Kristine Chung, Partner, Risk Assurance, PwC Hong Kong
Data has become an important asset for many businesses. Converting data into value in a secure and ethical manner is the business imperative of the next decade. While it presents a huge opportunity for business to use data to drive business initiatives and strategies, it comes with great compliance challenges to keep data practices in check.
Recently, there has been a number of enforcement actions including cybersecurity reviews against multiple companies, especially Internet companies that have access to a wide range of consumer data in Mainland China. The regulator has issued multiple important laws in the data space, such as the Cybersecurity Law, Data Security Law (DSL) and the Personal Information Protection Law (PIPL), to become the cornerstones for Mainland China’s data sovereignty.
These laws aim to cover wide-ranging data processing activities in Mainland China and create binding compliance obligations for these activities. Its extraterritorial effect impacts companies that offer products or services that involve processing personal data from the Mainland, even if they have no business presence there.
The following new key requirements impacts how the accounting profession assess business risk along the data value chain and lifecycle.
Data localization: Companies that meet the criteria for critical information infrastructure operator (CIIO) or process large volumes of Mainland Chinese personal data are subject to data localization requirements.
Cross-border data transfers: To transfer personal data outside of Mainland China, apart from requiring multi-level consent from the individual, security risk assessment and implementing security measures to safeguard the data is required. Cross-border data transfer compliance will become more complex and time-consuming as it relates not only to transfers within a corporate group, but also to the compliance between companies and their foreign suppliers, customers, investors and other relevant third parties, and certain business arrangements will also need to be adjusted in accordance with the law.
Data processing agreement: The data processor should submit the agreement or other legal document entered into between the data processor and the overseas recipient when applying for a security assessment. Such an agreement is required to include information such as the purpose, method and scope of the transfer, the requirements on the overseas storage of the data concerned, the obligations and liabilities of the overseas recipient and the dispute resolution mechanism.
Data responsible person: For foreign companies with no business presence in the Mainland, a representative or special agency will need to be appointed to oversee the company’s data compliance.
Although the new data security laws may become a critical turning point for many companies, it is an important step to strengthen the protection of personal data. Regulators will stay active in enforcing the laws against non-compliance. It is essential for companies to start formulating and update their data management strategies for the Mainland China market.
“Converting data into value in a secure and ethical manner is the business imperative of the next decade.”
Simon Hui, Partner, Baker McKenzie
Mainland China has strengthened its commitment to protect personal information by adopting the new PIPL, which gives data subjects the power to control and determine how, with whom and for what purposes their personal information can be shared, analysed or handled.
In the context of compliance investigations, typical activities can include accessing and analysing employees’ personal information. The investigation team may also want to engage external professional assistance or share such information with head offices located outside Mainland China. Under the PIPL, these activities require general or specific consent from the data subject, which may not be feasible in light of the sensitive and confidential nature of an investigation. The new PIPL obligations, therefore, have created practical challenges for businesses seeking to conduct an internal investigation as part of their corporate compliance or internal controls programme.
Examples of activities involving personal information include collecting employees’ personal information (e.g. education and work history), reviewing records of work emails related to potential non-compliant matters or incidents, and using information provided by whistleblowers; obtaining sensitive information of employees, such as bank accounts, expense and reimbursement records and their location during relevant periods; and accessing and processing personal information of third parties, such as business partners and customers.
Once an investigation has commenced, obtaining express consent from an individual who is under investigation to provide personal information becomes challenging. In addition to the express consent mentioned, Article 13 of the PIPL also establishes six grounds which exempt the requirement for express consent for processing personal information. Three exemptions are relevant to compliance investigations. However, we consider that these exemptions contain certain limitations.
Based on the current rules, it may be difficult in practical terms to delineate the boundary between when express consent from the data subject may be required in an internal investigation, and when the exemptions can be invoked. A company conducting an investigation will need to be aware of the limitations under the exemptions and should not fully rely on these grounds to overcome the restrictions imposed by the PIPL. Failing to address these issues in advance may impact the credibility of an investigation or, in a worst case scenario, lead to the inability to continue the investigation.
“Obtaining express consent from an individual who is under investigation to provide personal information becomes challenging.”
Kareena Teh, Partner, LC Lawyers LLP
Mainland China’s DSL and the PIPL came into effect on 1 September and 1 November 2021, respectively. They have far-reaching implications for accounting firms, particularly those operating in or performing services for Mainland-based clients. Care needs to be taken to comply with the DSL and the PIPL in transferring data out of and processing personal data of persons in the Mainland.
A key issue to consider is whether your firm or your Mainland clients are CIIOs. Additional requirements apply to CIIOs.
Under the DSL, which controls data transfer, CIIOs have to store important data (broadly defined as data closely related to national security, economic development or public interest) collected and produced in the Mainland within the Mainland. Such data will have to be reviewed in the Mainland. If the data has to be transferred overseas for review, a security assessment will first have to be undertaken.
Under the PIPL, which controls the processing of personal data of persons in the Mainland, CIIOs and personal information processors (PIP) processing personal data collected or produced in the Mainland over certain thresholds prescribed by the Cyberspace Administration of China (CAC) have to store such data in the Mainland. A PIP that wishes to transfer such data outside the Mainland must either pass the security assessment, obtain certification from a professional institution in accordance with the CAC’s regulations, or enter into a standard contract with the overseas recipient specifying their respective rights and obligations. Additionally, they must obtain the specific consent of the persons concerned and inform them of certain specified information, including the identity and contact details of the recipient, the purpose and method of processing etc.
Extra care should also be exercised when dealing with data requests from foreign judicial or enforcement authorities. The DSL and the PIPL prohibit providing data and/or personal data stored in the Mainland to any foreign judicial or enforcement authorities without the approval of relevant Mainland authorities.
There are other DSL and PIPL requirements that may have implications. Accounting firms should assess whether their Mainland operations, data access and transfer arrangements with their Mainland clients comply with all the requirements.
“A key issue to consider is whether your firm or your Mainland clients are critical information infrastructure operators.”