May 12, 2021, President Joe Biden issued a very broad, 34 page “Executive Order on Improving the Nation’s Cybersecurity.” The Executive Order, or “EO”, can be found here. This order comes six months after the notorious SolarWinds attack, and mere weeks after other high-profile attacks have invaded our networks, and shut down pieces of the nation’s critical infrastructure causing gasoline shortages in certain parts of the country.

By “force of law” the EO applies only to the federal government and federal government systems. By extension, the EO applies, or will apply, to thousands of government contractors and subcontractors that provide IT goods and services (e.g., software) to the US government. Notably, many of the cybersecurity provisions have yet to be written and many will have to go through a drafting and comment period. Other of the provisions may look “new” but have actually been around for a while (like multi-factor authentication and end-point solutions).

The order does not touch on every aspect of US business, like critical infrastructure, but it is a wonderfully good start as it sets forth certain policies and procedures that every business must (if you are a government contractor) or at least should consider enacting. The clear implication of the EO is that the government, IT contractors and providers, and the private sector can no longer wait around for the next shoe to drop. The time for action is now.

So despite being aspirational (at least for today and for some time in the future), the EO makes probably its most important point in its opening statement (Section 1. “Policy”): “We are all in this together.” Indeed the EO opens by noting:

“(C)ybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”

Let’s examine below certain pieces of the EO as it applies both to the federal government and government IT contractors and providers. The private sector should note that, similar to other “standards” like the NIST Cybersecurity Framework (issued under the Obama Administration in February 2014), to the extent it doesn’t follow the guidance and the policies in the EO, they might fall squarely in the headlights of plaintiffs’ class action counsel who may say, if it was in the EO, why didn’t you follow the same guidance.

Removing Barriers to Sharing Threat Information

Given their position in providing IT goods and services to the government, the EO notes that the IT providers are in a very good position to know better than the government the threat landscape and incident information that affect the federal systems they serve. But by contract, the IT provider might be precluded from sharing that information with the government.

In response, the EO pledges that within 120 days, amendments to the contractual language already in use by the federal government is to be recommended to ensure that information pertaining to cyber threat intelligence as well as cyber incident response information can be shared promptly, ideally within three days (a three-day period is already in place under certain federal, state and EU guidelines). The EO is clear on this point: information sharing is one of its highest priorities.

Modernizing Federal Government Cybersecurity

Another high priority of the Biden Administration is the modernization of the federal government cybersecurity architecture (see Section Three of the EO):

“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”

What does this mean at the end of the day?

  • Recognizing that the Cloud is likely the future of data storage for the majority of the US Government, yet the cloud has its own set of unique risks and thus needs its own security and incident response strategy;
  • That the government will move towards a recognized system of identity and access management, including mandatory multi-factor authentication; and that
  • The government will adopt encryption of data at rest and in transit.

Enhancing Software Supply Chain Security

This section clearly relates to the government’s previous responses to the SolarWinds cybersecurity attack in December 2020. Here, the EO calls upon the National Institute of Standards and Technology to produce guidelines for enhancing the software supply chain security. This guidance shall include standards, procedures or criteria regarding:

  • secure software development environments, including such actions as:
    • using administratively separate build environments;
    • auditing trust relationships;
    • establishing multi-factor, risk-based authentication and conditional access across the enterprise;
    • documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software;
    • employing encryption for data; and
    • monitoring operations and alerts and responding to attempted and actual cyber incidents;
  • generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i);
  • employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;
  • employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release.

Improving Detection of Cybersecurity Vulnerabilities and Incidents

Finally, like is more common already in the private sector, the EO urges the adoption of endpoint detection and response initiatives to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response. The hope is that such initiatives will support a “playbook” that would better demonstrate the EO’s mandate to provide a better level of incident response and remediation capabilities throughout all levels and departments of the levels of government.

The above is just a partial list of initiatives that the Biden Administration has put forth in the EO. There are indeed other initiatives that bear close examination like the NIST Cybersecurity Framework, and there are other technologies, like machine learning anomaly detection devices that also can potentially make the federal government more “cyber safe.” But, the most important part of the EO is that now “there is a plan.” A plan that will be reviewed by experts like the NIST, and thereafter refined and put into place. And with all good fortune that plan will spread like wildfire across the whole private sector as well. Then all parts of government and industry will likely be more cyber safe.

There have been seminal events in the cybersecurity space since 2012, but there has likely been no event in recent times bigger than the SolarWinds attack which was first announced in December 2020. Though it likely had “nation-state” origins, the SolarWinds attack raised a number of serious issues for US companies and indeed the US Government itself.

