Editor’s Note: On January 18, 2023, HaystackID shared an educational webcast on China’s emerging statutes and regulations governing the processing, disclosure, and transfer of data. As Chinese entities increasingly become global commercial players, data located in China becomes increasingly relevant to U.S. disputes and investigations. Highlighting the potential for severe penalties that may pose significant risks for producing parties, our expert panel discussed the challenges of dealing with requests to produce information located in China and shared strategies for obtaining critical evidence while avoiding penalties.
While the entire recorded presentation is available for on-demand viewing, a complete transcript of the presentation is provided for your convenience.
[Webcast Transcript] The Digital Great Wall: Data Protection in Today’s China
+ Zhiwei Chen
Associate, Crowell & Moring
+ Jessica Priselac
Trial Lawyer, Duane Morris LLP
+ Christopher Wall
DPO and Special Counsel for Global Privacy and Forensics, HaystackID
Thank you, and hello and welcome from HaystackID, and I hope everyone’s having a great week thus far, and that at least the next hour with us can make it even better.
My name is Chris Wall, and on behalf of the entire team at HaystackID, we thank you for attending today’s presentation and discussion titled The Great Digital Wall: Data Protection in Today’s China.
We have a fantastic program lined up. Our discussion covers – well, it’s designed to cover a lot of really important and timely topics. We have data transfers, we have discovery, we have China, we have litigation, we have investigations rolled up in there. We’ve got it all in this session. And maybe the only thing that we left out of today’s discussion is AI. But stay tuned, next time, I think the next Lexology/Haystack collaboration is on AI, so we’ll talk about that a little bit later.
Today’s webcast is part of HaystackID’s regular series of educational presentations developed to ensure listeners are proactively prepared to realize their cybersecurity, information governance, and eDiscovery objectives. This webcast is being recorded for future on-demand consumption. We expect the recording and the complete presentation transcript to be available on the HaystackID website soon after we complete today’s live presentation.
Our presenters for today’s webcast include experts with a deep understanding of emerging regulations and practices in data protection and cybersecurity, with a particular insight into the Chinese information ecosystem.
As I mentioned, my name is Chris Wall, and I’m DPO, in-house counsel, and Chair of our Privacy Advisory Practice at HaystackID. And HaystackID is a privacy, data security, and forensic investigations firm. And my job is to guide HaystackID and our clients through the privacy and data protection thicket, as cyber investigations, info gov, and our traditional discovery take them down paths or jurisdictions less trod.
Joining us today, we have two distinguished panelists, and I’ll let them introduce themselves now. Zhiwei.
Thank you, Chris. Hello everyone. My name is Zhiwei Chen from the Shanghai office of Crowell & Moring. My practice areas are mainly focused on trade and data compliance. So, I regularly advise multinationals and Chinese companies on various China-related customs, export control, data privacy, and transport issues. I’m very pleased to have this opportunity to join the distinguished panelists to talk about this interesting topic today.
Thanks, Zhiwei. Jessica.
Hello everyone. My name is Jessica Priselac, and I am Special Counsel at Duane Morris, based in Pittsburgh, Pennsylvania. I am a trial lawyer, and in that context, I often advise clients on many aspects of discovery strategy, including cross-border data transfers. And apart from my legal education, I have attended two Chinese universities and subsequently have advised a number of clients in China with respect to their discovery strategy in US litigation. Back to you, Chris.
Thanks, Jessica. And the third panelist we’ll excuse today, Patrick Zeller. Our apologies to those who dialed in or tuned in today just to listen to Patrick. Due to unforeseen circumstances, Patrick will not be able to join us today on this panel.
But our agenda for today – if we move to that agenda – we plan to cover four primary areas. And I should mention that because this is such a dynamic area, we’ve designed this session to be far less of a discourse and more of a seminar. So, we’ll provide some context first about why we’re having this discussion, and give an overview of the several data protection laws in China today. And then we’ll walk through, specifically, cross-border transfers from China. I think that’s going to be our major emphasis here. And then we’ll talk practically about those transfers, specifically in the context of US discovery in moving data to the US.
And as you have questions during our discussion today, I encourage you – all of our panelists encourage you to put those questions in the chat box on your screen there. We’ll try to address them as we go along.
