
Sara works out of Harris Bricken’s Seattle and Beijing offices, advising clients on legal practices in both China and the U.S. Her practice focuses on cybersecurity, data protection law, and privacy law. She also works on mergers and acquisitions, corporate formations, business litigation, and matters involving China’s foreign exchange control policies.

China movie contracts

Over the past couple weeks, the Chinese Internet has been abuzz with chatter about how Chinese movie stars allegedly underreport income via a dual-contract system in which only one contract is disclosed to the tax authorities.

The ruckus started when television personality Cui Yongyuan uploaded a redacted actor employment contract apparently for Chinese A-list actress Fan Bingbing’s work on the upcoming Bruce Willis film Unbreakable Spirit. (Initial reports stated, incorrectly, that the contract was for Fan’s work on the upcoming Feng Xiaogang film Cell Phone 2.)

Cui complained that Fan was massively overpaid – nearly $1.6M for only four days’ work – and her contract was bad for the Chinese film industry. The contract also detailed some of Fan’s allegedly egocentric contractual demands: screenplay rewrites, her own hairstylist and voice artist, luxury car service, a $200+ daily food allowance, and a requirement that the studio also hire her personal makeup artist at more than $12,000/month. Here in the United States, The Smoking Gun and other websites have posted so many celebrity contracts that we are inured to such terms, but Chinese netizens went berserk. Some penned impassioned defenses of Fan; others bemoaned the country’s skewed priorities.

Cui was just getting started. The next day he published a second redacted contract, this one for $7.8M, and intimated that the two contracts were so-called “yin-yang contracts” for Fan Bingbing: a form of tax evasion under which the smaller contract is reported to the tax authorities as income, and the other is unreported and therefore tax-free income.

At this point the Chinese tax authorities got involved and announced they would be investigating various Chinese film companies and also Fan Bingbing’s own production company. Shares in most of China’s major film companies promptly took a dive, presumably on the assumption that accounting flim-flam was rampant.

Meanwhile, the supposed evidence of Fan’s financial misdeeds unraveled nearly from the beginning. Cui conceded that the second contract had no connection to Fan Bingbing and in fact he had no evidence of any tax evasion on her part. Fan has vehemently denied the allegations of a second contract, and has threatened to sue Cui for damage to her reputation. It’s enough to make your head spin.

Actor compensation is an increasingly touchy subject in China, as the government seeks more control over the film industry while also wanting to exert “soft power” through its cultural exports. With the possible exception of Olympic champions, movie stars probably represent China’s most bankable and least controversial form of soft power. But if the stars shine too brightly (or get paid too much), then the optics start to look bad, especially internally. For this reason, last fall the China Alliance of Radio Film and Television passed guidelines (almost certainly at the behest of the Chinese government) seeking to limit actors’ pay in two ways: capping acting fees at 40% of a project’s budget, and capping any one actor’s fee at 70% of the casting budget.

At this point the only thing that seems (relatively) clear is that Fan Bingbing received $1.6M for four days’ work on Unbreakable Spirit. But let’s imagine for a moment that Fan did receive a separate, larger payment via a second contract. There’s no proof this occurred, but even if it did there’s nothing illegal about it, unless the recipient never reported it. Indeed, all of the criticisms leveled against Fan thus far are similarly uncompelling. Consider:

  1. Fan is being paid too much for her acting services. It’s not difficult to muster a convincing argument that as a policy matter celebrities should not be paid more than, say, teachers or scientists. But the producers of Unbreakable Spirit are the ones who have to pay Fan, not the public, and they have obviously made the calculation that Fan is worth it. She is one of the most popular actresses in China, and they’re not running a charity. Why shouldn’t Fan get as much money as possible for her role? Fame (and the attendant paychecks) can be fleeting, and it’s hard to begrudge anyone who demands to be paid what the market says they’re worth. Especially a female actor, in this age of #metoo. If Unbreakable Spirit were an American film no one would think twice about Fan’s compensation.
  2. The contract is with Fan’s company, not her personally. The vast majority of actors in Hollywood are hired through their own companies, usually LLCs called loanout companies. The main reasons for this are to limit liability and to gain preferential tax treatment. The situation in China is similar. Nothing illegal about it.
  3. Fan (might have) signed two contracts for the same film. Fan has her own production company and it’s quite common for big stars to work as actual or de facto producers on a film. That is: they use their fame, connections, and/or money to help get the film financed, made, and distributed. If someone who was not an actor did that, they’d be paid as a producer. Nothing illegal or even unusual about having a second contract for different services.
  4. If she signed two contracts, Fan was paid much more for producing than for acting. Actors take lower fees all the time for various reasons. Maybe they love the movie and take less just to get the movie made. Maybe they believe in the movie and will take less upfront for a piece of the profits (or even revenues, as pioneered by Jack Nicholson in 1989’s Batman). Maybe they’re also directing and producing the film and effectively want to invest their sweat equity in the film. It’s also possible Chinese filmmakers may also be trying to avoid the 2017 rule limiting actor compensation. Such a workaround is arguably a gray area but seems difficult to police, especially with talent that legitimately provides more than just acting services. Who should decide the actual value of their acting services?
  5. Fan’s contract requests are outrageous. By Hollywood standards, Fan’s requests for Unbreakable Spirit are neither outrageous nor particularly diva-like; I’ve received bigger, less rational asks from actors who are much less famous. It’s almost expected for an actor (or their agent) to push the envelope and see how much they can get, not least because it establishes a benchmark for the actor’s next picture. And sometimes a seemingly outrageous request has a legitimate purpose, as most famously embodied by Van Halen’s prohibition of brown M&Ms.

Even if Fan Bingbing hasn’t done a single thing wrong (which is very possible), it wouldn’t be surprising to learn that tax evasion is rampant in the film business. Tax evasion is like a national sport in China. Mainland factories regularly misreport income by having payments go to a Hong Kong or Taiwanese holding company. So-called “independent contractors” in China rarely report their income because they and their foreign employer are both operating illegally. And the billion-dollar daigou business is profitable largely through tax and customs fraud.

But if Chinese celebrities are committing tax evasion through two contracts, it’s because they’re not reporting income, not because there’s anything wrong with the two-contract model.

China cyberlaw

Many international companies that operate in China have Chinese websites and some kind of network system, whether for selling their own products or solely for internal use. In many cases, these websites and internal systems are hosted on servers outside China. I and the other lawyers on our China cyberlaw team are frequently asked whether a company that collects personal information within China must store that information within China.

The short answer is yes, though the details depend on whether the company is a critical information infrastructure operator and on the cross-border transfer rules described below.

China’s Cybersecurity Law took effect last year and it requires critical information infrastructure operators (CIIOs) to store within China the personal information and important data they collect and generate within the territory of the PRC. Whether a network operator is a CIIO typically depends on its industry and on how much a data breach would harm the public interest. Network operators in industries like public communication and information services, energy, finance, and public services are more likely to be considered CIIOs.

China is also in the process of establishing rules for the cross-border transmission of personal information and important data via draft Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (个人信息和重要数据出境安全评估办法, the Measures) and draft Guidelines for Data Cross-Border Transfer Security Assessment (数据出境安全评估指南, the Guidelines). Under the existing drafts, the Measures and the Guidelines will apply to any company that is a network operator engaged in “domestic operation.”

The term “network operator” is defined to include any person or entity that owns and manages any network and also network service providers. If a company uses its internal network for its internal company operations and uses its company website to provide information to its customers and this system and website are owned and managed by its foreign parent, the foreign parent company is a network operator.

Under the Guidelines, domestic operation means providing products or services within China. A foreign network operator that is not registered in China but provides products or services to customers in China is engaged in domestic operation and will be subject to China’s cross-border data transfer requirements.

The Guidelines also set forth how to determine whether a foreign company is engaged in domestic operation. The factors that will lead to such a finding include using the Chinese language, settling payments with RMB, and delivering or distributing products or services to China citizens or companies. If one or more of these exist, a foreign company will be deemed to be engaging in “domestic operation” and therefore will be required to conduct a security assessment before engaging in any cross-border transfer of personal information and important data. But a network operator located in China that provides only products or services to foreign entities and whose operation does not involve any personal information of Chinese citizens or important data will not be considered to be a domestic operation and therefore will not be subject to China’s cross-border data transfer rules.

China Cross-Border Data Transfer Requirements

Non-CIIO network operators may transmit personal information to a server located outside China so long as the subject of the relevant data has consented to such transmission and so long as the entity (usually a company) that initiates the transfer has undergone a security assessment regarding its data transfers. These requirements are laid out in the Measures and the Guidelines. The company should conduct the security assessment, either by itself or by engaging a third-party professional service provider. The assessment report must be kept for at least two years. In certain circumstances, the relevant industry regulator will review the assessment.

Under Article 7 of the second draft of the Measures, the relevant regulatory authority will review the assessment when the data transfer involves any of the following:

  1. Data containing or accumulatively containing personal information of more than 500,000 individuals
  2. Data related to nuclear facilities, chemical biology, national defense, or military, population and healthcare
  3. Data related to large-scale engineering activities, the marine environment, or sensitive geographical information
  4. Data related to the cybersecurity information of key information infrastructure, such as system vulnerabilities and security protection measures
  5. Other factors that may potentially affect China’s national security and public interests

  • The Required Consent

To transfer personal information outside China, a network operator must first obtain consent from the subject of the personal information. This consent must either be in writing or by some other sort of affirmative action by the subject of the data. Consent can be achieved by, for example, an online pop-up notification asking the data subject to click yes or no, or by sending a text message to the data subject requiring a “yes” or “no” reply to the cross-border transfer.

Consent can be implied in certain circumstances, such as making international calls, sending an email internationally, international instant messaging, and conducting cross-border transactions via the Internet.

  • The Required Data Security Assessment

The Measures require the company transmitting personal information and important data outside China to conduct (or use a third party to conduct) a security assessment of the cross-border data transfer system it will use to send the personal information and important data. Industry regulators or regulatory authorities will be responsible for monitoring these assessments and they shall do their own cross-border data inspections “regularly.” According to the Guidelines, when there are multiple entities involved in an outbound data transmission, the entity that initiates the transmission shall conduct the security assessment.

Only one security assessment is needed for “continuous” cross-border transmissions. If two separate data transfers occur within a year and the purpose and recipient of both transfers are the same, and the scope, type, and quantity of information are similar, these transmissions will be considered “continuous.” Take, for example, a Chinese subsidiary of a foreign retailer that collects its customers’ personal information on any initial order and then transmits that information to its foreign parent company. This sort of transmission may happen instantly many times every day with the receiver, scope and type of information remaining the same. These transmissions would likely be considered continuous and therefore not require a separate security assessment for each single transfer.

In my next post I will provide more on the nuts and bolts of what foreign companies that are doing business in China need to do to comply with China’s cybersecurity and internet privacy laws.

China data protection requirements

Earlier this year, China released the final version of the national standard on personal information protection, GB/T 35273-2017 Information Technology – Personal Information Security Specification (信息安全技术 个人信息安全规范) (the “Specification”). The Specification will take effect on May 1, 2018.

The Specification is not a law or regulation that requires mandatory compliance. However, it likely will be relied on by Chinese government agencies as a standard to determine whether companies are following China’s data protection rules. Businesses that collect or process personal information in China should check their current practices against this Specification to identify and minimize their potential risks. The below provides the basics on this new Specification.

Personal Information and Sensitive Personal Information. Under the Cybersecurity Law of China, personal information means information that can be used to identify a person if used separately or in combination with other information. This new Specification expands this definition to include information that reflects a person’s activities, such as browsing history.

Sensitive personal information includes information that, if leaked, illegally provided or used inappropriately, will likely threaten personal and property safety and can easily harm personal reputation, physical or mental health or lead to discriminatory treatment. Examples of sensitive personal information include a person’s ID card number, bank account number, and personal information of minors of age 14 or younger.

Data Controller. The new Specification introduces the concept of a personal data controller, which means a natural person or an organization that determines the purposes and means for processing personal data. A data controller is responsible for compliance with applicable laws and regulations in the collection, retention, use, sharing and transfer of personal information, as well as in handling data breaches.

Data Collection. The new Specification states that collecting personal data should be done legally and minimally. It requires a data controller to obtain consent from the personal data subject (the natural person whose data is being collected) and further requires explicit consent when sensitive data is being collected. There are a few exceptions when consent is not required, for example when the collection and use of personal data is necessary for executing and performing contracts, for a criminal investigation, or for news reports when the data controller is a news agency.

A data controller shall also establish and publish a privacy policy according to the Specification. A model privacy policy is also attached to the Specification.

Data Retention. Personal information must be retained for the shortest period of time and only to the extent necessary. After personal information has been collected, the data controller must de-identify such information and retain the de-identified information separately from any personally identifiable information. When a data controller ceases operations, it must stop collecting personal information, inform relevant data subjects of the same, and delete or anonymize all of the personal information it has retained.
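The Specification states the de-identification and separate-storage requirement but not how to build it. The following is an added example from the editor, not text or code from the Specification or from the post’s authors, showing one way an engineer might implement it: direct identifiers are replaced by a keyed HMAC token, the token-to-identity mapping and its key live in a separate “vault,” and destroying the vault turns the de-identified dataset into anonymized data. The record layout, field names, sample records and the `IdentityVault` class are all assumptions for the example; the records are constructed and describe no real person. A keyed HMAC is used rather than a plain hash because ID card and phone numbers come from small, structured spaces that an unkeyed hash would let an attacker enumerate.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records for the example; not real individuals.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"name": "Zhang San", "id_card": "110101199001011234",
     "phone": "13800000001", "order": "A-100", "amount": 88.0},
    {"name": "Li Si", "id_card": "310101198505052345",
     "phone": "13900000002", "order": "A-101", "amount": 120.5},
    {"name": "Zhang San", "id_card": "110101199001011234",
     "phone": "13800000001", "order": "A-102", "amount": 30.0},
]

# Assumed list of fields treated as direct identifiers.
DIRECT_IDENTIFIERS = ("name", "id_card", "phone")


class IdentityVault:
    """Assumed component holding the re-identification key and the
    token -> identity map. It is meant to be stored and access-controlled
    separately from the de-identified dataset (the Specification's
    separate-retention requirement)."""

    def __init__(self, key: Optional[bytes] = None):
        # 256-bit secret; a plain hash of an ID number could be brute-forced.
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        self._map: Dict[str, Dict[str, object]] = {}

    def tokenize(self, record: Dict[str, object]) -> str:
        """Derive a stable pseudonym for the subject of `record`.
        The same identifiers always yield the same token under the same key,
        so analytics can still link a subject's orders without seeing who it is."""
        if self._key is None:
            raise RuntimeError("vault has been destroyed")
        ident = "|".join(str(record[f]) for f in DIRECT_IDENTIFIERS)
        token = hmac.new(self._key, ident.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._map.setdefault(token, {f: record[f] for f in DIRECT_IDENTIFIERS})
        return token

    def reidentify(self, token: str) -> Dict[str, object]:
        """Look a token back up; raises KeyError once the vault is destroyed."""
        return self._map[token]

    def destroy(self) -> None:
        """Cease-of-operations step: drop key and map so remaining
        de-identified records can no longer be tied to a person."""
        self._key = None
        self._map.clear()


def deidentify(records: List[Dict[str, object]], vault: IdentityVault) -> List[Dict[str, object]]:
    """Strip direct identifiers from each record, keeping a subject token."""
    out = []
    for rec in records:
        token = vault.tokenize(rec)
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_token"] = token
        out.append(stripped)
    return out


def leaks_direct_identifiers(records: List[Dict[str, object]]) -> bool:
    """Check used before storing or exporting the de-identified set."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    vault = IdentityVault()
    safe = deidentify(SAMPLE_RECORDS, vault)
    for rec in safe:
        print(rec)
    print("leaks identifiers:", leaks_direct_identifiers(safe))
    print("re-identified:", vault.reidentify(safe[1]["subject_token"]))
    vault.destroy()
```

The two copies of "Zhang San" receive the same token, so per-subject analysis on the de-identified set still works, while the set itself carries no name, ID number or phone. Re-identification is only possible through the vault, which is the piece to lock down with separate access control and the piece to destroy when operations cease.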

Use of Data. A data controller must limit access to collected personal information to the minimum extent necessary. Data subjects have the right to access data and to rectify incorrect or incomplete data, the right to erasure and to data portability, as well as the right of account cancellation.

Third-Party Processors; Sharing and Transfer of Data. When a data controller outsources data processing to a third party, the data controller must conduct a security assessment to ensure the third-party processor is capable of offering sufficient security. The data controller must also supervise the processor by audits and by imposing contractual obligations regarding data processing security.

If a data controller needs to share or transfer personal information, it must first conduct a security assessment, use effective measures to safeguard data subjects, inform data subjects of the purpose and the recipient of the data transfer and obtain prior consent (a separate consent in addition to the initial consent to collecting and processing data). If a data controller is acquired by or merged with other entities, it must notify the data subjects of this fact and its successor shall continue to perform the original data controller’s responsibilities and obligations.

Data Breach Incidents. Data controllers must have security incident response plans in place, provide periodic training and perform emergency drills at least annually. When a data breach occurs, the data controller must record the incident, assess potential impact and take remedial measures. It shall also notify affected data subjects of the incident by email, mail, phone or push notification, or, when individual notice is not practically possible, by some other reasonable and effective method.

China online gaming laws

About a month ago, the Game Publishing Committee of China’s Audio-Video and Digital Publishing Association (中国音数协游戏工委) reported that China’s State Administration of Press, Publication, Radio, Film and Television (SAPPRFT) “holds a negative attitude” toward last-man-standing games like PLAYERUNKNOWN’S BATTLEGROUNDS (aka PUBG) and it would be difficult for this type of game to obtain a publishing permit in China. As we all know, “difficult” does not mean “impossible” and China’s gaming giant Tencent Holdings Ltd. has announced it will be bringing PUBG to China with a “socialist makeover.”

Though many gamers in China have had chicken dinners, PUBG has never been officially imported into China, meaning no Chinese government approval or local servers. Chinese gamers purchase PUBG (and many other games) through the widely popular gaming platform Steam, and play on servers hosted somewhere in the world other than China, like the US. This sometimes causes unstable network connections. Therefore, an official import is in demand.

  1. China prohibits foreign investment in online game publishing.

As a basic rule, foreign companies are not allowed to invest in online game publishing in China. Reiterated in the 2016 Administration Rules for Online Publishing Service (2016 OPS Rules), online games are considered online publications and offering such publications via information networks is providing online publishing services. According to the Catalog for the Guidance of Foreign Investment Industries (revised in 2017), online publishing services fall under the industries where foreign investment is prohibited. Foreign developers, therefore, are prohibited from selling or operating online games directly in China.

  2. Licensing is key

Due to the restrictions stated above, foreign game developers must partner with a Chinese entity to enter the Chinese gaming market, and licensing is the way to go.

In choosing a China licensing partner, you want to first find out whether your potential licensee is qualified to sell and operate online games in China. Ideally, this potential licensee should own an Online Culture Business Operation Permit (网络文化经营许可证) and an Internet Publishing Service Permit (互联网出版服务许可证). If the licensee does not have these permits, it will not be able to apply to import foreign online games.

You will also need a solid licensing agreement to protect your legal rights and economic benefits. What we have previously discussed on China licensing agreements remains important and you should read the following:

Once a licensing agreement has been signed, the Chinese licensee will be in charge of registering your game with the Copyright Protection Center of China, applying for import approval, and the actual operation after the approvals. Since you as the foreign game developer will not be directly involved in these steps, it is critical you choose a Chinese partner capable of going through the complex approval process and operating your game smoothly.

  3. Approval authorities and content review

If you remember the fight over World of Warcraft years ago, you already know that GAPP (predecessor of the SAPPRFT) and the Ministry of Culture (MoC) both asserted authority in approving the import of foreign online games.

As of now, approvals from both agencies are still required according to the 2016 OPS Rules and the Interim Measures for the Administration of Online Games promulgated by the MoC in 2010 (2010 Interim Measures). MoC focuses on the “cultural” perspective of the game, while the SAPPRFT focuses on the “publishing” side of things. Other than the nominal difference, it is unclear as to the exact role each of these two agencies plays in the approval process.

Overall, the content of online games is subject to censorship and games submitted for review must be fully developed and in their final operational version (or public beta version). The standard of content review is unclear. A few examples that may cause a failure to obtain approvals or lead the Chinese government to require further changes to a game include excessive violence, obscenity, compromising the territorial integrity of the state (e.g. marking certain areas as independent countries), or discrediting the Chinese army. Again, an experienced Chinese game operator should be able to help the foreign developer avoid common pitfalls.

China’s online gaming industry is booming despite heavy regulations. It was valued at $24.6 billion in 2016 (or more according to different market research reports) and is growing. Like really growing. Strategic planning, choosing your Chinese partner wisely, and carefully negotiating and crafting your licensing agreement are nearly all that you need to navigate through this battlefield and earn your “chicken dinner.”


China stock options and share incentive plans

Companies often use share incentive programs to motivate employees by tying compensation to their service. Though no foreign person can own stock in a private Chinese company, it is possible for a PRC employee of a foreign company’s Chinese subsidiary to participate in the foreign company’s employee share incentive plan (“SIP”). However, due to China’s currency controls, whether such an employee can actually “cash out” on the benefits of such a program depends on whether the foreign company is or becomes listed on a foreign stock exchange at the time of exercise.

The primary rules on PRC citizen employees participating in a foreign company’s SIP come from the Circular on Foreign Exchange Administration of Domestic Individuals Participating in Share Incentive Plans of Foreign Listed Companies [2012] No.7 (“Circular 7”), issued by the State Administration of Foreign Exchange (“SAFE”).

  • Registration and Designated Account

Under Circular 7, a foreign listed company can offer SIPs to its PRC subsidiary’s employees in China via an incentive plan. The incentive plan must be registered with the local SAFE office where the foreign company’s domestic agent is located. This domestic agent can be the PRC subsidiary of the foreign listed company participating in the SIP (if it has multiple locations, then the location of its headquarters) or a third-party domestic entity that is qualified to provide asset custodian services.

Once the registration is complete, the domestic agent must open and maintain a domestic foreign exchange account designated for handling foreign payments and collecting money for all domestic individuals participating in the SIP of the overseas listed company. Any payments under the incentive plan must go through this special account before they go to an individual participant’s bank account.

Again, just like China employment contracts, we cannot emphasize enough how SAFE registration is highly local. It is critical to consult with the local SAFE office about specific requirements for registration before submitting an application. And just as is true of pretty much anything and everything in China, you do not want to get halfway through the process before you realize you are doing it wrong because this will make doing it right more difficult or perhaps even impossible.

  • Type of Awards Covered

Under Circular 7, share incentive plans mean any incentive plan where the shares of the foreign listed company are offered to directors, supervisors (officers who supervise directors and senior management of a company, a position created under the PRC Company Law), senior management employees, other employees of the domestic company or individuals who have a labor relationship with the domestic company. This includes employee stock option plans, share ownership plans, and any incentive plans permitted by law.

Though Circular 7 does not enumerate the specific types of awards to which it applies, the relevant registration form provides checkboxes for the following types of awards: stock ownership plans, stock options, stock appreciation rights, phantom stock, restricted stock (units), performance shares (units), and stock purchase plans.

  • Nationality of Participants

Circular 7 defines “domestic individuals” as directors, supervisors, senior management and other employees within the scope of article 52 of the Regulation on Foreign Exchange Administration who are PRC, Hong Kong, Taiwan, and Macao nationals, and other foreign nationals who have resided within China for one year on a continuous basis, except foreign diplomats in China and the representatives of any international organizations in China.

  • PRC Employees and Foreign Private Company Incentive Plans

Certain special rules apply to special purpose vehicles (foreign companies established or controlled by PRC residents or organizations) and PRC law and Circular 7 are silent on domestic individuals participating in purely foreign private companies’ SIPs. This does not mean Chinese individuals are not allowed to participate in a foreign private company’s SIP, but the lack of clear legal authorization makes it practically impossible for PRC individuals to receive benefits or awards under those plans if the foreign company is not yet public by the time of exercise.

And again, because SAFE registration is so highly localized, even though the law does not require registration of a private foreign company’s SIP, it is advisable to consult with the local SAFE office and attempt registration anyway. It doesn’t hurt to ask.

A foreign company with a concrete plan to become publicly listed in the near future can enter into an agreement with its employees in China to offer stock option or other awards. If the company does go public as planned, such awards can then be registered with SAFE and special accounts can be created to process payments in compliance with PRC laws. However, when entering into such agreements, the company should also make sure its employees in China understand that if the company does not go public, the employees may never receive SIP related proceeds due to China’s foreign exchange control rules.



China cyber law
Screenshot of the Hangzhou Cyber-court website, showing its Chinese name as Hangzhou Railway Transport Court as of the end of June.

China recently adopted a plan to establish a cyberspace court in Hangzhou. The plan is for this court to accept filings electronically, try cases via livestream and hear only e-commerce and Internet related cases.

Why Hangzhou? As a general rule of Chinese civil procedure law, lawsuits must be brought in the place of the defendant’s domicile. For companies, domicile means their principal place of business or the place where they have their registered address. Hangzhou is home to Alibaba and to many other technology companies, it has been dubbed the “capital of Chinese e-commerce,” and it is the site of the China Cross-Border E-Commerce Comprehensive Test Zone (中国(杭州)跨境电子商务综合试验区). Hangzhou courts have experienced a considerable increase in the number of e-commerce related cases, from 600 cases accepted in 2013 to more than 10,000 in 2016.

Before these most recent plans for a cyber-court in Hangzhou, the Zhejiang High Court launched a pilot program to create the Zhejiang E-Commerce Online Court System to better handle Hangzhou’s increasing caseload. Three Hangzhou trial courts and the Intermediate Court of Hangzhou initially joined this system to try certain e-commerce related cases online. Other than a different space (cyberspace versus an actual courtroom) for the actual litigation/trials, there are no significant differences between the online court and traditional courts. The Zhejiang E-Commerce Court website explicitly states that its litigation processes will strictly follow China civil procedure law.

What Cases Will the Cyber-Court Handle? The Cyber-court will have general jurisdiction over certain Internet and e-commerce related cases in the Hangzhou area. Although the Cyber-court’s website is currently inaccessible, according to the Zhejiang E-Commerce Court website, the following cases (over which the existing trial courts in Hangzhou would normally have original jurisdiction) will be tried by the Cyber-court beginning on August 18, 2017:

  • Disputes regarding online purchases of goods, online service agreements, and small [online?] loan agreements;
  • Disputes regarding “internet copyright” ownership and infringement;
  • Infringement on personal rights (e.g. defamation) using the Internet;
  • Product liability claims for goods purchased online;
  • Domain name disputes;
  • Disputes arising from Internet based administration;
  • Other civil and administrative cases concerning the Internet assigned to the Cyber-court by a higher court.

No matter in which district of Hangzhou a defendant is domiciled, cases that come within the above list should be filed with the Cyber-court instead of with the trial court in the previously relevant district.

How to File a Case with the Cyber-court and Attend Trials? Please note that because the Cyber-court’s website is currently offline and inaccessible, we have had to base the information in this section on what we obtained from the website back when it was live in July and on news reports. The Cyber-court will use an online platform that allows people to file cases and attend trials. To use this platform, users must first verify their identity and then register for an account. There are two options for doing this. One is to physically go to Hangzhou and show your ID to the court clerk, which largely defeats the purpose of having an online court system. The other is to have your identity verified through Alipay (Alibaba’s payment service). If you already have an Alipay account and Alipay has verified your identity (likely, if you have used Taobao before), that verification will be accepted by the Cyber-court’s system. Note what this means in practice: the court is outsourcing identity proofing for litigants to a commercial payment platform, so the strength of the court’s identity assurance is bounded by the strength of Alipay’s.

Once you have a cyber-court account, you can file a complaint, submit evidence, and request service of process through this platform.

You can attend your trial remotely by entering a verification code on a webpage. According to the court, the audio and video of hearings and trials, the evidence presented, and other data exchanges will be encrypted using security technologies provided by Alibaba Cloud. No detail has been published on what is encrypted, between which endpoints, or who holds the keys.

Implications. For people who do not live in the Hangzhou area and want to sue someone there on causes within the Cyber-court’s jurisdiction, the new system will certainly make that more convenient. It also will likely make rulings on Internet-related cases more consistent and thereby give more and better guidance to potential and actual litigants.

But I also wonder whether everything that has been put under the Cyber-court’s jurisdiction makes sense. Take product liability as an example. How is a product liability claim for goods purchased online any different from one for goods purchased physically in a store? In what way will the Cyber-court be better able to handle such a claim? There may be differences between online and offline purchase agreements on issues such as where the defendant resides, the place of execution or performance of the agreement, or jurisdiction. But those are typically answered by existing product liability law, contract law, and civil procedure law, and there is no single “Product Liability Law for Cyberspace.” Do we need a separate cyberspace law, or is it just the Law of the Horse? Many countries, including China, have separate maritime and IP courts and those have generally worked well. Does it make sense to have a separate court handle Internet disputes? I hate to sound trite, but time will tell. Is this a genuine attempt to reform e-commerce and embrace technology? Will this one Cyber-court eventually assume nationwide jurisdiction over Internet claims (not likely)? Will other regions in China create their own cyber-courts? What have other countries done on this front? Please comment below if you know!

Does it make sense to have the system rely so heavily on one company’s technology (Alibaba’s)? Did it have any real choice? How secure is Alibaba’s technology as to data and privacy protection? What protections are in place to prevent Alibaba from appropriating and using the litigation data?

Finally, as with most new developments involving cyberspace and e-commerce in China, much about the Cyber-court remains unclear and will likely change, and fast. I will be covering the changes, so please stay tuned.

China Cybersecurity Law 101

China’s Cybersecurity Law (CSL) became effective on June 1, 2017 and it regulates the construction, operation, maintenance and use of networks, as well as network security supervision and management within mainland China. The Cyberspace Administration of China (CAC) is the primary governmental authority supervising and enforcing the CSL.

The CSL regulates cybersecurity from different aspects, including network operation security, network information security, as well as monitoring, early warning, and emergency responses.

1. Network Operations Security

Under the CSL, all network operators are required to perform the following duties to protect their networks from interference, damage, or unauthorized access, and to prevent data leaks, theft, or falsification:

  • Create internal security management systems and operating policies, and appoint dedicated network security personnel;
  • Adopt technological measures to prevent computer viruses, cyber-attacks, network intrusions and other harmful activities;
  • Monitor and record network operational status and network security incidents, and retain relevant network logs for at least six months;
  • Take measures to classify data, back up and encrypt important data.
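The log retention duty above is the one of the four that is easiest to verify mechanically and easiest to fail quietly (a rotated file deleted by an over-eager cleanup job, a collector outage that leaves a hole). The following is an added example, not from the original post and not from any regulator: it audits a constructed inventory of daily log files against a six-month window and reports the days that are missing or empty. The inventory format, the assumed 183-day reading of “six months,” and the sample data are all assumptions made here for illustration.

```python
"""Added example: audit a log archive against the CSL's "at least six
months" log retention duty. The inventory format ("YYYY-MM-DD <bytes>"
per line) and the 183-day reading of six months are assumptions."""
from datetime import date, timedelta

RETENTION_DAYS = 183  # assumption: six months read as 183 calendar days


def parse_inventory(lines):
    """Return the set of dates that have a non-empty log file.

    A zero-byte file is treated as a missing day: a file that exists but
    holds no records does not satisfy a retention requirement.
    """
    present = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, size = line.split()
        if int(size) > 0:
            present.add(date.fromisoformat(day))
    return present


def missing_days(present, today, retention_days=RETENTION_DAYS):
    """Days inside the retention window (ending today, inclusive) with no log."""
    window = {today - timedelta(days=i) for i in range(retention_days)}
    return sorted(d.isoformat() for d in window - present)


def audit(lines, today_iso, retention_days=RETENTION_DAYS):
    """Audit an inventory as of 'today_iso'; returns a small report dict."""
    today = date.fromisoformat(today_iso)
    present = parse_inventory(lines)
    missing = missing_days(present, today, retention_days)
    return {
        "compliant": not missing,
        "missing": missing,
        "earliest_present": min(present).isoformat() if present else None,
    }


def constructed_inventory(missing=(), empty=()):
    """Constructed sample data: one firewall log per day from 2017-01-01 to
    2017-06-30, with optional ISO dates left out or written as empty files."""
    lines = ["# constructed inventory, not a real archive"]
    d = date(2017, 1, 1)
    while d <= date(2017, 6, 30):
        iso = d.isoformat()
        if iso not in missing:
            lines.append(f"{iso} {0 if iso in empty else 1024}")
        d += timedelta(days=1)
    return lines


if __name__ == "__main__":
    sample = constructed_inventory(
        missing=("2017-03-14", "2017-03-15"), empty=("2017-05-02",))
    report = audit(sample, "2017-06-30")
    print("compliant:", report["compliant"])
    for day in report["missing"]:
        print("  no usable log for", day)
```

The window is anchored on the audit date rather than on the earliest file, so an archive that starts on 1 January and is audited on 30 June fails even with no gaps: 1 January to 30 June is only 181 days. That is the check worth scripting, because a retention setting of “180 days” in a log manager does not by itself prove that 180 days of logs exist.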

The CSL states that China has (or will have) a tiered network security protection system and network operators must perform the above duties to ensure network security and to meet the requirements of such a system. This indicates network operator obligations vary depending on their tier.

China currently has two existing network security related tiered protection systems. One is the Computer Information Systems Security Tiered Protection system (计算机信息系统安全等级保护制度); the other is the Telecommunication Networks Security Tiered Protection system (通信网络安全分级保护制度). The two overlap considerably on network security. Both place computer information systems or telecom networks into five levels of protection, depending on a system’s importance to national security, economic development, and social life, and on the potential damage to those interests if the network is interfered with. Whether the tiered system mentioned in the CSL will resemble these two existing systems or be a completely new one is not yet clear. But these systems and the related national standards will likely be helpful guides to understanding China’s concept of a tiered protection system.

Critical Information Infrastructure Operators

Critical Information Infrastructure (CII) and CII operators must comply with more stringent requirements on top of those applicable to all network operators. The CSL provides for the State to implement key protections for CII in public communication and information services, power, transportation, water, finance, public services, e-government, and other CII whose destruction, malfunction, or data leakage might endanger national security, the national welfare and people’s livelihood, or the public interest. The CSL contains no clear definition of CII, and the catchall language leaves plenty of room for interpretation.

However, there is a Network Security Check Practice Guide (网络安全检查操作指南, the “Guide”) created by the CAC[1] before the CSL became effective that may give some guidance in determining what counts as CII. The Guide lists fourteen industries[2] and a few key businesses in each industry. If a network or information system is mainly used to support any of these key businesses in the corresponding industry and meets other specific conditions, that network or system will likely be deemed critical information infrastructure. For example, according to the Guide, online shopping is a key business in the telecommunications and Internet industry, and one of the conditions for a platform to be deemed CII is that it has more than 10 million registered users or more than 1 million active users.

Though the definition and scope of CII have not yet been clarified, the CSL does require CII operators to comply with the following, in addition to the requirements for all network operators:

— Annual security assessment

CII operators shall review their networks’ security and assess potential risk at least once a year, either by themselves or through a third-party service provider.

— Procurement Security Review

When purchasing network products and services, CII operators must sign a security and confidentiality agreement with their vendor, clearly setting out the duties and responsibilities for security and confidentiality. If a procurement may affect national security, CII operators must also go through a national security review by the State network administration (CAC) and other relevant departments of the State Council. The Security Assessment Measures for Network Products and Services, which became effective on the same day as the CSL, provide further details on this review.

— Data localization

CII operators are required to keep within mainland China all personal information and important data collected and generated within mainland China. They are not allowed to transmit such data overseas without first passing a security review.

The Draft Data Transfer Measures released in April 2017 (the “First Draft”) appeared to extend the data localization and security review requirements to non-CII operators, which raised concerns for many foreign companies doing business in China. In a revised draft released in May (the “Second Draft”), this localization requirement was removed; the Second Draft focuses only on the security assessment of cross-border data transfers.

— Other requirements

Other requirements for CII operators include the following:

  • Set up a dedicated security management body and designate persons responsible for security management, and conduct security background checks on those persons and on personnel in critical positions;
  • Regularly educate, train, and evaluate employees on cybersecurity;
  • Back up important systems and databases in preparation for disasters;
  • Establish emergency response plans for network security incidents and conduct drills periodically; and
  • Comply with other obligations imposed by laws or administrative regulations.

2. Network Information Security

“Network Information Security” essentially refers to the protection of personal information collected and stored by network operators. All network operators are subject to the following requirements when collecting and using personal information:

  • Maintain strict confidentiality of collected user information.
  • Collect and use personal information legally, properly, and only to the extent the collection is necessary.
  • Disclose the purpose, method, and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected.
  • Network operators shall not disclose, alter, or destroy collected personal information.
  • In the event of data breach or a likely data breach, network operators must take remedial actions, promptly inform users, and report to the competent government agencies according to relevant regulations.
  • In case of illegal or unauthorized collection and use of personal information, a person is entitled to ask a network operator to delete such personal information; when information collected is wrong, an individual can request correction.

3. Monitoring, Early Warning and Emergency Response

In terms of establishing cybersecurity monitoring, early warnings of potential risk, and emergency response plans, the CSL also sets out the responsibilities of the CAC, network operators, local governments, and industry-specific departments.

——————–

[1] We found different versions of this Guide on the Internet (websites of universities, local governments, etc.), each of which claims to have been released by the CAC. However, the CAC’s own website did not have the Guide when we looked for it.

[2] The different versions of the Guide we saw are substantially similar. As for the industries listed, one version includes education, news websites, and commercial platforms as key business industries, while another omits these three and lists 11 industries. We refer to the former version only for the purposes of this blog post.

China’s new Cybersecurity Law becomes effective on June 1
China’s new Cybersecurity Law will become effective on June 1, 2017. In addition to focusing on cybersecurity, the law also details how companies are to handle personal information and data. In determining what is and is not allowed when handling personal information in China, it is important to examine the Decision on Strengthening Information Protection on Networks (2012), the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (2013), and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users (2013). There are also many industry-specific rules, including rules for banking and credit information services. China’s new Cybersecurity Law adopts and modifies these existing regulations and codifies them.

Under the new Cybersecurity Law, collecting any user’s personal information requires the user’s consent, and network operators must keep collected information strictly confidential. Personal information is defined as information that can be used on its own or in combination with other information to identify a natural person, including the person’s name, date of birth, ID card number, biometric information (e.g. fingerprints and iris scans), address, and telephone number. Once such information has been de-identified, it is no longer subject to the law’s personal information requirements. Note the phrase “in combination with other information”: a field that is harmless alone (a birth date, a district) can still identify someone together with the rest of the record, so de-identification has to consider the record as a whole, not just the obvious fields.
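To make the definition concrete, here is an added example, not from the original post and not an interpretation the law itself supplies: it takes a record containing each of the identifier types the definition lists and produces a de-identified copy by dropping the direct identifiers, replacing the ID card number with a keyed pseudonym so records can still be joined, and coarsening date of birth and address to birth year and city. The field names, the sample record (including the ID number) and the key are constructed for illustration; whether the result counts as “de-identified” for a given data set is a legal and statistical judgment this code does not make.

```python
"""Added example: de-identify a constructed customer record along the lines
of the CSL's definition of personal information. Field names, the sample
record and DEMO_KEY are assumptions made for illustration only."""
import hashlib
import hmac

# Fields the definition names that identify a person on their own.
DIRECT_IDENTIFIERS = ("name", "id_card_number", "fingerprint", "phone")

# Assumption: in a real deployment the key lives in a separate, access-controlled
# store. Whoever holds it can relink tokens to people, so for the key holder the
# tokenized data is still personal information.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(value, key=DEMO_KEY):
    """Deterministic keyed token (HMAC-SHA256, truncated).

    Same input and key give the same token, so records about one person can
    still be joined; without the key the token cannot be reversed or verified
    by guessing, which a plain hash of an ID number would allow.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(record, key=DEMO_KEY):
    """Return a copy of 'record' with identifiers removed, tokenized or coarsened."""
    out = {}
    for field, value in record.items():
        if field == "id_card_number":
            out["subject_token"] = pseudonym(value, key)   # linkable, not readable
        elif field in DIRECT_IDENTIFIERS:
            continue                                        # drop outright
        elif field == "date_of_birth":
            out["birth_year"] = value[:4]                    # generalize YYYY-MM-DD
        elif field == "address":
            out["city"] = value.split(",")[0].strip()        # coarsen to city
        else:
            out[field] = value                               # non-identifying payload
    return out


def leaks_direct_identifier(record):
    """List the direct identifier fields still present; empty means none leaked."""
    return [f for f in DIRECT_IDENTIFIERS if f in record]


# Constructed sample record; the ID card number is made up, not a real one.
CONSTRUCTED_RECORD = {
    "name": "Zhang San",
    "date_of_birth": "1985-07-12",
    "id_card_number": "110101198507120000",
    "fingerprint": "constructed-template-bytes",
    "address": "Hangzhou, Zhejiang, Xihu District, Wener Road 1",
    "phone": "+86 138 0000 0000",
    "order_total": 199.0,
}


if __name__ == "__main__":
    cleaned = deidentify(CONSTRUCTED_RECORD)
    print(cleaned)
    print("direct identifiers leaked:", leaks_direct_identifier(cleaned))
```

Two points a practitioner should take from this. First, the ID card number embeds the date of birth, which is why it is tokenized rather than merely masked. Second, `birth_year` plus `city` plus `order_total` is exactly the “in combination with other information” case: in a small data set those three fields can still single someone out, so coarsening the obvious fields is a start, not a proof of de-identification.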

According to the new Cybersecurity Law, network operators are subject to the following requirements when collecting and using personal information:

  • Collection and use of personal information must be legal, proper and necessary.
  • Network operators must clearly state the purpose, method, and scope of collection and use, and obtain consent from the person whose personal information is to be collected; personal information irrelevant to the service provided shall not be collected.
  • Network operators shall not disclose, alter, or destroy collected personal information; without the consent of the person from whom the information was gathered, such information shall not be provided to others.
  • In the event of a data breach or a likely data breach, network operators must take remedial actions, promptly inform users, and report to the competent government agencies according to relevant regulations.
  • In case of an illegal or unauthorized collection and use of personal information, a person is entitled to ask a network operator to delete such personal information; when information collected is wrong, an individual can request correction.

Who are the network operators to which the new law will apply? Owners of networks, administrators of networks, and network service providers. Telecom and Internet service providers, clearly, but “network” is broad enough to go well beyond that.

Networks are systems consisting of computers or other data terminal equipment and relevant devices that collect, store, transmit, exchange, and process information according to certain rules and procedures (Article 76 of the new Cybersecurity Law). If you have a couple of computers at home that can share files, and perhaps a printer connected to them, you technically have a network. The law is not likely to go that far, but the generic definitions of network and network operators leave a lot of room for interpretation, which is exactly how the Chinese government wants it.

The new Cybersecurity Law also requires critical information infrastructure operators (CIIOs) to store within China the personal information and important data they gather and generate within China, and to conduct annual security risk assessments regarding that data. Though the definition of CIIO is yet to be clarified, we already know that China’s yet-to-be-finalized Measures for Security Assessment of Personal Information and Important Data Leaving the Country will likely require foreign companies doing business in China to make big changes in how they handle data. The Cyberspace Administration of China (CAC) published a draft of these Measures back in April, raising many concerns for foreign businesses operating in China.

These Measures for Security Assessment would expand the data localization requirement to all network operators. This would mean that pretty much all personal information and important data collected by network operators within the PRC must be stored within China and not leave China, other than for “genuine business need” and after a security assessment. And if you think you may be a network operator, you probably are.

Since the new Cybersecurity Law does not differentiate between internal and external networks, it is broad enough to include any company that owns an internal network. Will your China WFOE be able to transmit employee information back to its overseas headquarters? In China’s Cybersecurity Law and Employee Personal Information, we set out best practices for doing this, but that was written before publication of the Draft Measures. Should the Draft Measures become effective — as expected — our views on data transfers will almost certainly toughen. Foreign companies are already setting up data centers in China so as to be able to keep data local and many of our clients are looking at doing the same.

We have been reluctant to write much about data and privacy protection in China because existing laws are both unclear and in a massive state of flux. But because this is so important and because this reluctance cannot extend to a client who needs to know what it must do now with specific data, we plan to write more often about these topics in the weeks and months ahead.

Please stay tuned.

Editor’s Note: Sara Xia is an experienced lawyer with law degrees from Shanghai University of Finance and Economics and the University of Washington. Sara practiced law in China from 2010 to 2013; she became licensed to practice law in California in 2015 and in Washington in 2016. Sara recently joined Harris Bricken to assist our clients with their cyberlaw and corporate matters, working mostly out of Seattle, Beijing and San Francisco.