Kent Woo

Protecting Company Confidentiality in China

Safeguarding company confidentiality in China presents a critical challenge in light of a dynamic regulatory environment and a rapidly evolving technological landscape. This article examines key strategies and legal considerations, offering insights into safeguarding confidential information against unauthorized access and disclosure.

Legal Framework

The abovementioned confidential information falls under the scope of trade secrets which are protected by Chinese laws. The legal foundation for the protection of trade secrets in China is set forth in the Anti-Unfair Competition Law (《反不正当竞争法》) (“AUCL”), which was most recently amended in 2019. 

Article 9 of AUCL stipulates that trade secrets encompass commercial data, including technical and business information, which is not publicly available, holds commercial value, and is subject to appropriate confidentiality measures by the rights holder. Misappropriation of trade secrets encompasses various activities, including:

  1. obtaining trade secrets of another party through theft, bribery, fraud, coercion, hacking, or other improper means;
  2. disclosing, using, or enabling others to use trade secrets of another party acquired through the abovementioned improper means;
  3. (instigating, inducing, or assisting others in) disclosing, using, or enabling others to use trade secrets in breach of an agreement or a confidentiality obligation imposed by the rights owner; or
  4. obtaining, using, or disclosing trade secrets by a third party, while such third party is aware or reasonably expected to be aware that such trade secrets have been misappropriated through any of the abovementioned means.

Consequently, the leakage and exploitation of trade secrets constitute misappropriation. Any party involved in divulging trade secrets, or in assisting others to divulge, obtain, or use trade secrets, including rival companies, will be held liable for their actions. Affected companies are entitled to seek compensation from those responsible for misappropriation of trade secrets.

In addition to implications related to the protection of trade secrets, employees that misappropriate trade secrets may also breach their employment contracts, thus incurring contractual liabilities.

Protection Strategy

Information leakage by employees, whether intentional or accidental, poses risks to companies. To safeguard against such threats, it is crucial for companies to implement comprehensive strategies to prevent potential leakage. The following protection measures outline a robust approach for mitigating the risk of information leakage and ensuring the integrity of corporate information.

Establishment and Implementation of Policies

Developing comprehensive policies will provide clear guidance to staff regarding permissible use of various types of information to safeguard confidential data. These policies will also empower employees to make informed decisions concerning the protection of confidential information or trade secrets while taking into consideration future developments.

A company’s confidentiality policy is effective only when diligently implemented and consistently enforced. To achieve this, companies should ensure that all employees receive, understand, and acknowledge the policy through signed acknowledgment forms. Additionally, companies should routinely review and update their policies to align them with changes in business practices, technological advancements, industry regulations, and emerging threats.

Furthermore, it is recommended to go into detail on the confidentiality obligation in the employment agreement and employee handbook, to further clarify the information which companies consider confidential. These documents should outline in detail confidential information such as personnel appointment, fee rates, client list, and business plan to articulate employees’ duty of confidentiality and specify the potential consequences of unauthorized or improper use or disclosure of confidential information, such as termination of employment, administrative and/or civil action, and/or criminal prosecution.

Identify Confidential Information and Protect Verbal Information

It is crucial for companies to identify information deemed confidential and establish written procedures for recording and handling of such information. Companies should classify and catalog confidential information according to the various departments or levels within the organization. Rather than broadly classifying all company information as confidential, companies should create and routinely update a comprehensive inventory of confidential information based on the confidential information cataloged by each department at various levels. 

A common practice is to label the carriers containing confidential information with markers such as “Confidential”, “Do Not Disclose/Copy”, etc. When stored electronically, the confidential information must be encrypted and/or be subject to restrictive access.

Moreover, verbal information exchanged at internal meetings can also be confidential. Protecting the confidentiality of verbal information can be challenging. In practice, the following measures are commonly adopted by companies to safeguard orally conveyed information:

  1. Reminder and acknowledgment: Before a meeting starts, remind all attendees that the meeting is confidential and everything related thereto must be treated as such;
  2. Restrict meeting attendance: Limit invitations to only those individuals with a genuine need-to-know regarding the information being discussed; and
  3. Enforce a strict no-recording policy: Explicitly prohibit attendees from engaging in any form of unauthorized documentation, including recording and photography, during the meeting.

Security Measures

Implementing robust digital security measures is crucial for protecting confidential information from unauthorized access or theft. Some key practices include:

  1. using strong passwords and enforcing multi-factor authentication;
  2. regularly updating and patching software and systems;
  3. keeping sensitive data encrypted during both storage and transmission processes; 
  4. deploying firewalls, encryption, anti-hacker initiatives, anti-virus software, multi-factor authentication tools, and other technical protections;
  5. disabling USB ports or other portable devices or drives on company computers/laptops; and
  6. embedding a blind watermark into the distributed information or images containing confidential information to enhance traceability and deter unauthorized sharing and distribution.

In the event of any litigation caused by a dispute over a breach of confidentiality, the presence of comprehensive security measures can support a company’s case, as they can demonstrate that the company has made reasonable efforts to protect trade secrets, increasing the likelihood of judicial recognition and protection.