And that leads us to our first polling question because that is our agenda. I just walked through our agenda for today. But we recognize that each one of you came into this session with your own agenda or your own things that you wanted to get out of this. And we appreciate every one of you taking time from your schedules to come and listen to us, so we want to make sure that this session, as much as possible, is tailored to you, which leads us to that first polling question.
What is your role within the organization?
And this feedback gives us a little direction on what to focus on during the next hour. We have law firm, consulting, and in-house perspectives on this panel, and we suspect we have a similar composition in our audience today.
Excellent. Well, thank you for that polling. As I expected here, we have a large in-house representation here. So, an in-house corporate perspective. So, thanks for giving that to us.
With that, let’s jump in, and start with some foundation about why we have this whole session, a whole hour here dedicated to how we can use Chinese data in US litigation.
And just to launch into this, I’m going to share a few factoids to start us off.
Since 2017, the use of data – that’s personal data in particular – has surpassed oil as the most valuable commodity in the world. Another factoid, China is home to the most online users in the world. And Chinese companies like Tencent and Alibaba are growing exponentially, probably in large part because of their ability to leverage the value of that personal information. And then finally, I’ll share that PIPL, which many of you are probably familiar with, became law in 2021. What’s less well known is that there are other data protection laws also on the books, and we’re going to talk about those today.
So, data protection in China is probably best described like a very fine wine, very layered and complex. So, those are certainly some interesting facts to get us rolling, but there are lots of countries, some 100+ at the UN’s latest count, that have implemented some form of data protection laws in the last few years.
And so, what is it about China’s move toward privacy and data protection that’s such a big deal? And I’m going to launch with just a question – and I’m going to pose that to you, Zhiwei, if we could just kick it off with that about why China’s move toward privacy and data protection is such a big deal today. Zhiwei.
I think that data in China is now considered a strategic resource. As you just mentioned, there are many companies that are data-driven in China now. So, regarding the development of China’s data protection laws, I think there are basically two reasons for its fast development over the past years.
I think one is the domestic need in China. Because of these big giants and tech companies, because of their development, many people in China also have concerns about their privacy issues.
And another, I think, reason is related to the geopolitical tensions and also the trend, globally, particularly in the GDPR.
Jessica, anything you want to add to that?
Well, if we look at this slide, I also think it’s important to highlight that even though some of these more recent laws from 2021 and the interpretations of the 2021 statutes have come out more recently, traditionally, when we think of these issues, many of you that have done this before are probably familiar with the myriad of state secret statutes that are in place in China that also serve as blocking statutes when you try to export data out of China.
So, even though this presentation will focus on the more recent laws, I think we all wanted to highlight that these laws are still going to be against the backdrop of the state secrecy statutes and regulations that really have never gone away. So, that will be something you’ll always have to take into consideration when you’re exporting data out of China.
Thanks, Jessica. I don’t think we can underscore that enough. When we look at data protection laws around the world, we all point to the GDPR maybe because that made the biggest splash back in 2018, and we look at the emerging data privacy laws here in the US, and then we look at the PIPL, for instance. We look at what undergirds those laws.
In Europe, of course, the design of the GDPR is to protect the privacy rights of individuals. In the US, being the capitalistic society that we are, all of those laws are designed to protect the consumer. And I think, arguably, within China, you can look at all of these laws as designed to protect the overall common good, or the state. And I think, Jessica, to your point, I think it’s important that we keep in the back of our mind always the protection of the state and the state secrets.
So, anyway, we recognize that China is growing on the world stage, and the reason we’re here having this conversation is because the long arm of US litigation and regulatory actions around the world, I guess, will often involve fact-finding that can only be done with data that’s located in this major financial center that is China.
So, I think if we look at the combination of state secrecy, the CSL, the DSL, and PIPL as a way that China is trying to rein in how personal data is collected and used. I think that’s an accurate characterization.
But let’s look at extraterritoriality also. To whom do these laws – and we’ll look at these three in particular – to whom do they apply?
Zhiwei, would you like to walk us through to whom they apply?
Sure. Actually, the PIPL has very explicit rules about the extraterritorial jurisdiction of this law. It applies both to data processing activities within China and to data processing activities outside of China if the purpose of the processing is to provide [inaudible] to China, or it monitors the behavior of Chinese citizens. So, that’s the extraterritorial jurisdiction of the PIPL.
