China Business Law Podcast
S1E6 The Current State of Data Privacy Law in China with Nico Bahmanyar
Welcome to the China Business Law Podcast, a show about the practice of law in China from real in-house and law firm professionals on the ground.
Welcome everybody to another episode of the China Business Law Podcast. I'm your host Art Dicker and today I'm joined by Nicholas Bahmanyar, Nicholas or Nico as I know him is at Leaf which is a law firm predominantly based in China and just recently opened an office in Paris as well.
Hi, Nico, how's it going?
Hi. Thank you for having me. It's a pleasure to be here.
Yeah, it's a pleasure to have you and you know, I know you're an expert in particular on data privacy law and particularly in China and you know a lot of companies and what we're going to get into today, a lot of international companies feel a bit overwhelmed and feel it's a bit daunting to comply with all of these new regulations that are coming out here in China on data privacy.
I think you've suggested when we've talked before that it doesn't have to be that complicated and so I've got some good news to tell people ahead of time that this is hopefully going to be a very inspiring podcast that data Privacy Law is something that folks out there can wrap their heads around so I thought we'd get into it first just with them sort of an introduction 101.
I've seen a lot of new laws come out regarding data privacy and China recently. Can you give our audience a sense of what the landscape looks like right now with some of the regulations out there.
Sure. So especially for people coming from either the US or even better from the EU they are used to GDPR which is a big massive text covering pretty much everything on personal information. China is very different in a sense that you have one overarching text the cybersecurity law, which is only giving really a direction. And in a very Chinese way, you will have one law setting that direction but not a lot of technical detail to implement and to deploy that law. So what is happening is that in, the next five to seven years following that first law a lot of regulation measures and guidelines will be issued. With that law being very empty, it can be daunting for a newcomer in China to find answers to data privacy and to navigating those very complex and numerous laws and regulation on the that cybersecurity.
And that's not necessarily unique to the cyber security law. As you know, recently China's new foreign investment law came out and as also very lacking on a lot of specifics. I think that tends to be the way that regulations are made in China. They start out quite general and then over time the details tend to get filled in
But we have seen some regulations I think come out recently as well in addition to the cyber security law.
Yeah, and you know, thank God for that because when the cyber security law came out it was so shallow in a sense in terms of technical detail that it was actually relying on a very old glossary from 1999. So a lot of the terms were actually completely empty.
From a legal point of view, we had to wait for lower level regulations to explain what is actually the substance in that law. What do you mean by personal data? What do you mean by network operator for the longest time? We didn't know what was a network operator or critical information.
So that was very very difficult just to standby before actually understanding what was the obligation. The very first exercise for any legal adviser or lawyers to look at the law is to understand the terms and that was the first major difficulty.
And the second difficulty is that as opposed to the EU for example, where you have one regulator, China is a little bit different in a sense that you will have different central authorities. So you will have the Cyberspace Administration of China competing with the MIIT, the Ministry of Industry and Information Technology competing with the PSB the Public Security Bureau and so on and so on.
And then you have local authorities. The different layers will not only compete but also sometimes contradict each other when they will issue a regulation. So even when you actually you think that you have the answer to a specific problem reading a regulation, you might want to take this with a little bit of grain of salt to assess if this is coming from a local authority or the central authorities and which is actually the highest ranked one.
Yeah, and that's also something which we don't see quite as much in the EU and US It's generally one regulator is given a clear mandate to govern a certain domain if you like, but in China that happens a lot, you know going back to for example when audio-visual streaming technology came out in China, there was the Ministry of Culture, MIIT. SARFT all of these agencies were trying to almost territory grab on the regulatory space.
And so in some in some ways, I guess what we're seeing on data privacy law and in the cyber security law is comforting in the sense that it's following some similar patterns that we're seeing about how China regulations are made and put into practice.
How about if companies have recently enhanced their global policies for GDPR and so forth how much kind of adaptation do you see companies having to make when they are specifically trying to localize the policies for China?
The first hurdle is to actually shift the mindset from the legal department of a company coming to China to revisit their definition where they think they know in the Chinese legal landscape can change. So this will be a shift and the other one is to look at a broader scope. So yes, you will treat personal information in maybe similar ways if you have a comprehensive policies, but you might actually handle information that was not regulated outside China, but suddenly becomes regulated in China, so you will also expand your scope.
