Deng Xiaoping initiated the Reform and Opening Up policy and opened the door to the world in 1978. As a result, China’s GDP rose from 367.9 billion yuan in 1978 to 15.45 trillion yuan in 2020 and lifted China from a third-world country to becoming a global economic superpower.

In the last 40 years, China’s significant economic growth has increased its role in the world both as a trade and investment partner and as an international Institution member in the United Nations (1945), World Trade Organisation (2001), and World Bank (1980). As a result, China holds a more influential and significant role in the world today than 40 years ago and more recently demonstrating a more mature and assertive stance.

Internationally, China has increased activism and assertiveness within international institutions (“Institutions”) in recent years. Specifically, China increased engagement in formulating policies and positions within the Institutions and increasingly utilised such Institutions as platforms to articulate its’ position. Equally, today’s institutions represent a broader range of countries with different priorities, needs, and interests than the founding members. Therefore, Institutions are increasingly evolving from the post-second world war era, in which the USA played a primary role in the founding principles of the Institutions.

Domestically, China has adopted a collection of legislation to strengthen the national sovereignty and interests, including:

• The Cyber Security Law of the People’s Republic of China effective from 1 June 2017
• The Export Control Law of the People’s Republic of China effective from 1 December 2020
• Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and other Measures, effective from 9 January 2021
• The Anti-Foreign Sanctions Law of the People’s Republic of China effective from 10 June 2021
• Data Security Law of the People’s Republic of China effective from 1 September 2021

For companies and individuals doing business in or with China, such legislation defines business operations – especially cross-border activities in several areas.

With a rapidly growing middle-class in China, the Chinese market for many companies is an increasingly important and growing market segment. Therefore, companies either invested or planning to invest in the Chinese market cannot disregard national sovereignty and interests’ compliance within their business operations. Below, we highlight the three key areas of national sovereignty and interests’ compliance applicable to companies doing business in or with China.

Cyber and data security

Cybersecurity for many countries is a top national priority to maintain secure networks and protect data from cyber-attacks.

In China, cyber security is centred on the security of the collected data, and companies are obliged to ensure networks collecting and processing the data are secure, monitored and shall not endanger national security or sovereignty.

The Cyber Security Law of the People’s Republic of China (“CSL”) and Data Security Law of the People’s Republic of China (“DSL”) are two primary legislation governing cyberspace and affect all companies working with data collection, processing, and management in China.

Cyber Security Law

The CSL establishes the compliance framework for network operators and is the overarching law for cybersecurity.

Under CSL, the network operator is defined as owners and administrators of the network and network service providers and obliged to ensure servers and data stored, transmitted, or created on such servers are secure and protected from cyber-attacks. Furthermore, the CSL outlines a Critical Information Infrastructure (“CII”), which subjects information crucial to national security and economy to store the collected and produced personal information and important data within the territory of mainland China. Any data required to be transmitted aboard shall be conducted under measures of the Cyberspace Administration of China.

Data Security Law

DSL sets forth an overarching framework to regulate data handling and management accordingly with national sovereignty, security, and development interests.

Under the DSL, the scope and definition of data include any record of information in electronic or other forms and imposes an extraterritorial application to China-related data handling and management.

Organisations and individuals are obliged to ensure and formulate data management policies, cooperate with public security and national security organs that require their data for national security or criminal investigation. Mismanagement of data, specifically those handling important data could face significant liabilities for both the company and individual.

Export Controls

Prior to the adoption of the Export Control Law of the People’s Republic of China (“ECL”), export controls were scattered across several laws. The ECL is the first comprehensive framework establishing export controls, a list of controlled items, and provisioning extra-territorial application to individuals and organisations outside of China who endanger national security and interests.

Under the ECL any export of the controlled items from an individual or organisation within the territory of mainland China to an overseas individual or organisation is subject to certain obligations including obtaining the relevant license from the State Export Control Authorities. Controlled items are defined under the ECL as the following:

• Dual-use items which can be for civil and military purposes or helping to improve military potentials, especially goods, technologies, and services in design, development, production, or application utilised for weapons of mass destruction;
• Military products comprising of equipment, special production facilities, and other related goods, technologies, and services utilised for military purposes;
• Nuclear materials, including nuclear equipment, non-nuclear materials used for nuclear reactors, and related technologies and services;
• Technical materials and data related to the items listed above.