The Data Security Law also has an extraterritorial effect. It applies not only to data processing in China, but also to certain processing activities outside of China if they could affect China’s national security. So, the Data Security Law is mainly focused on data protection from a national security perspective.
The Cybersecurity Law does not have explicit extraterritorial effects. It mainly applies to construction or use of the network within China.
Jessica, anything else you want to add to that?
No, I think Zhiwei summed it up well.
Yes, and I think especially the extraterritorial application of PIPL is something you want to focus on here. That’s the important focus of our discussion today.
So, let’s turn and talk about – to be specific – China’s data protection laws.
As we talk about these laws, let’s try to keep them in context, bearing in mind that every data protection law from China to Colorado and from the UK to Utah reflects that culture and the values of the jurisdiction that enacts the law. So, let’s look at this framework and then hang some scenarios and compliance plans from them.
So, let’s first look at that framework. Jessica, can you talk to us a little bit about the legal framework for data protection here?
Sure. So, if we start with the background of the traditional aspects that we think are governing data in China, like I said, many of you who are familiar with this area will be cognizant that there are a web of different statutes and regulations and interpretations of what constitutes a state secret under Chinese law.
Six of these main laws are here on this slide. But I think it’s also important to note that there are different state secret regulations that apply to different sectors. So, when you’re thinking about whether something qualifies as a state secret, you have to not only look for the overall statutes that govern these areas, but be very cognizant of the sector that you’re operating in.
And also, you have to be very cognizant of the individuals or entities from whom you’re collecting data. For example, one issue that will come up in a data collection in China that’s unlikely to come up in most litigations is whether an individual or a custodian is a member of the Chinese Communist Party, or a member of the provincial government, for example.
And in those cases, even if you don’t have—
Jessica, let me ask you about that. Just simply a member of the party, how much a member of the party or does that matter? And Zhiwei, you’re welcome to weigh in here too.
Well, Zhiwei can correct me if I’m wrong, but in my experience, you can’t be a little bit of a member. Anybody that is a member of the party or holds a decision within the Chinese Government, their data is going to have to be scrutinized under this myriad of regulations related to state security.
Thanks. And Jessica, you also talked about the sectoral approach. We often talk about a sectoral approach here in the US. But when we talk about a sectoral approach in specific industries or verticals within China where we need to take particular care. What are some of those that you’re talking about? I would guess there’s infrastructure, but specifically, what would you be looking for?
Primarily, I’m thinking of infrastructure. But also, for example, any companies that are in manufacturing, chips, or any kind of equipment that’s going to be used in telecommunications, those types of industries are going to be heavily regulated.
Zhiwei, are there any more hot-button areas that you can think of in terms of sectors?
Yes, I think some other industries like defense, like mapping, like banking. I think these kinds of industries are more sensitive for multinationals who frequently interact with companies in these industries, or SOEs (state-owned enterprises), they are particularly at risk for possessing state secrets.
So, we talk about transportation, electricity, even the postal service.
And in theory, that could extend to just about anything. And I think it’s important that we not make this a restrictive or a comprehensive list, but it truly could extend to anything. It could extend to real estate. It could extend to anything that could potentially have an effect on the security of the state. Is that right?
I agree, because the definition of state secrets under PRC law is relatively broad, so that it could include certain information that may be considered commercial information but may also have some state secret implications.
So, in practice, one example is that a database containing the locations of gas and oil wells was found by one Chinese court to contain state secrets.
Now, let’s look at these – we’ve been focusing a lot on state security and state secrets. Let’s talk about the three laws that really everybody has been focusing on since 2017, and in particular, since 2021. CSL, DSL, and PIPL.
So, Zhiwei, can you talk through the recent legislation, especially the DSL and PIPL, but also touch on CSL a little bit. Obviously, the talk lately has been surrounding PIPL, because it’s gotten all the news, and all the conversation in the privacy space, of course, and maybe that’s because of the ubiquity and the big push everyone made for the GDPR leading up to May 2018. And maybe the thought that this is essentially the Chinese GDPR.
While the inclination might be to call it the China GDPR, that’s probably not where that legislation started in China. Maybe, Zhiwei, if you can talk us through that, the metamorphosis or how it grew.
Sure. As you just mentioned, these three laws, the CSL, DSL, and the PIPL, together represent the troika or three primary laws of China’s data protection framework. And actually, in addition to these three laws, there are also a lot of – the 19 regulations and state standards that have been issued, basically every month even.