Regular Training

It is advantageous to cultivate a company-wide culture emphasizing confidentiality and trade secret protection, treating it as an imperative with significant reputational, financial, and legal implications. To achieve this, it is vital to train employees on the importance of confidentiality. Regular reminders and updated training sessions can also help employees remain vigilant and reinforce the importance of confidentiality.

It is essential to conduct regular professional ethics education, trade secret compliance, and other specialized training sessions for managerial, technical, and operational staff who have access to sensitive information. Establishing a system of rewards and penalties can further reinforce the significance of confidentiality, ensuring that employees understand the implications of breaches and are committed to upholding established protocols, including confidentiality clauses in the employee handbook.

Actions to be Taken after Leakage

In the event of information leakage, swift and decisive action is of utmost importance to mitigating potential repercussions and safeguarding organizational integrity. This section outlines the structured approach and key steps to be taken immediately after leakage, ensuring a proactive stance in addressing and rectifying any breach of confidentiality.

Establish Immediate Response Protocol

In the event of a breach of confidentiality, it is crucial to establish an immediate response protocol. This should include activating crisis management to handle such a breach. The response team should assess the severity of the breach, determine the scope of the leaked information, and initiate steps to mitigate any further damage. Prompt communication with all relevant stakeholders, including employees, clients, and partners, is also essential to prevent further leaks and maintain transparency and trust.

Track the Leakage and Identify the Person Implicated

Once a leak has been detected, it is vital to swiftly track the source of the leakage and identify the person or persons implicated in such leakage. A thorough analysis of digital records, including access logs and email trails, should be initiated and forensic techniques should be adopted to trace the origin of, and methods deployed in, such leakage.

Simultaneously, interviews with employees who have access to the leaked information and a review of security protocols for potential weaknesses should be conducted. Once the party responsible for such leakage is identified, the following containment measures should be put in place in a timely manner:

  1. restricting access;
  2. securing compromised systems; and
  3. notifying stakeholders as required if applicable.

Take Legal Actions Against the Person(s) Implicated

Based on the findings of the investigation, legal actions might be taken against the person or persons found responsible for the information leakage. Such actions may include internal disciplinary action, such as termination of employment, as well as legal action, such as pursuit of civil litigation. 

Drawing from our experience, it is advisable to establish a precedent by filing a lawsuit against the employee who leaked the confidential information on purpose. This action would demonstrate the company’s unwavering commitment to the protection of confidential information and send a clear message to all stakeholders about the severe repercussions associated with breaches of confidentiality.

Concluding Remarks

Protecting a company’s confidential information is paramount to maintaining its competitive edge and safeguarding the trust of its stakeholders. It is therefore advisable for companies to contemplate and implement the aforementioned strategies, in order to reduce the risk of trade secret leakage and ensure the confidentiality of confidential information.

Foreign Entities’ Compliance for Receiving PRC Personal Data

As a foreign entity which receives personal information from China, whether it has operations or establishments within the country or not, navigating China’s complex regulatory environment on data protection and privacy can be challenging. This article aims to provide such foreign entities with some basic guidance on complying with the general rules in respect of cross-border transfer of data.

Deciphering the Concept of Foreign Recipients

Before we dive into the details of regulatory requirements, as the first step, it is important to clarify the definition of “foreign recipient” under the relevant Chinese laws. This will help a foreign entity determine whether it qualifies as a “foreign recipient” in the cross-border data transfer activities it is involved in.

However, China’s Personal Information Protection Law (“PIPL”) in fact does not explicitly define “foreign recipient”. Hence, we have to rely on Article 38 thereunder, the closest PIPL comes to a definition, which stipulates: “a personal information handler that, out of business or other needs, has to transfer personal information outside of the Chinese territory should comply with the prescribed procedures hereunder […].”

Based on Article 38, we could define “foreign recipient” as an entity/person that is located outside of the Chinese territory that receives the personal information from a personal information handler within China out of business or other needs. Although the wording seems straightforward, there are still certain subtle aspects that foreign recipients are advised to pay attention to when breaking down this definition: 

1) Personal information

According to the definition in PIPL, the term “personal information” refers to various types of information recorded electronically or by other means that relates to any identified or identifiable natural persons, excluding information that has been anonymized.

2) Personal information handler 

According to the definition in PIPL, “personal information handler” refers to any entity or person who independently decides for what purposes and with what methods any personal information should be processed. 

3) Transferring outside of the Chinese territory

It could refer to several scenarios:

  • physically moving the personal information records across any Chinese border;
  • transferring personal information from an information system hosted on a server whose data room is located in China to another server whose data room is located outside of China; or
  • allowing entities and persons who are located outside of China to access the personal information stored within China.

The Chinese territory excludes Hong Kong SAR, Macau SAR, and Taiwan Province for this purpose as these three regions in fact have their own regulatory regime and jurisdiction.

Along this line, a cross-border transfer occurs when a personal information handler exports personal information to a recipient outside of the Chinese territory. Therefore, a typical scenario would be B2B transfer, where one business transfers the personal information it has collected to another business located abroad. The recipient may then store, analyze, or otherwise process the received personal information. 

In the case of C2B transfer, where an individual in China directly transfers their personal information to an entity outside the Chinese territory, be it for college programs, memberships, booking services, or cross-border payments, we argue that, by definition, the receiving entity could technically be termed a “foreign personal information handler” instead of a “foreign recipient”, as the former refers to an entity outside China that processes data from individuals within China in order to provide services to or analyze specific behavior traits of such individuals. No matter the designation, however, the personal information is still considered as being “transferred across the border” under this scenario.