We don’t have all the answers but we have some. Join us on Wednesday, May 26, 2021 from 12 p.m.  to 1:15 p.m. CT, when this all-star panel will discuss critical issues raised by the attack like: patch management, software development, third party vendor risk management, and vulnerability management. The panel will also discuss strategies to increase cyber-risk and systemic-risk communications between the board, C-Suite and IT so that issues are both raised, appreciated, and dealt with on a timely basis. Cybersecurity is a team sport, and indeed likely one of the most important ones of our generation. We hope you can join us for this event.

Speakers

Paul A. Ferrillo, Privacy & Cybersecurity Partner, Seyfarth

Jerry Bessette, Senior VP, Booz Allen’s Cyber Incident Response Program

Chris Cummiskey, CEO, Cummiskey Strategic Solutions, LLC

Kate Fazzini, CEO, Flore Albo LLC

Robert Zukis, CEO, Digital Directors Network

If you have any questions, please contact Morgan Coury at mcoury@seyfarth.com and reference this event.

*This webinar is accredited for CLE in CA, IL, NJ, and NY. Credit will be applied for as requested for TX, GA, WA, NC, FL and VA. The following jurisdictions accept reciprocal credit with these accredited states, and individuals can use the certificate they receive to gain CLE credit therein: AZ, CT, ME, NH. The following jurisdictions do not require CLE, but attendees will receive general certificates of attendance: DC, MA, MD, MI, SD. For all other jurisdictions, a general certificate of attendance and the necessary materials will be issued that can be used in other jurisdictions for self-application.

This was originally published as a Seyfarth Legal Update.

Seyfarth Synopsis: As the world progresses with COVID vaccinations, the scenario where you have to show a COVID passport before crossing a border, taking a public mode of transportation, or entering a public space like a cinema no longer seems like a scene out of a dystopian sci-fi movie. Colloquially dubbed the “COVID passport,” the concept refers to various forms of a certificate of COVID vaccination and/or negative test status recognized on a national or inter-state basis, the use of which remains a controversial topic at this juncture, giving rise to technical, legal and ethical concerns.

Having said that, some countries have already adopted or proposed adopting various versions of COVID passports on a national or inter-member states basis, such as the “Green Pass” for visiting certain premises or events within Israel[1], the “Green Health Code” for domestic travel and entry into certain premises within mainland China[2], and the proposed “Digital Green Certificate” for travelling between member countries of EU and abroad[3]. The decentralized initial approach and the practical challenges of implementing an universally recognized COVID passport remains as the world grapples with the COVID-19 pandemic. Continue Reading Overview of Technology and Data Privacy Issues Arising from COVID Passports

Seyfarth Synopsis: Both Portland and New York City have followed the example set by Illinois’ Biometric Information Privacy Act (“BIPA”), a statute that has spawned thousands of cookie-cutter class action suits regarding the alleged collection of biometric information. Like BIPA, these new ordinances create a private right of action for individuals that could subject local businesses to potentially millions of dollars in liability. Businesses in these cities should carefully review these new ordinances as well as any technology they be using that has the potential to collect biometric information.

Continue Reading Portland, OR and New York City Follow Illinois’ Lead on Private Rights of Action in Biometric Privacy Legislation

Cross-posted from Seyfarth’s Workplace Class Action Blog.

Seyfarth Synopsis: Following in the footsteps of New York, Maryland recently introduced a standalone biometric information privacy bill, House Bill 218, that mirrors Illinois’ highly litigious Biometric Information Privacy Act (740 ILCS § 14/1 et seq., “BIPA”) in many respects. Most notably, as presently drafted, Maryland’s proposed bill, like Illinois’ BIPA, provides for a private right of action, statutory penalties, and plaintiffs’ attorneys’ fees – which has spawned thousands of class actions in the Land of Lincoln. If enacted, the Maryland bill would become only the second biometric privacy act in the United States to provide a private right of action and plaintiffs’ attorneys’ fees for successful litigants. This represents a significant development for companies and employers operating in Maryland in light of the explosion of class action litigation that has arisen from Illinois’ BIPA in recent years. Moreover, the recent introduction of such bills in Maryland and New York signal that states are increasingly modeling proposed biometric privacy litigation on Illinois’ BIPA. Employers must take notice and monitor such developments to avoid being subject to a class action lawsuit – particularly as the purposes for utilizing such technology continue to expand. Continue Reading Maryland Joins Growing Number Of States Introducing Biometric Information Privacy Bills With Potential To Spur Class Action Litigation