The CSL is China’s first comprehensive legislation which focuses on data protection from a cybersecurity perspective. The CSL, for the first time, introduced the data localization requirement for critical information infrastructure operators.
So, Zhiwei, if I can pause you there? Did the CSL or the DSL really have any primary focus on individual – protection of individual’s personal information, or did that not arise until PIPL?
I guess put another way, the focus of CSL versus DSL and then PIPL. I didn’t mean to cut you off there.
Thank you for this question. The DSL, actually, applies to all data but has a focus on what we call “core data” and important data. These two categories of data are mainly related to China’s national security and public interests. So, the DSL is mainly intended to enhance the protection of this kind of data from a national security perspective. It can also cover personal information, but of course, that’s not the focus of this law.
The CSL, actually, because that’s the first data protection law in China, it was issued five years ago, so that law – of course, the main focus is cybersecurity, but it also has a separate chapter on protection of personal information.
Actually, before the PIPL, when we talk about the protection of personal information, we were mainly referring to the CSL, but in 2021, since the PIPL has already taken effect, and then now when we talk about personal information or data privacy, so actually, we will mainly refer to the PIPL.
Thanks, Zhiwei. And if we take that up to more immediately, I think more recently than PIPL, we’ve got further developments. Can you talk to us about what PIPL means now in practice and in application. Because we should probably talk about some of the most recent developments surrounding PIPL. Can you talk us through that, Zhiwei?
Sure. You can see that all three of these were actually issued in 2022. So, last year is a milestone for the development of China’s cross-border legal transfer landscape.
So, as you can see, there are three new regulations. The first one is the Certification Specification. So, this document is actually intended to provide more detailed guidance on how to conduct certification. However, currently, since no specific certification institutions have been designated by the CAC, the Chinese data protection authority, it is currently not possible for companies to rely on this option to qualify their cross-border data transfers.
The SCC provision, this law was issued by the CAC on June 30, and introduced China’s version of Standard Contract Clauses for public comments. It is still in draft form. But there are, I think – as you can see from the template issued by the CAC, which is an appendix to this law, you can see that it requires that the governing law should be PRC law. So, for some multinational companies, this might be challenging for them because they have a global approach.
Zhiwei, we’re going to talk about these recent developments in more detail here when we talk specifically about transfers, which is the next thing we’re moving into here. But I think it’s really important to emphasize the points you just made there about these being recent and that they are still, largely, in draft form, right?
So, let’s do that. Let’s move on and talk about what I think a lot of folks have joined us – and that’s actually the focus of this session, which is moving data from China for purposes of discovery or investigations.
And I think that actually leads us to our next polling question. Again, this is for background, so we know which direction to take this discussion here.
What need do you have or what is driving your desire to learn about transfers from China?
I should have mentioned this after our first, none of these are being recorded individually. We’re not reserving any of your responses here.
Awesome. And I appreciate, especially, that top 12% where all of you are overachievers, thank you for joining in here.
But I fully understand that 41%, the vast majority of you on this call right now anticipate the need for regular or recurring transfers from China. Again, I think that’s what’s driving the interest and, frankly, the need for this kind of discussion. So, I want to go back and revisit any potential data transfer from China.
We’ve put together this little Venn diagram to illustrate the considerations behind the analysis, and the overlaps, frankly, between DSL, CSL, and PIPL, just to give it a visual representation here.
We’ve got to recognize those overlaps and the unique considerations prior to any of that data leaving its respective realm and being transmitted to some hosting platform, for instance, for review, for discovery, or being transferred to another jurisdiction outside of China for use for, say, reinvestigation or some kind of production.
But just like transfer, we should also mention here that just like a transfer under the GDPR and a lot of the GDPR-like privacy regulations around the world, transfer under these three laws here is defined very broadly. Transfer includes access, meaning that even if you host that data in China, and simply access it via some platform or via remote access, remote desktop, or some other way from the US, for instance, or from some other jurisdiction, that is still a transfer. I don’t think we can emphasize that enough that it’s that same broad definition of transfer that we should see from other data protection regimes.
Where does that state consideration come into play if we look at our nice little Venn diagram? Let’s go to our next slide.
We’ve incorporated it into this rather than – well, let me go back to my Venn diagram. The Venn diagram, if we were to incorporate that, it’s going to fall right down here as the underlying consideration that undergirds/underpins any of these other considerations under PIPL, CSL, or DSL.