Got it. Okay. Well still I think this is maybe not unique to China but we see global multinational companies probably being able to adapt to the China local rules with relative ease. I mean they're used to do having localized policies and so forth and building extensive and sometimes expensive compliance programs.
How about if we get into the issue of smaller companies, you know SMEs out there who don't necessarily have a big operation in China, but still they are aware that the cyber security laws out there. They read a lot of client alerts about it, but still maybe not able to wrap their head around what they actually need to do.
Is there sort of a shortcut or sort of a minimalist approach that a company can put together for their policy that gets them most of the way there and is also not necessarily overwhelmingly expensive and time-consuming.
Yes. So actually the size of the business if it's a SME or a MNC doesn’t really matter in the data privacy world. What matters is how much regulated information they're handling. You can have an MNC not handling a lot of regulated data, but you can have an SME handling lots of regulated data whether it's personal information or critical information.
So the best way to understand how much you need to put in terms of resources, in terms of time and money into becoming compliant in China with the data privacy law is to understand exactly what regulated data you have. And this starts with a very simple exercise of a data inventory. Simply to understand, what do you have in house?
Is your business actually a data driven business or not? If you handle a lot of data, what kind of data is it? If it's personal information, how do you handle this personal information? Is it actually person information that you're handling simply because you have employees and so it's personal information or is actually your business built on personal information because for example, you are an advertising company.
So you can have just a couple of people in China but still handling millions of people's personal information. So this is the first step to understand exactly what you're handling and this is not a hundred percent a legal exercise so you can do this in-house with a tech person.
You can go through all the data that flows in and out and I'm not going to use any collecting or processing terms right now because these are legal terms. I really want to use a very simple definition of that inventory, which is just observing exactly what's going on in terms of data in your company.
So the design inventory is a static view of all the information that flows in your company and you can have a more dynamic view also of those data flow with a data flow diagram. So there you will map essentially what goes where.
I don't know if you're familiar with the Gedanken experiment from Einstein. So he was thinking about how to understand a particle of light, a photon, and he thought about an experiment in his head about riding a particle. So he was literally sitting on a particle.
In his mind he will understand what was going on and the best way to understand what is going on in term of data flow is to do exactly the same, you take a packet of data that you collect yourself, that you process, that you buy, that you share and you follow it through your company and it will reveal amazing things. It will reveal where you acquire your data if it's in China if it's another jurisdiction. You will also discover which SaaS which third-party products you're using and where they are located and if that makes a difference or not and you will follow essentially the life cycle of a data packet. It's also not necessarily rocket science in the sense.
You're right you can generally ignore some of the the legal terms, which if you think about them too much can get confusing. A lot of it is common sense and what is personal information? Well, it's something that identifies a person, right? I mean it's not overly complicated or outside of the box and and then what if I'm processing that information, what is that? Well, am I doing something right? Am I am I trying to draw value from it somehow and and if I'm handling or processing that information, okay, do I have consent to get from the person that gave me that information to do the things that I'm doing.
And a lot of these policies that I've seen, you know, they are very boilerplate and that's generally correct me if I'm wrong....that's fine. I mean, you know as long as you are giving people notice and getting their consent, electronic consent is easy to do these days on a website or whatnot click through.
You can actually I think craft the policy and the terms and conditions quite broadly so correct me if I'm wrong, it doesn't have to be an overly complicated to come up with a policy that gets you most of the way there as far as covering your potential liability and compliance also doesn't necessarily have to be an overly complicated exercise. Am I right to say that?
Yeah, totally actually once you have a clear picture of how you collect the information then you know exactly how you should inform the user. So informing the user is the first step before obtaining the consent because you know that you will collect information for a specific purpose and you will share the information or not to a third party.
And you also know how long you will retain this information internally and when you will destroy it then publishing this to a user informing the user about the data life cycle becomes very very clear and very simple so it doesn't have to be a complicated document. It's more a summary of the data inventory and the data flow.
Essentially explaining your data life cycles to a first time customer. I want to say somebody who's never been into your company doesn't know your business wants to understand in a very very short time in in 10 seconds or less. What is going on with data in your company? That's essentially a privacy notice.
Now at the risk of making this sound overly simplified and easier said than done and we don't want to give our listeners a false sense of security either. Maybe it's time we start to scare them a bit too. You know, there's been a lot of high profile data breaches.
