As global data flows reach several gigabytes per person per day (the equivalent of hundreds of millions of people streaming videos simultaneously and ceaselessly), and with digital services now representing more than fifty percent of all services (several trillion US dollars annually), China as much as any country is rushing to regulate cyberspace. The rush has resulted in a medley of laws and cacophony of competing market voices and regulatory interpretations. The legal and compliance landscape is not as bleak or complex as it may appear, though enterprises would do well to beware of particular pitfalls and plan their business, tech, and legal structures accordingly.
As one of the country’s few law firms with a foundational focus on tech, DaHui routinely assists both domestic and international clients with all their data, privacy, and cybersecurity matters related to China. We often help multinationals in structuring and implementing dependable data practices, satisfy requirements for cross-border data transfers, perform data due diligence in M&A and investments, carry out data audits, and assist with a wide range of related compliance matters faced by all types of companies doing business in China.
From even before China’s ground-breaking Cybersecurity Law of 2016, our attorneys have an understanding of the concerns about such regulation faced by ventures in TMT, healthcare, finance, etc. or even less directly affected businesses. Setting aside the expenditure of money, time, and manpower, data and privacy protection measures may impact inter-company IT systems, supplier relationships, and even access to financing while also raising questions about IP protection, a company’s own cybersecurity risks, and lost opportunities for product or service offerings.
The inconsistent and sometimes unclear steps taken by Chinese legislators and regulators, as the legal regime is still very much a work in progress, leads to uncertainties and even many unprecedented and cutting-edge legal issues. For example, which rules apply to which cross-border data transfers, is it necessary to carry out so-called “security assessments” or “personal information protection impact assessments”, what should they and standard contracts cover, and how can one be quite sure one is compliant and not at risk of administrative or civil liability?
In this troubling legal environment, DaHui aims to provide clear, sound, and pragmatic advice. In serving as a legal vanguard on such matters, we leverage our firm’s extensive experience with China’s entire regulatory apparatus, focusing not only on written or officially announced laws and regulations, but also on the (usually more important) real-world practices and interpretive frameworks of relevant government actors. In fact, our robust expertise in this space informs practically all matters we handle, enabling us to identify and pre-empt data, privacy, and cybersecurity risks throughout our clients’ activities. As a result, our clients can operate confidently, without falling victim to the paralysis of uncertainty or becoming mired in reactive, “damage control” compliance measures, but rather empowered to focus on growing their business and transforming their commercial goals into reality.
Our services in this area include:
Advised Airbnb on data, privacy and cybersecurity compliance policies and ad hoc issues implicated by its local services, employment matters and other operations.
Advised CBS on local storage, cross-border transfer and other data and cybersecurity compliance issues from localizing one of its online systems.
Assisted China World Trade Center, the largest building complex of Beijing, in implementing cross-border data transfer compliance measures for using cloud-based office software.
Assisted Comcast on ensuring the cybersecurity and employment-related privacy compliance of using office CCTV and of other local operational activities involving collection of personal information.
Advised Elsevier on the full spectrum of data, privacy and cybersecurity regulatory aspects related to launching a suite of localized online information and analytics products and services.
Jan 19, 2024
Nov 17, 2023