For companies with an international supply chain or engaged in cross-border research and development, the ESL has a significant impact on exporting operations. For example, foreign items containing components assembled or manufactured in China could be deemed as controlled items or cross-border research or technology transfer, activities such as research, inter-company research (where the research and development centre are in China), or technology sales to foreign enterprises could be classified as related technical material and data – thus subject to export control.

Addressing sanctions

In 2021, China addressed the application of foreign legislation and sanctions to Chinese individuals and legal entities both within and outside of the territory of China. Two main legislation were enacted and established a stricter stance against foreign economic sanctions against Chinese organisations and individuals.

Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and other Measures

Early this year, the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and other Measures (“Rules”) were promogulated by the Ministry of Commerce. The Rules provision a working mechanism for Chinese companies and individuals affected by extraterritorial foreign legislation that prohibit or restrict engagement in normal economic, trade, and related activities with a third State (or region) or its citizens, legal person, or other organisations. Affected individuals or entities are required to such matters to the State Council within 30 days. The State Council shall issue a prohibition order to oppose an unjustified extra-territorial application of foreign legislation and other measures.

Foreign companies in China especially multinationals should note the Rules stipulate any Chinese entities who comply with the unjustified extra-territorial application of foreign legislation subject to a prohibition order can be pursued in court.

The Anti-Foreign Sanctions Law of the People’s Republic of China

The Anti-Foreign Sanctions Law of the People’s Republic of China (“AFSL”) establishes the regulatory framework for foreign persons, both legal entities and individuals, acting against China’s national interests. Under the AFSL, organisations, individuals, and affiliated individuals who directly or indirectly participate in formulating, deciding, and implementing discriminatory restrictive measures against China shall be included in a Sanctions List (“List”). Those included in the List shall be subject to penalties including visa restrictions, prohibitions, or restricted conduct in transactions, cooperation, or other activities with Chinese organisations or individuals. Therefore, for foreign companies and individuals doing business in or with China, AFSL significantly impacts external conduct and communications, and public relations.

Whilst some may view a more assertive China negatively, China’s international significance and role cannot be disregarded. Specifically, in the business world, companies involved in the Chinese market should evaluate their full operations and third parties’ relations and update relevant policies or establish China-specific policies, otherwise risk legal penalties and economic losses. Unless companies forgo the China market completely, the recent legislative movements in strengthening national sovereignty and interests should be reflected in company operations and policies. Companies generating business from China cannot disregard China’s principles around national sovereignty and interests.

This content appears as a courtesy of Horizons Corporate Advisory, a proud member of the China Collaborative Group (CCG Association). It is informational in nature and does not constitute legal advice or establish an attorney-client relationship between you and its author, publisher or any member of CCG. For more information, please visit www.horizons-advisory.com. 

The post China’s assertive stance and the impacts for your company appeared first on China Collaborative Group.

The Law establishes an overarching framework to regulate data handling and management accordingly with national sovereignty, security, and development interests. Under the Data Security Law, the scope and definition of data include any record of information in electronic or other forms and an extraterritorial application to China-related data handling and management. As a result, companies should be implementing changes for the forthcoming September effective date.

At Horizons, we have been advising clients with China commercial interests to evaluate data handling and management in preparation for the Data Security Law. Specifically, we recommend appointing a specific China data management officer who develops compliance policies and correct implementation to safeguard the company. We highlight below the main takeaways and the practical implications for companies doing business in or with China.

Scope of Data

The Data Security Law defines the scope of data and handling as the following in Article 3:

• Data shall refer to any record of information in electronic or other forms.
• Data handling shall refer to the collection, storage, use, processing, transmission, provision, and disclosure of data.
• Data security shall refer to the ability to ensure data is effectively protected, lawfully used, and kept in a secure state by adopting necessary measures.

In practice, the Data Security Law focuses on data security, electronic and non-electronic forms, and data handling activities. The Cyber Security Law adopted on 1 June 2017 focuses on the supervision and management of information and network systems. Therefore, the scope of Data Security Law is broader and affects all companies handling online and offline data.

Data Classification

The Law designates the State to establish a data classification and grading mechanism based on two aspects:

• degree of importance to economic and social development.
• the level of damage to national security, public interests, organisations where the data is tampered with, destroyed, leaked, or illegally obtained or used.