You've actually and your firm have written a great article about that listing some of the most high profile and recent cases. Equifax, British Airways, Marriott, Target. Some of the more scandalous ones like Ashley Madison. So my question is on the one hand the policy seems easy enough to put together. Where do things break down?
We know that the human factor is definitely the weakest link. We know that at some point you will have someone in the company clicking on the wrong link or downloading the wrong attachment. What any company needs is some strong enough policies to stop the effect of that behavior, so I don't want to be very reductive, but you cannot trust a hundred percent your staff to keep your information safe.
You need process to add a layer of security and if you don't do this you will have a breach that is bigger than it needs to be. If you have a breach and when I say a breach it doesn't have to be a hacker. It can be simply the someone sending the wrong. email to the wrong person or it can be someone losing a laptop on a business trip.
But making sure that the information that has been lost is very quickly contained because you've identified the incident, because you've secured the device that has been lost, or because you have informed the people both internally and externally that there was an incident.
Then you can stop the effects of that incident and it can just be a very small incident if you have the right policies. So having the right people internally mobilized as soon as you have an incident is absolutely key to stopping the effects.
And I'm going to expand a little bit on the China angle where I mean, you've been here long enough to know that the relationship to risk is very different than the one we have in in Europe or in the US.
I mean, you know you you can drive here pretty much on your phone way above the speed limit and not wearing seatbelts. If you don't have an accident, it's fine right and if you do have an accident, well, it's bad luck. So you will need to treat risk a little bit differently when you talk about data protection in China and there will be a little bit more training on the concept of risk and the concept of a near-miss incident.
So it's not because for example an employer you receive a suspicious email. This should be be flagged and you should have some sort of process to relay the information back to the response team to simply be aware that there was a fraudulent email and something needs to be done. For example on the spam filter to to improve security.
So this is a little bit more here in China because simply the concept of risk is very different than we have in the West.
Yeah, and at the risk of we don't of course want to come across as being culturally snobby or having a sense of cultural superiority, but I think it is fair to say that you know in China the expectations on privacy, on data privacy are different for historical reasons. We can get into a lot of the reasons but I think most people would agree with that.
And that's just ahistorically perhaps the way it's been and that's not unique to China either, you know other countries as well as different countries and different cultures have different privacy expectations based on their their experience.
I can see that for China. You do need maybe different training levels and different kinds of training for staff and other countries as well. And one of the things I think is, looking at some of the companies that have had major data security breaches you kind of have to and again they don't necessarily happen in China, right? They happen in the US or wherever and you have you have to wonder, a company that's truly a global company think how could they ever let this happen?
Right, a S&P 500 or you know Fortune 500 company you would think would have a great system to manage but you hit it right on the head which is the weakest link is sometimes people. Human error is always there whether it's a small company or a big company and and in some ways having worked in in large multinational companies, for technology companies, I know the issue of ownership over policies, process and being accountable for things is actually quite difficult.
Sometimes in multinational companies its kind of the opposite of what we talked about earlier where in China you had different regulators fighting over who gets to have the mandate over data privacy.
For policies in multinational companies actually, sometimes the opposite is true, which is that nobody wants ownership. And that's where I imagine a lot of the breakdown can happen for as even some of these bigger companies where responsibilities are more dispersed.
So yes, it's actually more true with data privacy because as soon as we raised the topic in a MNC everybody's going to look at IT and then IT because they don't understand a lot about the regulation simply because they don't have the language for this is going to turn back to Legal. And then Legal, it doesn't really know what to do about this. So suddenly you have this data privacy topic becoming a hot potato that nobody wants.
So you have obviously a problem on accountability because nobody wants to take care of this but at a very operational level you don't have a lot of budget for this. Simply because first of all no department really wants it and also it doesn't really create value at least that's the perception. So that's a big problem in data privacy.
How do you actually justify as a department if you are IT, if you are Legal, if you are Finance. So you have those departments only perceiving data privacy as a cost center. Nobody sees data privacy as an investment that's going to yield revenue. Data privacy is not as sexy as a marketing campaign, working on the new design for product, a lot of the companies don't see compliance as something that will give them more users or more customers.
