Data, Privacy & Cybersecurity

As global data flows reach several gigabytes per person per day (the equivalent of hundreds of millions of people streaming videos simultaneously and ceaselessly), and with digital services now representing more than fifty percent of all services (several trillion US dollars annually), China as much as any country is rushing to regulate cyberspace. The rush has resulted in a medley of laws and cacophony of competing market voices and regulatory interpretations. The legal and compliance landscape is not as bleak or complex as it may appear, though enterprises would do well to beware of particular pitfalls and plan their business, tech, and legal structures accordingly.

As one of the country’s few law firms with a foundational focus on tech, DaHui routinely assists both domestic and international clients with all their data, privacy, and cybersecurity matters related to China. We often help multinationals in structuring and implementing dependable data practices, satisfy requirements for cross-border data transfers, perform data due diligence in M&A and investments, carry out data audits, and assist with a wide range of related compliance matters faced by all types of companies doing business in China.

From even before China’s ground-breaking Cybersecurity Law of 2016, our attorneys have an understanding of the concerns about such regulation faced by ventures in TMT, healthcare, finance, etc. or even less directly affected businesses. Setting aside the expenditure of money, time, and manpower, data and privacy protection measures may impact inter-company IT systems, supplier relationships, and even access to financing while also raising questions about IP protection, a company’s own cybersecurity risks, and lost opportunities for product or service offerings.

The inconsistent and sometimes unclear steps taken by Chinese legislators and regulators, as the legal regime is still very much a work in progress, leads to uncertainties and even many unprecedented and cutting-edge legal issues. For example, which rules apply to which cross-border data transfers, is it necessary to carry out so-called “security assessments” or “personal information protection impact assessments”, what should they and standard contracts cover, and how can one be quite sure one is compliant and not at risk of administrative or civil liability?

In this troubling legal environment, DaHui aims to provide clear, sound, and pragmatic advice. In serving as a legal vanguard on such matters, we leverage our firm’s extensive experience with China’s entire regulatory apparatus, focusing not only on written or officially announced laws and regulations, but also on the (usually more important) real-world practices and interpretive frameworks of relevant government actors. In fact, our robust expertise in this space informs practically all matters we handle, enabling us to identify and pre-empt data, privacy, and cybersecurity risks throughout our clients’ activities. As a result, our clients can operate confidently, without falling victim to the paralysis of uncertainty or becoming mired in reactive, “damage control” compliance measures, but rather empowered to focus on growing their business and transforming their commercial goals into reality.

Our services in this area include:

• Advice on PRC legal implications and compliance in various data collection, processing, and sharing activities, including cross-border data transfers
• Assistance in building up data compliance and privacy protection systems, policies, and security measures
• Advice on cross-border data transfers, including assistance in carrying out data self-assessment, personal information protection impact assessments (PIPIAs), and personal information protection certification, drafting standard contracts (SCs), and carrying out and interfacing with government officials on security assessments and SC filings
• Advice on and assistance with cybersecurity review
• Conducting of personal information protection compliance audits for internal or external purposes, and of data protection due diligence on targets of M&A or investments, and advice on possible risk mitigation measures
• Advice on compliance with the "Multi-Level Protection Scheme" (MLPS)
• Advice on measures in response to data breaches and other cybersecurity incidents
• Assistance with user and regulator inquiries or complaints, internal and government investigations, and designing and implementing rectification measures
• Formulation of user-facing and internal data/privacy policies and practices