With the PRC Data Security Law and the PRC Personal Information Protection Law coming into force on September 1, 2021 and November 1, 2021 respectively (see our earlier articles: China's new data security law and Weaponized Chinese 'GDPR' now launched), data protection has become a quite challenging and complex task for multinational companies due to the long-arm application of the laws as well as the many uncertainties brought by these laws. The vague wording as well as inconsistencies between different rules create a rather complicated maze for data compliance officers. From a very practical point of view, it is a very critical question to ask how these laws have been enforced. A recent case in Shanghai may help shedding some light on this as detailed below.
A Recent Case
A local tech company in Shanghai (Company A) was involved in a serious data breach case. Its CTO – together with some other colleagues – used spider technologies to extract and capture data from an online platform providing food delivery services (Company B). By the time the case was discovered, it had already caused about RMB 40,000 loss to Company B. The case potentially constituted a criminal offense due to illegal theft of others’ data.
When the legal procedures of the case started, Company A proactively cooperated by compensating Company B’s losses, and by entering into a “plea bargain” discussion with the local procurator at the same time. As part of the deal, Company A engaged external professional resources to help building up a complete data compliance system. The system, upon its completion, was further reviewed by an external panel of experts from local regulators, a third-party security company and the industrial association. Upon a hearing on all mitigation measures and the soundness of the overall data compliance system, the expert panel released green light and the local procurator officially decided to drop the case from criminal pursuit.
Interesting aspects about this case are that
- it was widely reported by official media as a positive case on “embracing a data compliance system”, which indicates that the law enforcement agencies tend to encourage more companies to follow by establishing a sound internal data compliance system.
- the involvement of external experts as well as different stakeholders in helping Company A to establish its data compliance system also makes it a positive and exemplary case.
Another Similar Case
This case took place much earlier, even before the PRC Cyber Security Law took effect on June 1, 2017. It was in Lanzhou, the capital city of Gansu Province in northwest China. The local sales team of an international food conglomerate with substantial dairy business (“Company”) obtained large amounts of personal information of families with newborns from local hospitals, with the aim to increase sales of its milk powder. Criminal proceedings were initiated against such offense.
During the court trial at both instances, the defendants alleged that corporate liabilities of the Company instead of personal liabilities should be pursued since the concerned activities were carried out during the course of business of the Company. However, the Company successfully proved that it had strict corporate rules and an employee handbook regulating compliance matters including the protection of personal information. The involved employees had all signed such compliance rules and regularly attended trainings on these topics. Ultimately, the courts of both instances ruled that the Company shall be exempted from liabilities while only the individual shall be held liable. The case was viewed by the legal circle as a very positive landmark case. Although based in large part on the discretion of the judges, it was quite unprecedented when an existing compliance management system successfully helped to exempt a company from criminal prosecution.
What to Learn
Besides the two cases mentioned above, there are other noteworthy developments that may provide additional comfort in this regard. One of them is the revised PRC Anti-unfair Competition Law last revised on April 23, 2019 (“AUCL”). When it comes to commercial bribery in China, the AUCL has been viewed as the most relevant legal basis for compliance cases. In the past, a company could hardly escape from liabilities under the previous version of the AUCL arising from the actions of its employees in the course of business. In contrast, Article 7 of the amended AUCL indicates that companies may be exempted from liability if there is evidence proving otherwise. Another development is a piloting scheme rolled out on June 3, 2021 by the Supreme People’s Procuratorate and several other national level ministries/agencies, which explicitly promotes a (post offense) third party supervision and assessment mechanism to ensure that companies involved in criminal cases fulfill their compliance commitments. Such third parties are supposed to be professionals like lawyers and CPAs. The results of the third-party assessment will become important reference for the procuratorate in deciding what penalties to impose when bringing an indictment.
Although there is currently no explicit legal basis in Chinese law for exemption from legal liability based on an established and functioning compliance management system, the two cases mentioned-above and the latest developments at least indicate that it is worth building-up and maintaining an up-to-date compliance management system. The first case above indicates a good development of such trend in the area of data protection. When the respective laws are still quite fresh to be substantiated, the many uncertainties and ambiguities also leave room for regulators to study and refine their “best enforcement practice” (as could be seen e.g., from some recent “sandbox pilot schemes” in some cities). Considering the general pragmatic culture in China, a proactive and constructive approach to manage regulatory uncertainties and ambiguities is always good and recommendable. This certainly includes but is not limited to building and implementing a functional data compliance system, which includes not only routine paper work but also effective implementation. In this context, certain China specific mechanisms that differ from your existing GDPR focus (e.g., a good data classification system to manage the sensitive “important data” topics) are essential.
A wait-and-see approach is always risky, particularly considering the fact that – unlike the GDPR – a data protection case in China will involve not only corporate level liabilities but also personal liabilities of management both in China and potentially even at headquarters. Vulnerability in this aspect is further increased when businesses in this market are often under pressure to conform to the “popular data practice of other Chinese peers”. Therefore, upfront investment in data compliance management will save you from the risk of being exposed.