Jessica, anything else you want to add about that Venn diagram or the considerations here and how they interplay with one another?
Sure. The way I think about this is it’s just similar to what Chris just described which is the largest basket, generally speaking, is going to be that data that is potentially subject to state security laws. And if we start thinking about certain exceptions or narrowing your data, that’s when some of these other considerations and statutes are going to come into play.
Thanks. Zhiwei, anything else you want to add here just with our little graphic?
I think as you show me in this chart, actually, personal information actually is a major content for the PIPL, but also the other two laws also have implications under certain circumstances, for example, the CSL.
The CSL, as you know, they are many of our cybersecurity laws. So, we have some clients, they also would like to know about China’s cybersecurity incident response obligations. So, generally, if there is a cybersecurity incident, if they are a network operator, under the CSL, they need to report such incidents to the Government. But the CSL, if the company collects or processes any personal information, then the CSL requires them – they need also to notify the users or data [cyber checks] if such incidents could affect their data privacy.
Thanks, Zhiwei. So, if we look at our diagram – this all contemplates a data transfer outside of China, and we compare this… many of our listeners here are probably familiar with data transfer mechanisms in the EU under the GDPR, for instance. And under the GDPR, you can make a data transfer based on an adequacy decision.
So, for instance, from the EU, you can make a transfer to the UK currently, or to Israel, or to some other jurisdiction that the EU has deemed having adequate protections or can give adequate protections to data being exported from the EU.
Is there anything similar from China? So, has China taken an adequacy decision, for instance, for any other jurisdiction outside of China, for instance, the EU? Let me put that to Zhiwei, and then Jessica, I’m going to ask you to weigh in too.
No, China does not have such kind of adequacy decisions. So, for China, the main mechanism used for data transfer is the security assessment, the certification, and SCC.
Thanks. Jessica, anything else you want to add here?
Yes, I think this gets to your first point, Chris, and I agree with Zhiwei. But back to your original point, when you’re considering comparing these laws to the EU – comparing the Chinese laws to the EU laws, it does come back again to this idea that, unlike other countries, the thrust of these laws is much more focused on protection of the state, and it’s more akin to an analysis under a more traditional blocking statute, even though the titles of some of these recent statutes make it seem that they’re more focused on individual data protection.
Thanks. We also have a question here about data that’s to be hosted and processed exclusively in China. Let’s say it’s critical Chinese infrastructure, for instance.
As we talk about these transfer mechanisms, maybe we can talk about transfers within China and any considerations we might want to make for those.
Let’s move to the next one where we talk about our analysis, how we determine what analysis we need to go through when making any of these transfers.
Jessica, can you walk us through that analysis, where it begins in determining what we need to think about, I guess? Just where it begins, what we need to think about, and what we look at along the way before we make a transfer.
Sure. So, when we’re looking at the data that’s to be collected and transferred outside of China, we want to start with the most broad and general provisions of these statutes, so that we can make sure that when we’re analyzing the data, we’re starting from the point of collecting and grouping that data that we think is most likely to be subject to one of these statutes.
Then once we have that set of data, we move to step two and then we bring into the consideration of “Are there any applicable exceptions to these data privacy and data transfer statutes that are applicable to the larger set of data so that you can further narrow it down?”
And then if one and two are met, you have to determine what the appropriate mechanism is to transfer the data and, frankly, determine whether there is a mechanism at all to transfer the data. Because there will be situations in which there won’t be a mechanism to export data out of China under any of these statutes, and the data will have to stay in China.
Well, let’s talk about those mechanisms. Jessica, thanks for walking us through that three-part analysis.
But we mentioned earlier that there are draft forms, draft mechanisms for data transfers from China. And Zhiwei, I’m going to ask you if you can maybe walk us through what those mechanisms are. Again, we mentioned earlier that these are – at least two of these three are in draft form. So, maybe you can walk us through what they are and maybe how they compare to something many, on our call here, might be familiar with under GDPR and GDPR-like data protection regimes.
Sure. I think as Chris just mentioned, actually, at this stage, the only data transfer mechanism that is available for companies is the Security Assessment by the CAC. So, China has issued regulation on this.