For the purpose of this article, when we analyze the compliance requirements for a “foreign recipient”, we will also try to cover those for a “foreign personal information handler” since essentially, regardless of its definition under PIPL, the latter also entails foreign entities receiving personal information from China. Hence in a broader sense, it is also a foreign recipient.

Cross-border Transfer Procedures

When cross-border transfer is to happen, there are several procedures an entity has to go through before it may transfer the personal information across the Chinese border. As the laws and regulations in China attach great importance to the role of “personal information handlers”, the obligation of compliance lies largely with the handlers. 

A personal information handler is required to go through one of the three prescribed procedures in Article 38 of PIPL, which are:

  1. completing a security assessment administered by the Cyberspace Administration of China (“CAC”);
  2. filing a Standard Contract (a template published by CAC) that it has signed with its overseas recipient(s) and the Personal Information Protection Impact Assessment (“PIA”) report with CAC; or
  3. obtaining certification by qualified institutions.

Discussions have been focused on these three procedures and how they should be carried out ever since 2021 when PIPL first came into effect. Subsequent regulations and guidance issued with respect to the above mechanisms for cross-border transfer of personal information have been evolving and debated among government authorities, industry participants, and legal professionals until the latest Rules on Regulating and Promoting Cross-border Data Transfer (《规范和促进数据跨境流动规定》) (the “Promoting Rules”) came into force.  

The Promoting Rules is a milestone in Chinese legislation on cross-border transfer of personal information, as it relaxes the threshold for compliance measures and provides several scenarios in which personal information handlers could be exempted from the three procedures for cross-border transfer set forth in Article 38. Such exemption may apply to, for example: 

  1. export of personal information (not sensitive) of no more than 100,000 individuals;
  2. export of employees’ personal information that is necessary for human resources management;
  3. export of personal information of an individual that is necessary for the purpose of concluding and performing a contract to which the individual is a party, such as cross-border shopping, payments, booking of hotels, etc.; or
  4. export of personal information out of urgent needs to protect personal or property safety and health.

This brings us back to the discussion with respect to the B2B and C2B transfer of information. It appears that a typical C2B transfer would most likely be exempted from the three cross-border procedures as it normally falls under scenario 3 above, while the B2B transfer may or may not meet the above requirements for exemption.

Regardless of whether it should be exempted from the three procedures in Article 38 above, as long as a personal information handler transfers personal information across any Chinese border, it will need to comply with some general obligations such as obtaining separate consent from the data subject(s) for such transfer, properly disclosing the details of processing to the data subject(s), adopting sufficient data protection measures, conducting PIAs, etc.

Foreign Recipients’ General Compliance Obligation

The above compliance requirements for personal information handlers may give you a general idea of what might be required from a foreign recipient which is in a supportive role in terms of cross-border transfer compliance. 

In the scenario of a B2B transfer, a foreign entity which receives personal information from a domestic personal information handler would normally be a partner or vendor of the personal information handler and hence is required to support the personal information handler in fulfilling its obligations, including:

  1. entering into a contract for the commissioned processing of personal information, which shall at least set out the purpose, term, methods of processing, the types of personal information, the personal information protective measures, and the rights and obligations of the parties;
  2. assisting the personal information handler in compliance with the three cross-border transfer procedures in ways such as entering into a Standard Contract for processing of personal information or providing support during PIAs where applicable;
  3. accepting the supervision of the personal information handler in terms of data processing;
  4. processing the personal information strictly in accordance with the agreements in the contract with the personal information handler; either deleting or returning any personal information when the contract is terminated, invalidated, rescinded, revoked, or otherwise ended;
  5. not engaging subcontractors without the approval from the personal information handler; and
  6. adopting necessary measures to ensure the safety of personal information, which should at least meet the standard of protection required for a domestic personal information handler.

For a foreign recipient who is the partner or vendor contracted by the personal information handler to provide goods or services, normally, it is important to have proper contracts and documents prepared to meet the obligations mentioned above. A foreign recipient aiming to provide top-tier services may choose to take an additional step to assist the personal information handler to prepare the sections in relation to the foreign recipient in a PIA report. Especially for those cross-border transfer activities not covered by exemption scenarios, personal information handlers will need to submit PIA reports to CAC for review. Nonetheless, please note that this approach is proactive and not mandatory under the laws and regulations.

In the scenario of a C2B transfer, for a foreign personal information handler that helps process the personal information of its individual customers in China for the performance of certain contracts to which the individual customers are a party, it could be exempted from Article 38’s three cross-border transfer mechanisms according to the Promoting Rules, but it still has general obligations as discussed above, such as obtaining separate consent from data subjects, making proper disclosure, adopting sufficient security measures, and conducting PIAs, among others.

Conclusion

Even though a foreign recipient may not have any operations or establishments in China, it may still be subject to legal liabilities under PIPL due to this law’s extraterritorial reach. Furthermore, non-compliance may subject a foreign recipient’s Chinese clients or business partners to penalties as well.