For data identified as important data, a specific catalogue shall be formulated by each region and department. Regional and department shall determine and grade important data accordingly to the relevant industry and areas and establish stricter data protection obligations. Equally, national security data, the lifelines of the national economy, people’s key livelihood, and major public interests shall be classified as core data and subject to a stricter management system.

Therefore, companies should anticipate stricter data management obligations. Specifically for multinationals involved in cross-border data transfer, important or national data could be defined as controlled categories and subject to export controls.

Data Security Protection Obligations

Although obligations are dependent on the type of data handled, we recommend companies appoint specific personnel or management to supervise the data management and ensure policies are correctly implemented. Moreover,

For all companies conducting data handling activities, the Data Security Law stipulates the following obligations:

• establish and perfect a data security management system across the entire workflow;
• adopt lawful and proper methods in collecting data and obtaining data by illegal means is forbidden;
• organise and conduct data security education and training;
• adopt the corresponding technical measures and other necessary measures to ensure data security; and
• take immediate disposal measures, notify users as required and report the matter to the relevant competent department.

For companies handling data classified as important data, the following obligations are provisioned

• specify responsible personnel and management bodies for data security;
• fully implement data security protection responsibilities;
• periodically conduct risk assessments for their data handling activities;
• periodically submit a risk assessment report to the competent department
• the risk assessment shall include the categories and quantities of the important data handled by the organisation, how data is handled, any occurred data security risks, and countermeasures

Moreover, organisations and individuals are obligated to cooperate with public security and national security organs that require their data for national security or criminal investigation. In practice, data privacy policies should be revised accordingly. Where data laws of other jurisdictions may cross over, such as the General Data Protection Regulation, the application of the two could be challenging and specialised advice should be sought.

Extraterritorial Application

Whilst the Data Security Law applies to the data handling activities within the People’s Republic of China (“PRC”), related data handling outside of PRC could be subject to investigation. Specifically, in Article 2, where data handling outside of PRC harms the national security, public interests, or legitimate rights and interests of citizens or organisations of the PC, legal liability shall be investigated. Although specific liabilities are not mentioned, violations of the Data Security Law are subject to civil, public security administration, and criminal penalties. Therefore, companies outside of China handling related China data should still implement China-specific data compliance policies to migrate unintentional violations and risk future liabilities.

Violations of the Data Security Law are subject to fines between 50,000 RMB and 2 million RMB, and companies may concurrently be ordered to suspend relevant business or revocation of business licenses. Consequently, data security protection is significant and shall not be taken lightly.

The Data Security Law paves the significant role of the State in data development and protection, as China advances the digital economy. Mismanagement of data, specifically those handling important data could face significant liabilities for both the company and individual.

If you have questions or would like to know more about the corporate services available to you from Horizons, please contact us at +86 21 5356 3400 or email talktous@horizons-advisory.com.

This content appears as a courtesy of Horizons Corporate Advisory, a proud member of the China Collaborative Group (CCG Association). It is informational in nature and does not constitute legal advice or establish an attorney-client relationship between you and its author, publisher or any member of CCG. For more information, please visit www.horizons-advisory.com. 

The post Are you prepared for the Data Security Law effective from 1 September 2021? appeared first on China Collaborative Group.

Gemäss einer Studie von safetydetectives.com geht man im Jahr 2021 von einem weltweiten Schaden infolge Ransomware Attacken von 20 Milliarden USD aus. Die einzelne Zahlung ist durchschnittlich nur 6’500 USD pro Angriff, wobei aber der Schaden pro Fall rund 380’000 USD beträgt, den Vertrauensverlust und die Ersatzmassnahmen nicht eingerechnet. Attackiert wurde in den USA letztes Jahr jedes zweite Unternehmen – die Bedrohung ist also real und das Schadensrisiko immens. Die Stadtverwaltung in Atlanta musste nach einer Ransomware Attacke 5 Tage geschlossen werden, nachdem 8’000 Computer lahmgelegt worden waren. Der Lösegeldforderung von USD 51’000 stand ein daraus resultierender Schaden von USD 2.7 Mio gegenüber.

This content appears as a courtesy of HütteLAW, a proud member of the China Collaborative Group (CCG Association). It is informational in nature and does not constitute legal advice or establish an attorney-client relationship between you and its author, publisher or any member of CCG. For more information, please visit www.huettelaw.ch.

The post Cyber Attacks – Ransomware appeared first on China Collaborative Group.