So, generally, this is an official process for companies to qualify their data transfers. So, it will require you to do a self-assessment, and then you also need to go through a Government-led assessment, so it’s very complicated, and you need to do a lot of homework. So, this is why many companies, they will review the data they process, and also, they will try what they can to reduce the amount of data below the threshold which will trigger a CAC Security Assessment.
The second one is the SCC. I think from the data processing perspective, SCC may be the most user-friendly approach to qualify a data transfer, because this option does not require a review by Government authorities, or certification by third-party institutions. And you just only need a contract between the data exporter and the data recipient.
However, the SCC option only applies when a compulsory CAC Security Assessment is not triggered, because the threshold which will trigger the CAC assessment is not that high. So, the application scope of SCC may be limited by the [inaudible] to looking at how this SCC draft provisions will go.
So, for the two that you’ve talked about so far, Standard Contractual Clauses, that’s roughly analogous, obviously, to the Standard Contractual Clauses that we use for transfers from the EU, right?
What rough analog would you compare the existing and the available transfer mechanisms, the Security Assessment? Is there anything under the GDPR that’s roughly equivalent?
You mean the China’s – these three mechanisms compared with GDPR’s mechanism, right?
I think the SCC, of course, the GDPR also has the equivalent one. The certification is quite, I think – they have the Binding Corporate Rules. This is similar, but still, I think this will need certification by third-party institutions.
So, I guess if you had to make an analogy – and I know these are very rough, again, especially since they’ve not taken effect, but maybe that’s the closest there would be to an adequacy decision, certification.
Jessica, anything you want to add here?
No, thanks, Chris.
Zhiwei has created this, and I’m not sure we have time to go through the entire flow. Zhiwei has kind of walked us through some of this already when we talked about the CAC Security Assessment. But Zhiwei, could you walk us through a very high level, and then I want to go on and talk briefly about comity, and then we have a hypothetical where we can address at least one of the questions some of our audience have asked here.
Yes, sure. As you can see from this chart, the CAC Security Assessment is actually complicated. But to keep it simple, generally, the CAC Security Assessment process is a two-step process.
So, you need to conduct a self-assessment first. So, if you have identified any non-compliance or gaps in this process, you still have the opportunity to remediate such non-compliance before the formal submission to the CAC. And then once the self-assessment is completed, the company should apply to the CAC for a Government-led assessment.
And the Government-led assessment also includes a two-step review. The first step is the completeness review by the provincial CAC, and once this first step is crossed, then the material would be forwarded to the central CAC for a substantive review. So, that’s the general, I think, process of this CAC assessment process.
Thanks, Zhiwei. So, we’ve talked generally about data transfers, transfers that apply to just about any movement of data from China. I’d love to pivot a little bit to discovery-specific issues, and I want to talk briefly about comity, because whenever we’ve talked about international issues, whether it’s data transfer or otherwise, we have to bring in this question of comity, especially so far as it touches US law.
So, Jessica, can you talk a little bit about Aérospatiale in this context and especially when it comes to struggles that parties might have in bringing data to the US from China?
Sure, thanks, Chris. And I know we’re a little short on time, so just to summarize. Aérospatiale is the standard by which a court will determine whether it will abide by a foreign country’s blocking statute. And there’s a series of factors, which the court applies. It is a multi-factor balancing test, which makes it difficult to predict how any one court will interpret those factors. But simply put, if you are in a situation where the export of data from China is either going to be delayed due to these regulations and statutes, or you’ve made the determination that the data that the court has ordered you to produce cannot be exported from China, you’ll have to go to the court and plead your case under this statute.
And in this respect, China is no different than any other country that has a blocking statute that applies to export of data to the United States.
Even though it’s not formally a blocking statute, right, Jessica? Even though it’s simply—
So, let’s go ahead and look at our hypothetical. I’m going to read through or just present the fact pattern here briefly. But as you look through this, there is a question that a couple of our audience members have asked and that is what happens if you have an entity that does business in both, say, the US and in China, and they want to make intracompany (within the company) transfers within the organization. Hopefully, this hypothetical – and as we walk through it – will help answer that question.
But in this case, we have a US-based company called Xsecure that makes network security hardware and it has a Chinese subsidiary called Xsecure China. And it’s a big operation with 6,000 employees and 90,000 customers in China alone. So, it’s no small undertaking.