Hence, it is important that a foreign recipient take a more proactive stance towards compliance under China’s data and privacy framework, and pay particular attention to the requirements of cross-border transfer of personal information. As long as Chinese customers’ personal data is involved, regardless of the scale of operation, it is advisable for a foreign recipient to review and streamline the personal information processing flow and seek advice from advisors with expertise in China on compliance requirements.

Please note that the foregoing analyses do not apply to the personal information of critical information infrastructure operators (“CIIOs”), which refers to the operators of vital infrastructure for public communication and information services, energy, transportation, water utilities, finance, public services, electronic government services, and other important industries. We have also not covered the concept of important data, referring to the data of which the tampering, damage, leak, or illegal access or use may jeopardize national security, economic vitality, social stability, public health, and safety. CIIOs’ data and important data are subject to more stringent regulations in China with respect to cross-border transfer. Such issues should be addressed and evaluated separately, especially if a foreign recipient suspects that its operation may involve CIIO data or important data. In any case, comprehensive examination of these matters lies outside the purview of this article.

Chinese Court Practices of Attorneys’ Fees under CISG

It is commonly understood that attorneys’ fees are not recoverable losses under the laws of China (Hong Kong, Macao, and Taiwan excluded for the purpose of this article) in most types of legal disputes, with a handful of exceptions such as intellectual property and labor disputes. This rule is well-established in practice and applied in numerous cases heard by the Chinese courts; however, at the theoretical level, it is continuously debated among scholars and practitioners.

When it comes to the provision governing the calculation of damages in the United Nations Convention on Contracts for the International Sale of Goods (“CISG”), Article 74 of CISG is silent about whether litigation expenses, including attorneys’ fees, are recoverable in a dispute where CISG is applied. This has led to various interpretations by courts in different jurisdictions. By studying the case reports compiled by Chinese courts that reveal courts’ perspectives on attorneys’ fees under CISG, this article aims to reveal the prevailing opinions held by Chinese courts regarding this matter and to identify potential differences between relevant rules under CISG and Chinese laws, thereby providing predictability for future cases.

To avoid any doubt, the attorneys’ fees discussed herein solely refer to the costs incurred by a claimant within a specific court case and exclude any expenses arising from legal proceedings between the claimant and any third parties, such as its downstream buyers, local authorities, etc.

Interpretations of Article 74 of CISG

On the one hand, it is not surprising that advocates for classifying attorneys’ fees as recoverable losses primarily base their argument on the text of Article 74 of CISG and the principle of protecting bona fide parties. The rationale behind this argument is that attorneys’ fees are actual losses incurred by the parties, as evidenced by case reports from courts in Germany, Japan, and other jurisdictions.[1]

On the other hand, based on the principle of equality, the CISG Advisory Council takes a different stance in Opinion No. 6, maintaining that “although Article 74’s principle of full compensation appears to support the view that litigation expenses should be recoverable in order to make the aggrieved party whole, such an interpretation would be contrary to the principle of equality between buyers and sellers as expressed in Articles 45 and 61.” The underlying rationale is that “if legal expenses were awarded as damages under Article 74, an anomaly would result where only a successful claimant would be able to recover litigation expenses,” and therefore, this will give the prevailing claimants or respondents an unfair advantage.[2] However, the CISG Advisory Council is a private initiative, and as such, its opinions are not legally binding on the CISG contracting states.

Similar viewpoints are found in the case reports of some courts outside China. In some cases, certain courts rule that attorneys’ fees are not recoverable losses under Article 74, but a district court may exercise its inherent authority to penalize a litigant or the litigant’s lawyers for engaging in bad faith litigation practices.[3] In this sense, awarding attorneys’ fees as damages is an issue governed by domestic laws rather than CISG.

Case Study on Chinese Court Practices

Based on a study of accessible case reports, Chinese courts’ practices on whether an aggrieved party is entitled to recover attorneys’ fees as litigation costs under CISG vary. However, a clear pattern emerges: most Chinese courts dismiss such claims, suggesting a prevailing opinion against awarding attorneys’ fees as damages. This tendency has become more pronounced in recent years.

Reasons for Denial of Attorneys’ Fees

The grounds on which the courts deny the recovery of attorneys’ fees may vary, but can be broadly categorized as follows:

However, it is noteworthy that in some cases, courts may deny attorneys’ fees on one of the grounds listed above while granting awards of notarization and translation fees as litigation costs, showing certain inconsistencies in the underlying logic behind such awards.

Reasons for Awards of Attorneys’ Fees

Although less common and less recent, there are some case reports that support the recovery of attorneys’ fees under CISG. The rationale behind the case reports emphasizes the goal of protecting the rights of non-breaching parties, without touching upon the potential controversies surrounding the interpretation and scope of Article 74 of CISG.

The reasoning for awarding attorneys’ fees as reasonable litigation costs includes:

By assessing the number of accessible case reports supporting each side, we can see that the Chinese courts tend to deny the recovery of attorneys’ fees and are typically inclined to adhere to previous case reports employing the same reasoning. However, we are under the impression that the courts’ tendency to dismiss the claims for recovery of attorneys’ fees is largely dictated by courts’ practices under Chinese laws, since these case reports seldom touch upon the interpretation of Article 74 of CISG and a significant portion of them reach their conclusions without providing a detailed rationale.

