Entities operating in China may want to transfer business data originating in the country to an office overseas for internal reporting or analysis. But before they do, they should consider the restrictions that may apply under PRC law to the overseas transfer.
Personal data stored on information systems
Personal data that is stored on an entity’s information systems in the PRC is subject to the requirements of the National Standard – Information Security Technology – Guidelines for Personal Information Protection within Public and Commercial Services Information Systems.
The National Standard requires that the individuals’ express consent is obtained to transmit their personal information overseas (unless the data export is clearly authorized under applicable PRC law or regulations or is authorized by the competent PRC authority). The individuals must also be informed of the name, address and contact person of the overseas recipient of their personal data.
The overseas recipient must also meet the requirements set out in the National Standards, such as implementing protective measures against loss, leakage, destruction and tampering of the personal information. To this effect, the recipient should be required to enter into a written data transfer agreement with the organisation sending the personal information from China to clarify the recipient’s responsibilities for the protection of the personal information and undertakings on the management, use, retention and onward disclosure of the personal information.
Although the National Standard is a non-binding advisory guideline for which there is no fixed sanction for failure to comply, the Chinese authorities actively encourage entities to implement the National Standard on a voluntary basis.
Meanwhile, the Personal Information Regulation for Telecoms and Internet Users requires telecoms operators and internet information service providers to obtain the consent of the individuals to any disclosure of their personal data to third parties and to the purposes of the intended transfer. Any entity that provides information through the internet to users must comply with the Regulation meaning that personal data collected through a wide range of commercial websites operated in China would fall within its scope. Failure to obtain the requisite consents risks large fines and criminal prosecution.
In addition, customer data export restrictions apply across a number of industry sectors, including banking and insurance.
In order to disclose employees’ personal information to third parties overseas, including other group companies, employers in China are required to obtain the employees’ written consent to comply with the Provisions on Employment Service and Employment Management. Therefore, if an entity is planning to send HR records or other documents that may contain personal information of PRC employees to other group entities or service providers overseas, it must first have obtained the written consent of the employees. This can be obtained through a specific term in the employees’ employment contract or through a separate consent form drafted for this purpose and signed by the employee.
Information that contains ‘state secrets’ or intelligence
The transfer of information that is classified as a ‘state secret’ is barred from being sent out of China under the PRC Protection of State Secrets Law, unless the competent authorities’ permission has been obtained.
What qualifies as a ‘state secret’?
‘State secrets’ are broadly defined under the law and may potentially include any confidential information that, if disclosed, could harm Chinese economic, political, defence or diplomatic interests (eg. scientific or technological secrets, etc.) or that are otherwise classified as state secrets by the National State Secrets Bureau.
There is a risk that information contained in business documents may be deemed a state secret, particularly when it relates to Chinese state-owned enterprises (SOEs). In 2010, the Shanghai No.1 Intermediate People’s Court found four employees of the British-Australian mining company Rio Tinto guilty of possessing state secrets in the form of commercial information about a Chinese SOE iron-ore company. The same year, an American businessman was also deemed to violate the PRC Protection of State Secrets Law after being found in possession of a database on the location of state-owned oil and gas wells.
Although a new implementing regulation came into effect in March 2014 which encourages the PRC authorities not to categorise as 'state secrets' information which ought to be publically available, they retain considerable discretion to decide what information may fall within the scope of the law.
Entities that deal with SOEs in China, or have SOE business partners, may receive information that might be classified as ‘state secrets’, which could take the form of unannounced development strategies, board appointments or research projects of the SOE.
How to mitigate the ‘state secrets’ risk
It is important to get assurances from any SOE partner or customer that they are authorised to share state secret information with the entity, and that they will label the information as ‘state secrets’ so it can be segregated in files and removed from any documents or data to be transferred overseas. A practical level of comfort may also be obtained by implementing strict confidentiality controls on the overseas recipient of the information, to ensure that the transfer is not disclosed.
Specific IT arrangements for ‘state secrets’
In addition, the PRC Protection of State Secrets Law prohibits any computers or equipment on which state secrets are stored from being connected to the internet or other public information networks. It also bars state secret information from being stored or handled on equipment not designated for this purpose. Entities in possession of information marked as a ‘state secret’ need to have appropriate IT facilities and policies in place to meet the requirements. In practice, this may mean storing information that relates to SOEs or activities in sensitive areas on a closed private network that is not connected to the internet to which access is restricted to employees located in China only.
Entities are not prevented from transferring documents that contain proprietary information out of China. If, however, an entity wishes to take advantage of protection of its proprietary technical and business information against unauthorized misappropriation, disclosure or use under the PRC Anti-Unfair Competition Law at a future time, it must be careful that the overseas transfer of the information will not disqualify it from such protection. Under the Anti-Unfair Competition Law, the entity must show that its trade secrets have been protected by measures to maintain its confidentiality.
To prove that reasonable protective measures have been adopted to prevent disclosure, the entity should enter into a confidentiality agreement with any overseas party (including another group entity) with which it shares the proprietary information.
Jurisdiction of other regulators
The transfer of the information overseas may expose the information to the jurisdiction of an overseas regulator or authority, which would not otherwise have jurisdiction over the information had it remained in China. Documents created in China, when transferred to another jurisdiction, may fall within the jurisdiction of the foreign regulator and authorities in the country of the recipient who may be able to require production of the documents upon request. The potential jurisdictional impact of sending the information to the intended recipient in the foreign country should therefore be considered.
Before sending information and data out of China, entities should carefully review the specific content to ensure that only permitted information will be transferred and that, in the case of personal data, the necessary consents and contractual precautions with the overseas recipient are in place to allow the transfer.