Some of those Chinese clients are state-owned or Government entities, which should raise red flags for folks. Xsecure China collects personal information from its employees for HR purposes, and it also collects bank info for those employees so they can do payroll.
So, all of that personal information is manually logged into a US-hosted HR platform, which we’ve titled HRisUS. Xsecure China’s customer and vendor management system is all hosted in China, and that management system includes names and regular personal identifiers like email for one contact per customer or per vendor. And only the folks at Xsecure China in China can access the management system, except for the parent company’s global IT team. They can access for maintenance, or once in a while, they can go in and update that manually and enter customer info if they need to.
And so, finally, one last wrinkle here, the China subsidiary gives its vendors the right to audit and document sales of their products.
A big breath here. There’s a lot to unpack with this hypothetical, but I think it should address at least the question about what do we do about intracompany transfers.
So, where do we begin? Where do we begin with this analysis? And I think that does lead us to our next polling question.
Where do you start your analysis?
Poll closed. And I’m going to put it over there for everybody to see. Can everybody see that?
Identify all potential transfers. That is right. That is where you probably want to start. Although I like the fact that your homework is done for you with item number C, because that’s already done. There’s only one transfer mechanism available to us today. So, whoever chose that one, in a way, you’re very right. That’s already been decided for us.
Where do we start, practically? Identifying those potential transfers. Those potential transfers we need to look at – well, especially, for any transfers outside of China.
So, Zhiwei, let’s lead off with you. If you were to do this analysis for your hypothetical client, Xsecure, with headquarters in the US and sizable operations in China, where would you start?
Yes, thank you, Chris. I think, just like most of our audience has given the right answer, I think we should start from whether there are regulated transfers. So, we need to identify the transfer scenarios.
So, here, in this hypothetical case, at least you will find that there are three transfers. HR manually enters the employee data into HR systems which are hosted on a US server, so that’s a transfer. Remote access to the customer and vendor data stored on Chinese servers by their US IT team, that’s also another transfer. And the third one is the provision of the sales records to vendors for audit purposes, so that’s also another transfer.
So, when you identify those transfers, you will see – you also need… we would suggest our clients do a data map. You need to understand what data is transferred under PRC law, because there are different requirements for different types of data. So, you need to know whether the data transferred is personal information or sensitive personal information, or important data.
So, I saw that the second choice is about the industry. I think industry is, of course, also relevant, sometimes very important. Just like in this hypothetical, you can see that Xsecure is a security hardware manufacturer. So, when this company – they provide some sales information to their vendors, and they also have some customers who are SOEs or Government-related entities, so that could be very sensitive and considered as important data. Actually, China has already issued – drafted national standards which also list this as an example of important data.
Thanks, Zhiwei. So, absolutely, in looking at those data transfers, the fact that this is also a network security hardware manufacturer in China, it implicates – or we need to make sure that we’re considering national security concerns also.
Can we talk specifically about the intracompany transfers here that we’re looking at? Do they need to go through a CAC Security Assessment for those transfers, for instance, between – or to give access to Xsecure’s US-based global IT team so they can access their vendor and customer database?
—all within the company.
Even though that’s all within the same company, it’s all within Xsecure?
Yes, even if it’s all within the same company. But if you have remote access to data on a server located in China, that’s also considered as a transfer. Contrary to some common beliefs, actually, the amount of data which is considered to be transferred out of China is not the amount of data actually accessed by the global IT team. Instead, it is the total amount of data stored on the Chinese server to which the US IT team has been granted access.
Thanks, Zhiwei. So, many of our audience here are familiar with the GDPR. And under the GDPR, you could likely set up that kind of scenario, that kind of transfer or access by the global IT team to a China-hosted customer and vendor database by using BCRs (Binding Corporate Rules), or you could use Standard Contractual Clauses for that transfer, for that access, right?
But ideally, I think you’d probably want to have BCRs in place for that. Where we have no BCRs currently or BCR equivalent in China today, the best course for that would be to use – the best course would be what, Zhiwei?
—global IT access.
For these kinds of intracompany transfers, actually, the application scope of certification is specifically applied to these kinds of intracompany transfers. But the condition is that your transfer does not trigger the security assessment. So, they have a threshold there. So, you can see that if your transfer has reached 100,000 personal information, or 10,000 sensitive personal information, then, actually, you need to do a security assessment. You do not have a choice. You have to do that. But if you fall below that threshold, you can choose SCC or certification, but currently, that’s not available.