Trends of Future Chinese Court Practices

As indicated above, given the current court practices in China, the likelihood of claiming attorneys’ fees as recoverable losses under CISG before Chinese courts is relatively low. This trend is expected to persist in the near future. 

A case report recently published in the Database of Cases of People’s Republic Courts (in Chinese: 人民法院案例库) states that the CISG Advisory Council Opinions could be taken as a reference when interpreting the articles of CISG,[4] further bolstering our stance on the trend. As the case reports in this Database are selected by the Supreme People’s Court of China, this development, to a certain extent, indicates the Supreme Court’s inclination towards considering such opinions. This recent case report provides Chinese courts a legal ground to interpret Article 74 of CISG along with the CISG Advisory Council Opinion No. 6, with the latter arguing against the recovery of attorneys’ fees. This case report, together with the CISG Advisory Council Opinion No. 6, may provide guidance for future practices of Chinese courts.

Despite the above-mentioned developments, it remains possible for claimants to argue for recovery of attorneys’ fees, given that the CISG Advisory Council Opinion No. 6 is not binding and there have been no case reports directly addressing the issue. To recover attorneys’ fees, it is imperative to demonstrate the bad faith of the respondent, the significant losses incurred by the claimant due to the breach, the efforts made by the claimant for resolving the dispute, and the work performed by the attorneys.

Concluding Remarks

In contrast to the practices of some other jurisdictions, Chinese courts generally hold a negative attitude towards treating attorneys’ fees as recoverable losses. Although attorneys’ fees may not constitute a substantial portion of the claims in a dispute, they in some cases can be an important consideration for a claimant to decide whether to pursue legal action. Consequently, we find it of great importance to understand the stance of Chinese courts on this issue, which will greatly facilitate our efforts to protect our clients’ interests.

[Note] 

[1] See a summary on the website of CISG Online: https://cisg-online.org/cisg-article-by-article/part-3/art.-74-cisg/loss-by-category-of-loss/attorneys-fees.

[2] CISG-AC Opinion No 6, Calculation of Damages under CISG Article 74. Rapporteur: Professor John Y. Gotanda, Villanova University School of Law, Villanova, Pennsylvania, USA. Available at: https://cisgac.com/opinions/cisgac-opinion-no-6/.

[3] Zapata Hermanos Sucesores, S.A. v. Hearthside Baking Comp., U.S. Court of Appeals (7th Circuit), November 19, 2002, available at: https://cisg-online.org/search-for-cases?caseId=6625.

[4] A German Medical Technology Company v. a Ningbo Company over Contract of International Sales of Goods, Zhejiang High Court, Case No. (2022) Zhejiang Civil Final No. 1205, February 16, 2023. The reference number in the Database of Cases of People’s Republic Courts is 2024-10-2-084-001.

New ESG Reporting Guidelines for China’s Stock Exchanges

On April 12, 2024, China’s three major stock markets, the Shenzhen Stock Exchange (SZSE), the Shanghai Stock Exchange (SSE), and the Beijing Stock Exchange (BSE), issued their respective Guidelines on Self-Regulation of Listed Companies – Sustainability Report (Trial) (collectively, “Sustainability Report Guidelines”).  

The Sustainability Report Guidelines, effective on May 1, 2024, are a milestone as they mandate the first-ever disclosure requirements for listed companies about information related to environmental, social, and governance (“ESG”) issues, two years after the China Securities Regulatory Commission (“CSRC”) stated in 2022 its intention to establish corporate sustainability disclosure requirements to support the sustainable development of listed companies. 

This article aims to introduce the scope of disclosure in the Sustainability Report Guidelines, highlight certain reporting requirements, and set out their implications for foreign investors.

Scope of Disclosure

As mentioned in our previous article, ESG in China – Opportunities and Challenges for Foreign Investors, much of the emphasis on ESG in China has been placed on ESG disclosure in recent years, and stock exchanges in China have been particularly active in developing an ESG disclosure regime in this regard.

Prior to the promulgation of the Sustainability Report Guidelines, China only imposed compulsory ESG disclosure obligations on certain companies, typically “dirty” manufacturing companies and those that had previously violated environmental or labor regulations. For other companies, ESG disclosure is generally on a voluntary basis.

The Sustainability Report Guidelines, however, impose clear and mandatory disclosure requirements for specific listed companies.  The scope of mandatory disclosures of different stock exchanges is listed in detail in the table below:

It is noteworthy that, in contrast with the SZSE and the SSE, the BSE has decided to only require voluntary disclosure for its listed companies.  This may be due to the fact that the BSE primarily targets small and medium-sized enterprises, which are generally still at the stage of development and may have limited disclosure capabilities.

Overall, although only approximately 500 companies fall within the scope of mandatory disclosure under the Sustainability Report Guidelines, the new requirements help further standardize the ESG reporting practices among Chinese companies, which will better inform foreign investors of the actions taken by companies to address and manage the impacts, risks, and opportunities related to sustainable development.

Highlights of Reporting Requirements

An overarching principle of the Sustainability Report Guidelines is the double materiality approach (“Double Materiality Principle”) on sustainability disclosure topics. The Double Materiality Principle requires regulated companies to identify whether each topic is expected to have a major impact on their business model, operations, development strategy, financial position, operating results, cash flows, financing methods, and costs over the short, medium, and long term (financial materiality) and whether a company’s performance in related issues has a material impact on the economy, society, and environment (impact materiality).

