What are the regulatory risks when transferring data in or out of China, and what can corporations do to mitigate them?
Since the Cybersecurity Law came into force in June 2017, data compliance has become an increasingly prominent issue. On 10 July 2021, the Cybersecurity Review Office of the State Internet Information Office (the Cyberspace Administration of China) issued the revised Cybersecurity Review Measures (Exposure Draft), once again making cross-border data transfer compliance a top market concern. Beyond the overseas listing projects that have recently come under heavy scrutiny, cross-border data transfer compliance has also become a focus in investment and M&A transactions.
From China to overseas – domestic cybersecurity review and cross-border restrictions. Under the draft review measures, the procurement of network products and services by critical information infrastructure operators, and data processing activities by data processors, are subject to cybersecurity review where they affect or may affect national security. “Data processors carrying out data processing activities” is new in the draft and expands the scope of cybersecurity review, which was previously limited to procurement by critical information infrastructure operators.
Should the draft review measures come into effect, even a domestic investor that is not a critical information infrastructure operator may be required to submit the related inbound transfer of overseas data to cybersecurity review, provided the data processed by the domestic investor are deemed to affect or potentially affect national security.
Such data would then become accessible to China’s cybersecurity authorities and other relevant departments. For this reason, overseas regulators such as the Committee on Foreign Investment in the United States (CFIUS) may tighten their scrutiny of whether data transferred into China could be accessed by Chinese authorities. They may impose conditions restricting the routine transfer of internal corporate data into China and, consequently, the transaction may fail.
In overseas investment and M&A, there are also scenarios in which overseas data are transferred into China to be processed and analysed there, with the results then transferred abroad to guide the business operations of overseas companies. The general principle is that personal information and critical data collected and generated during operations in China must be stored within the PRC.
However, where there is a genuine business need to transfer such data abroad, the transfer may proceed after passing a security assessment. If the data fall within the scope of the draft review measures, they will also be subject to cybersecurity review. Under the draft, cybersecurity review focuses on the national security risks posed by procurement, data processing and overseas listing, including the risk of core data, critical data or large volumes of personal information being transferred out of the country. Domestic companies seeking to transfer analysed and processed data overseas should therefore prepare for the possibility of cybersecurity review and, if approval is not obtained, of being unable to complete the transfer.
From overseas to China – data sovereignty conflicts and the risk of domestic data being accessed by foreign government departments. Where a foreign investor intends to invest in or acquire a Chinese company and wishes to obtain domestic data, the target company faces not only the security review and outbound-transfer restrictions described above, but also the risk that onshore critical data and personal information become caught in sovereignty conflicts or are accessed by foreign government departments.
For example, on 23 March 2018 the US enacted the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), which requires providers subject to US jurisdiction to produce user data in their possession, custody or control regardless of where the data are stored, including on servers overseas. In other words, US authorities can, through US legal process, obtain data stored by US companies in China without going through the mutual legal assistance mechanism of Chinese law enforcement.
However, under the PRC Data Security Law, the Personal Information Protection Law and the International Criminal Judicial Assistance Law, institutions, organisations and individuals within China may not provide data stored within China (including evidence material in electronic or other forms) to foreign law enforcement or judicial bodies without the approval of the competent Chinese authorities. A company operating in the PRC that receives such a foreign request therefore faces a genuine dilemma: complying with it may breach Chinese law, while refusing may breach the foreign order.
Advice on compliance
Given the increasingly prominent issues with cross-border data transfer compliance, and to avoid the risks these bring to investment and M&A transactions, investors are advised to prepare on three fronts: due diligence, transaction structure design and the management of daily operations.
In due diligence, investors should pay particular attention to data compliance and ascertain the nature of the target company, especially whether it falls, or may fall, into the category of critical information infrastructure operator or data processor. Investors should also find out whether the target company can distinguish data collected from different sources, whether it can identify critical data or data subject to special regulation, whether a data security protection system is in place, whether it scrapes data from public channels, and whether it has a history of data security incidents.
When designing the transaction structure, companies should take data compliance into account. If the data compliance risk is controllable, a conventional investment or equity acquisition may be appropriate. Where there is significant latent data compliance risk, however, the acquirer may consider an asset acquisition instead, or carve out the data carrying compliance risk and inject the remaining assets into a new entity for the investment or equity acquisition. If the transfer involves personal information, companies must consider informing the individuals concerned and, in certain circumstances (for example, a change in the purpose or scope of processing), obtaining their consent afresh.
After the transaction is completed, companies should take further steps to ensure cross-border data transfer compliance in daily operations and management, such as segregating domestic data from overseas data, establishing a sound internal system for data storage and transfer, and ensuring that all applicable security assessments have been completed before any cross-border data transfer, so as to dispel any doubts the competent authorities may have.