So, currently, our single option is CAC assessments. Do you have a timeframe, Zhiwei, that you can speculate for us about when we might see these other two transfer mechanisms made available?
I think the Chinese data authorities, basically, they have three priorities, I think, top priorities in their head.
The first one is, of course, data transfers. The other two are important data and CIIO (Critical Information Infrastructure Operator). So, I guess that for the SCC and the certification, I guess, they probably will have more guidance sometime this year.
Thank you. So, we’re coming up at the top of the hour and we committed to wrap this up. But before we leave, I do want to talk about tips and leave our audience with some practical tips here.
And Jessica, sitting on this side of the pond from China, I’m going to start with you with some practical tips for practitioners who might be looking at needing to move data from China to the US, or to another jurisdiction outside of China.
Where would you start with practical tips for our audience?
Sure. And just in terms of practical tips, the number one thing is to – before you begin determining what even applies, you have to really know your data. Interview your clients. Interview your internal and external clients. Understand what the Chinese subsidiary or the company has in its possession. And importantly, physically, where that data is located.
Even though we are all so used to electronic records, there are still a number of industries – I can think of many companies in the life sciences industry, also in certain transportation industries – where the official records are still kept on paper, and you’re going to have to know where that is. Because even though we talk a lot about electronic transfers out of China, in the first instance, that electronic transfer might be on a hard copy. And from a logistical perspective, that means not just knowing what this data is, but where it’s located and what form it’s in.
And I think for many of us that are so used to everything being electronic, the reality is, on the ground in China, some of the information you might need could very well not be electronic.
I don’t want to hog this. So, Zhiwei, do you want to weigh in?
Yes, I think another one is that you should know how many people are affected by the transfer, because under the current existing regulations in China, they will look at how many people are affected to determine whether the CAC’s Security Assessment is triggered.
For example, if your company has 100 employees and this employee data will be transferred in different systems, when they are determining whether your transfer has triggered a CAC Security Assessment, they will look at how many employees are involved, which is 100, even if the same personal information, or different personal information, of these 100 employees is transferred to the US, for example, in different scenarios. But given that it only involves 100 employees, the number is 100, so that’s the thought behind the threshold.
Those are great tips. And I’m going to leave the audience with three more. Make sure you’re going local. Make sure if you’re looking at a transfer, involve a China DPO, either in-house, or there are China DPOs for hire. And potentially the need to have that DPO be independent of your firm or your company to provide you that independence as they provide counsel to you.
Retain local counsel. There’s real value always in having someone local, in-country who can provide you with insights into how things are done, not just what the law says but how things are done.
And then be cautious, always. The current legislation – as hopefully we’ve illustrated over the last hour – it is ambiguous and it’s still developing. So, you want to take a cautious and very conservative approach to any proposed transfer analysis before you make the transfer.
And with that, we are at the top of the hour. And so, I thank Jessica and Zhiwei for sharing your insights over the past hour or so. And we also thank everyone who took time out of their schedules today to join us for the last hour. We know your time is valuable and we appreciate you sharing it with us.
We hope that you can attend our February 2023 webcast. As I mentioned at the outset of today’s webinar, we packed a lot in today, but we didn’t talk about AI. That, as it happens, is on the agenda for next month when you can tune in to join a discussion titled Today’s Privacy Reality: AI Assessments, Breach, and DSARS. And you can learn more about that webcast, or register for any of HaystackID’s upcoming webcasts and review our library of on-demand webcasts – which will include this one, by the way, this one is being recorded, it will also be in that library – at HaystackID.com.
Thank you all. We appreciate your participation today.
HaystackID is a specialized eDiscovery services firm that supports law firms and corporate legal departments through its HaystackID Discovery Intelligence, HaystackID Core, and HaystackID Global Advisory offerings. In addition to increased offerings, HaystackID has expanded with five investments since 2018. Repeatedly recognized as a trusted service provider by prestigious publishers such as Chambers, Gartner, IDC MarketScape, and The National Law Journal, HaystackID implements innovative cyber discovery services, enterprise solutions, and legal discovery offerings to leading companies across North America and Europe, all while providing best-in-class customer service and prioritizing security, privacy, and integrity. For more information about its suite of services, including programs and solutions for unique legal enterprise needs, please visit HaystackID.com.