Specifically, under the Sustainability Report Guidelines, regulated companies will be obliged to disclose information across a myriad of ESG-related issues, including climate change (Articles 21 – 28), environmental compliance management (Article 33), data security and customer privacy protection (Article 48), anti-commercial bribery and anti-corruption (Article 55), anti-unfair competition (Article 56), etc. This article will highlight some of these issues below.

Climate Change

In recent years, China has been actively addressing climate change issues and making significant progress in meeting its national strategy of the “Dual Carbon” goal in 2020, which aims to peak carbon emissions before 2030 and achieve carbon neutrality by 2060. In particular, there has been increasing regulatory attention to carbon trading in China.  The Interim Regulations on Administration of Carbon Emissions Trading (《碳排放权交易管理暂行条例》) promulgated by the State Council and coming into force this May set out the general regulatory legal framework over carbon emissions allowance in the carbon trading market in China.

Local governments have also been active in developing the carbon trading regime by releasing local policies and regulations. For example, in August 2023, the Department of Ecology and Environment of Guangdong Province released the Implementation Plan of Guangdong Emissions Trading to Support Peaking Carbon Emissions and Achieving Carbon Neutrality (2023-2030) (《广东省碳交易支持碳达峰碳中和实施方案(2023-2030年)》), which aims to effectively give full play to the role of the carbon trading market in Guangdong Province.

The Sustainability Report Guidelines further specify the required disclosure items for listed companies that participate in carbon trading. For example, Article 24 encourages entities to entrust third-party agencies to disclose and verify the company’s greenhouse gas (GHG) emissions data, as well as other related data. In addition, if the relevant entity participates in carbon trading, it shall disclose whether such trading has been settled within the reporting period and whether any rectification or investigation imposed by the relevant regulatory authorities is involved.

Data Security and Customer Privacy Protection

In recent years, China has introduced several landmark data protection laws and regulations to establish a comprehensive regulatory framework for data security and data protection.

The importance of sound data security and privacy policies for enterprises is further emphasized in recent ESG-specific legislation. Notably, Article 48 of the Sustainability Report Guidelines stipulates that the relevant entity shall disclose the basic information of data security and customer privacy protection during the reporting period, including but not limited to: 

  1. establishment and operation of the data security management system, as well as specific measures and certification obtained (if any);
  2. details of the data security incidents that occurred during the reporting period, including the impacts, the amounts involved, the corrective measures taken, and the corresponding effects (if any);
  3. information on the construction and operation of the customer privacy protection system; and
  4. details of events related to the leakage of the privacy of the customers that occurred during the reporting period, including the impacts, the amount involved, the corrective measures taken, and the corresponding effects (if any).

The Sustainability Report Guidelines further demonstrate that data security and privacy protection are essential aspects of corporate sustainability and an integral part of ESG disclosures. Given the nature of the data-driven business of many companies nowadays, companies need to be more aware than ever of the need to strictly follow and comply with privacy laws and standards in China to avoid any breach of data protection laws and corresponding penalties by Chinese regulatory authorities.

Anti-Unfair Competition

It is a worldwide issue that companies may exaggerate their ESG performance and contribution through incomplete or fabricated ESG disclosures by, for example, engaging in “greenwashing” to attract investors. Greenwashing is banned in many jurisdictions to better protect investors and consumers.

China has not enacted a specialized law to regulate greenwashing, but it regulates such misconduct through specific bodies of laws, including the Advertising Law (《广告法》), the Anti-Unfair Competition Law (《反不正当竞争法》), the Law on the Protection of Rights and Interests of Consumers (《消费者权益保护法》), etc.

Article 56 of the Sustainability Report Guidelines stipulates that the regulated entity shall disclose the specific information of its anti-unfair competition work during the reporting period, including but not limited to the specific measures for preventing unfair competition (such as false advertising, monopolies, trade secret infringements, etc.).

The requirements under the Sustainability Report Guidelines add another layer of protection for investors by requiring companies to disclose ESG-related information objectively and truthfully and by emphasizing that the companies shall not disclose information relating to sustainable development selectively, and shall not mislead investors and other interested parties, no matter whether such disclosures are mandated or voluntary.

Concluding Remarks

In sum, as an effort to join other major markets in moving towards greater transparency and mandatory sustainability reporting requirements for companies, the Chinese government is expected to take further strides towards strengthening environmental regulations, addressing social issues, and improving corporate governance by imposing compulsory ESG disclosure requirements on a larger scope of companies.

As stipulated in the revised Company Law (《公司法》), which is to take effect from this July, companies shall take into full consideration the interests of their employees, consumers, and other stakeholders, as well as social and public interests, including the protection of the environment, and shall assume social responsibilities when engaging in business operations. The revised Company Law clearly marks a pioneering effort in establishing ESG-related obligations for all companies, even though the requirements are only high-level at this stage. 