But more and more, and this is still a very slow trend but it's definitely a trend and an emerging trend, people actually putting data privacy as a strength as a part of their value proposition and this becomes especially true with companies targeting fairly young users. So I want to say millenniums see because there is a very strong attachment to personal information and to owning their data, so with a little bit older generation, it's less of a problem.
But I see more and more companies and I've seen companies for example in New Zealand putting this forward and it's very interesting because New Zealand has been perceived as a little bit of a petri dish when it comes to new features. So this is where you see companies actually putting forward data privacy as part of the value proposition but more and more I think that the Chinese customer is going to become more demanding on having their personal information being protected and this is actually I think going to be a the next big trend in China.
So doing business the old-fashioned way where you can just collect any information and share any information with whoever is not going to work for a very long time. And that's going to be not totally market-driven but also is going to be driven by very very strong sanctions and because you know, unfortunately the legal world is a scary world.
There are very strong sections in China way stronger than in the EU, for example, the GDPR data protection officer in the EU cannot be sanctioned, cannot go to jail, cannot be demoted or fired because there was some data breach. It's in the GDPR. However in China you have personal liability when a network operator fails to respect the obligations related to data privacy or data protection.
What it means is simply if a company has a breach not only the legal representative of the company can pay a fine, but the person in charge of network security and data protection can also go to jail. Can also be banned for life to hold a position in this industry. So the consequence of a violation of the data privacy laws in China are much heavier. And when you come back to those company arriving in China and thinking that they knew that the privacy because of GDPR are for example, they actually need to understand that they don't know that much simply because the rules here are very very different and everything has a different meaning.
Well, yeah, that's quite sobering for people to wrap their heads around. I mean that's because obviously responsibility is hard to pin on someone but someone like the legal rep or the highest person in charge of the policies is certainly going to be the first person that people look at and I'm sure that's why people don't always want to be the legal representative of the company in China. It's not a sought-after position necessarily.
One of the things I thought we were we should at least get a quick take from you on was, because we're recording this during the coronavirus situation, which has been going on for a few weeks now in China and and now outside of China, do you see an impact if any on data privacy on maybe data collection regarding data privacy?
Specifically it still needs to be addressed as a crisis and you can look at it as a fantastic opportunity to assess your level of preparedness when it comes to a crisis and how that will affect your access to data. If for example, your office is completely closed. Can you still access to your data that you have?
Essential backups that we call Golden Discs, it's essentially the vital information for your company to continue business. If let's say your office is closed or worst case scenario a building goes into flames and everything is lost. So the coronavirus is a good opportunity to to look at.
How ready you are to face a crisis and it's also a fantastic opportunity to work on anything data related because data should be pretty much available whether you're at the office or not, and I think it's a great time to look into it.
And to your earlier point about companies wanting to get a little more automated and take the human element in the risk of human error more and more out of the equation. This is a perfect testing ground for that because where people are dispersed and people are not able to come into the office this you can actually see where if any of your process may have the potential to break down. So I think in that sense, this is like you said, this is an opportunity.
Unity for that kind of a an assessment and maybe to improve and get your get your systems more automated.
Well, Nico, I want to thank you so much. You know this really has been a great for our audience. I'm sure going to get quite a lot out of this. You know, it's a topic I said at the beginning where it can seem a little bit daunting and people hear a lot of horror stories and it's you know, there's a lot of confusion about language and technical terms and you know legal department versus the IT department not wanting to take ownership, all the things we've talked about but I think you've done a great job of breaking it down for people and explaining in a way that they can understand and it's not necessarily an overwhelming challenge.
And so I think you know people will really appreciate all the knowledge you've given them on this episode. So thanks so much for coming on the on the show.
Well, thank you all for having me and it was really my pleasure to give a glimpse on on data privacy. And in China, it is not as complicated as it looks when you take everything brick by brick in a very engineering way. So I hope that people will get a better understanding of what it means to be compliant with the privacy regulation in China.
And how rare is that for lawyers to actually say something is not that complicated. To their clients or potential clients or friends or listeners. So well one last housekeeping thing, what's the best way for people to reach out to you? I'll put the show up and tag you on LinkedIn, is Linkedin a good way to people to reach out to you?
Yeah. LinkedIn is actually great.
Yeah, so you're active on LinkedIn. So people can continue their perfect. Well, thanks again Nico for joining and and so how pleasure you could come on. Yeah. Well, that's a wrap.