As we are still expecting further implementation rules to be promulgated to provide further guidance for companies in this regard, it is crucial for foreign investors to keep an eye on the Chinese markets to stay up-to-date on the country’s ESG disclosure requirements, as well as other recognized international standards, such as the International Financial Reporting Standards (“IFRS”) and the Sustainability Disclosure Standards developed by the International Sustainability Standards Board (“ISSB”), which, although not explicitly referred to in the Sustainability Report Guidelines, have a substantial impact on the measurements and methods ultimately adopted therein.

PBOC Drafts New Payment Service Rules for Public Review

On April 22, 2024, the People’s Bank of China (“PBOC”) published on its website the draft version of the Implementation Rules for the Regulation on Supervision and Administration of Non-bank Payment Institutions (《非银行支付机构监督管理条例实施细则征求意见稿》) (“Draft Rules”) to solicit public comments. The Draft Rules is the first set of implementation rules for the Regulation on Supervision and Administration of Non-bank Payment Institutions (《非银行支付机构监督管理条例》) (“New Regulation”), which came into effect on May 1, 2024. This article aims to provide an overview of the key changes introduced by the Draft Rules.

1. Business Types

According to the New Regulation, China-based payment services providers (“PSPs”) and all foreign PSPs that provide cross-border payment services to Chinese users are required to obtain Payment Services Permits (支付业务许可证) issued by PBOC. Under the legal framework prior to the implementation of the New Regulation, a Payment Services Permit may cover one or more of the following business types:

  • Internet Payment (互联网支付);
  • Mobile Phone Payment (移动电话支付);
  • Prepaid Card Issuance and Acceptance (预付卡发行与受理) or Prepaid Card Acceptance (预付卡受理);
  • Bankcard Acquiring Business (银行卡收单); and
  • Digital TV Payment (数字电视支付).

Due to rapid technological developments that have revolutionized people’s way of life, the categorization system above has grown increasingly inadequate for accurately classifying contemporary payment services. The New Regulation therefore introduced a simplified categorization for issuing the Payment Services Permits, featuring only two categories, namely, Stored Value Account Operation (储值账户运营) and Payment Processing Operation (支付交易处理). Article 57 of the Draft Rules outlines how the existing business types may be aligned with the New Regulation’s categorization, as shown below:

2. Registered Capital

Prior to the implementation of the New Regulation, PSPs were generally subject to a uniform CNY 100 million minimum registered capital requirement, regardless of their different scopes of business. In the New Regulation, however, PBOC is given the leeway to impose different thresholds of registered capital to fit different business types. The Draft Rules now takes a step further and proposes to clarify the calculation method for such capital thresholds, as summarized below:

Minimum Registered Capital = Base Registered Capital + Added Capital

Where the Base Registered Capital is CNY 100 million, and the Added Capital is calculated as below:

It should be noted that if a PSP fits descriptions in categories 1), 3), and/or 5) above, then its applicable Added Capital should be the sum of the amounts specified in all applicable categories.

3. Net Asset to Customer Reserve Fund Balance Ratio

The New Regulation also introduces a new principle that PSPs should have sufficient net assets to operate. Article 61 of the Draft Rules proposes that the minimum net assets of the PSP should satisfy certain thresholds calculated based on the daily average of the balance of customer reserve funds:

According to Article 78 of the Draft Rules, DAB shall be calculated as the mean of the customer reserve fund balances recorded at the end of each day throughout the most recent calendar year (January 1 to December 31). 

4. Transitional Period for Existing PSPs

For PSPs licensed to operate before the effective date of the New Regulation, there could be a risk if they do not currently meet the minimum registered capital requirements and minimum net assets requirements proposed in the Draft Rules. According to Article 76 of the Draft Rules, existing PSPs shall have until the expiry of their current payment business license (i.e., until the next license renewal) to meet the qualification requirements and net asset to customer reserve fund balance ratio requirements (as discussed above). For a PSP whose license will expire within 12 months, the transitional period will be extended to 12 months.

5. Missing Clarity for Foreign-based PSPs

The New Regulation has drawn a lot of attention from foreign-based PSPs largely due to the requirements under the second paragraph of Article 2, which requires any non-bank institution outside China that intends to provide cross-border payment services to domestic users to establish a non-bank payment institution in China.

In current practice, many foreign-based PSPs provide cross-border payment services and foreign exchange settlement to their PRC customers through their Chinese partners who possess a payment services license and qualification to process cross-border RMB/foreign currency transactions. Both the foreign-based PSPs and their local partners are eagerly waiting for the other shoe to drop, that is, to learn whether their business model can continue or whether the foreign-based PSPs must conduct business via a Chinese PSP in its own name. However, both the New Regulation and the Draft Rules are still silent on this issue.

6. Concluding Remarks

The Draft Rules has provided much-needed clarification on certain issues regarding the transition from the existing legal framework to the New Regulation, such as the categorization of business types, registered capital, net assets, and the transitional period.

On the other hand, the Draft Rules remains silent on certain vague areas under the New Regulation, such as the definition of the cross-border payment services provided by foreign non-bank payment institutions. Please note that the Draft Rules is still in the public consultation phase. As such, it is important to recognize that the final version of the implementation rules may be different from the current draft. We will closely monitor further legislative actions.

New Regulations on Non-Bank Payment Systems

On December 17, 2023, the State Council of China promulgated the Regulations on Supervision and Administration of Non-bank Payment Institutions (in Chinese: 非银行支付机构监督管理条例) (“New Regulations”). The formal promulgation of the New Regulations concludes the three years of public reviews and discussions over the draft for comment version of the Regulations on Supervision and Administration of Non-bank Payment Institutions, which was promulgated on January 20, 2021 (“Draft for Comments”). This article seeks to provide a brief overview of the key points introduced by the New Regulations.

Reclassification of Payment Business

The current prevailing legal framework in China on the regulation of payment services was established around 2010, with the main regulation being the Administrative Measures of People’s Bank of China on Payment Services Provided by Non-financial Institutions (in Chinese: 非金融机构支付服务管理办法) (“PBoC Measures”).

The PBoC Measures regulates the payment business in three categories:

With the development of various recent technologies, especially QR code payment services, the boundaries between online payment and other categories of payment services are very much blurred. As a result, the market sometimes finds it difficult to determine the applicable regulation category for certain products.

The New Regulations simplifies the categorization. Based on whether the payer’s prepaid funds can be received, payment business is divided into two types, namely, stored-value account operation and payment transaction processing. 

It is noteworthy that the two-category system under the New Regulations is not a “natural transition” from the PBoC Measures system. As such, after the New Regulations take effect on May 1, 2024, how the existing payment licenses under each of the three categories will operate under the new two-category system is yet to be clarified by the authorities.

Services to Corporate Customers

In the Draft for Comments, it was proposed that there should be restrictions on the opening of accounts for corporate users (“2B Accounts”). The legislators were concerned that, compared with commercial banks, payment institutions very often have weaker KYC (know your customer) and KYB (know your business) systems. A few recent case reports indeed show that certain payment institutions, having failed to verify transaction parties and relevant information, provided payment services to corporate accounts related to criminal activities such as telephone fraud.

The New Regulations replaces the restriction with a general proposal, which recommends that “the government shall encourage non-bank payment institutions to cooperate with commercial banks, in order to provide payment services for institutional users through bank accounts”.

It is our understanding that the legislation has moved away from the restriction of 2B business for payment institutions and embraces a more carefully monitored arrangement, while still leaving room for 2B business.

Clarification on Cross-border Payment Business by Foreign Institutions

Article 2 of the New Regulations stipulates that, where a non-bank institution outside China intends to provide cross-border payment services to domestic users, it shall establish a non-bank payment institution in China pursuant to the provisions hereof, unless otherwise stipulated by the State.

For a long time, there have been no unified and explicit normative documents regarding the cross-border payment services provided by foreign payment institutions.

Based on the wording of the New Regulations, it should not be necessary for a foreign institution to maintain a licensed business presence in China if its operations are for payment transactions completely outside China, regardless of whether its customers are based in China or not.

The wording of the New Regulations also seems not to forbid the current practice in the market where foreign institutions cooperate with Chinese payment service providers to provide cross-border payment services. Article 19 of the New Regulations clearly stipulates that payment institutions providing payment services for cross-border transactions shall comply with the relevant provisions on cross-border payment, cross-border RMB business, foreign exchange management and cross-border data flow.

Considering that the PBoC issued the Administrative Measures on Cross-border Payment Services in 2021 (“Exposure Draft”) after the Regulations had established the regulatory framework of the payment industry, we believe that we can look forward to the promulgation of detailed rules on cross-border payments soon.

Stricter Requirements on Personal Information Protection

Article 32 of the New Regulations sets forth requirements relating to the protection of personal information obtained by payment institutions. In general, the New Regulations reflect the relevant requirements expressly provided in China’s Personal Information Protection Law. For example, the New Regulations emphasize the principle of legality, appropriateness, necessity and integrity in the processing of users’ information, require payment institutions to disclose the rules for processing users’ information, expressly state the purpose, methods, and scope of processing users’ information, and obtain users’ consent (unless otherwise required by laws and administrative regulations). The New Regulations also requires payment institutions not to collect users’ information unrelated to the services they provide, and not to refuse to provide services for reasons such as users’ disagreement with the processing of users’ information or withdrawal of users’ consent.

In addition, when sharing users’ information with affiliated companies, the New Regulations requires payment institutions to inform users of the name and contact details of such affiliated companies, to obtain the users’ separate consent on the content of information to be shared, as well as the purpose, duration, methods, and protection measures for the processing of information, etc. Furthermore, the New Regulations requires payment institutions to supervise their affiliated companies to ensure compliance with the laws and regulations and controllable risks. These requirements are significantly stricter than those under the Draft for Comments, and it is the first time that a financial regulatory document explicitly stipulates the sharing of users’ information by relevant financial institutions with affiliated companies.

Concluding Remarks

The New Regulations comprehensively iterates and upgrades the regulatory rules in the payment industry. With respect to the type of business, the New Regulations reclassifies the payment business into two types and makes room for payment institutions to conduct 2B business. The New Regulations explicitly provides for the supervision of cross-border business. In terms of data and systems management, the New Regulations emphasizes the independence of payment institutions’ operations and systems and provides for the protection of personal information. During a press interview on December 18, 2023, the respective responsible persons from the People’s Bank of China and the Ministry of Justice stated that the authorities’ next work plan will be to make the rules for the transition from the PBoC Measures to the New Regulations and to further refine the administrative approval and punishment procedures. We will continue to follow up with the latest developments.