Kent Woo

Corporate Compliance | New Specification Under PIPL

On 24 June 2022, the Secretariat of the National Information Security Standardization Technical Committee (TC260) issued the Technical Specification for Certification of Cross-Border Transfers of Personal Information (“Certification Specification”). This article addresses the impact of the Certification Specification on multinational corporations and their business operations.

Background

According to Article 38 of the Personal Information Protection Law (“PIPL”), companies must meet one of the following criteria in order to transfer personal information of certain scale overseas:

  1. Undergo a security review organized by the Cyberspace Administration of China (“CAC”), except where exempted in relevant laws and regulations; 
  2. Undergo personal information protection certification by a professional institution in accordance with the regulations of the CAC; 
  3. Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC; and
  4. Meet other conditions set by the CAC or relevant laws and regulations,

The scale of personal information that triggers these requirements has not yet been fully clarified in the current legislation.

The Certification Specification was formulated to provide detailed guidance on the second criterion listed above, i.e., the personal information protection certification.

Scope of Applicability

The Certification Specification provides that the certification mechanism applies to cross-border personal information transfers in the following scenarios:

  1. cross-border personal information processing activities among the subsidiaries and affiliates of a multinational company or an economic or public entity; and
  2. processing activities that are subject to the extra-territorial effect of Article 3 of the PIPL, namely overseas companies aiming to provide services to natural persons in China or evaluate the activities of natural persons in China.

Scenario 1) relates to multinational company groups; and Scenario 2) relates to foreign companies that provide services to natural persons in China.

It should be noted that the Certification Specification appears to expand the extra-territorial effect of the PIPL by requiring overseas data controllers providing services to natural persons in China to comply with the certification mechanism. According to Article 38 of the PIPL, by contrast, such certification may be applied only when the companies transfer personal information overseas.

However, given that the Certification Specification is silent on the threshold for the scale of personal information at which a company shall apply for such certification, the actual implementation of the Certification Specification remains to be further clarified by the authority.

How to Apply for Certification

According to Article 2 of the Certification Specification, the local representatives established or designated by overseas personal information processors, as mandated by Article 53 of the PIPL, can apply for the certification.

Article 2 further provides that the local representatives shall bear the legal responsibility accordingly. Nevertheless, the detailed requirements on the local representatives as well as what legal responsibility shall be borne are not yet clarified in the Certification Specification.

Article 3(f) of the Certification Specification further provides that “the certification of cross-border processing of personal information is a voluntary certification recommended by the state. Qualified data controllers and foreign recipients are encouraged to voluntarily apply for certification of cross-border processing of personal information when processing personal information across borders”. 

In practice, most overseas data controllers are reluctant to voluntarily apply for certification and subject themselves to complex and costly compliance. Unfortunately, the Certification Specification gives no further explanation on this point, nor does it set out the detailed procedures for applying for certification. Whether overseas data controllers will be required to apply for certification awaits further clarification of the Certification Specification.

In addition, although the Certification Specification already came into effect, it does not provide information about which professional agencies are qualified to conduct the certification, nor how to apply for a certification.

Key Certification Requirements

The basic requirements under the Certification Specification generally align with those under the PIPL but are more detailed, namely:

Data controllers and the foreign recipients of the personal information shall sign a legally binding agreement, which should specify at least the following:

  1. the data controller and the foreign recipient;
  2. the categories of personal information being transferred;
  3. the purpose of processing;
  4. the applicable measures to protect the rights and interests of data subjects;
  5. the responsible party within China;
  6. an obligation of the foreign recipient to comply with the data laws of China, acceptance of supervision by the certification body and acceptance of jurisdiction of relevant laws; and
  7. other obligations stipulated by applicable laws and regulations.

The Certification Specification requires both the data controller and the foreign recipient to designate a data protection officer and establish a relevant department focusing on ensuring the fulfillment of requirements for protection of personal data security. This extends the present provisions of the PIPL and imposes an obligation on both the data controller and foreign recipient.

Moreover, data processors and foreign recipients must comply with the requirements on the cross-border personal information processing and data controllers are required to carry out data protection impact assessments in order to address the potential impact of changes in the foreign legal environment and cybersecurity environment on data subjects’ rights.

Concluding Remarks

The Certification Specification provides more detailed guidance on the certification mechanism introduced by the PIPL, but many essential questions remain to be addressed. For instance, the Certification Specification is silent on the threshold for the scale of personal information, the certification bodies in charge, and the certification procedures.

In light of the above, data controllers and foreign recipients will have to wait for future enforcement actions and further clarifications of the Certification Specification, which will reveal whether overseas data controllers will be required to apply for certification and clarify further details in this regard.

On the other hand, the rapid finalization of the Certification Specification and the issuance of the finalized Security Assessment Measures (数据出境安全评估办法) and Standard Contracts for Cross-border Transfers of Personal Information (Draft for Comments) (个人信息出境标准合同规定(征求意见稿)) highlight the Chinese government’s recent focus on cross-border data transfers and imply that greater regulatory scrutiny is yet to come.

Given the questions left unanswered by the Certification Specification, data controllers and foreign recipients involved in cross-border personal information transfer activities should pay close attention to future developments in order to pre-empt any regulatory scrutiny.

Exiting From China – Three Options You Should Be Aware Of

Exiting from China is a difficult decision, but recently many business owners have been considering or have made such a decision for various reasons: to reorganize and optimize their corporate structure, to save costs, or simply to rescue what can be rescued from already sunken costs.

If this is the case for your business, this article will provide a practical guide for self-evaluating the options to wind up a business in a legally compliant manner in China. For ease of reference, we will explain the simplest followed by the more complicated options.

Simplified Deregistration

You may infer from the heading that this should be the simplest way to close a business in China. A simplified deregistration generally applies to small scale companies which either:

  1. have not commenced operations since their establishment;
  2. have not incurred any debts or credits before the deregistration application; or
  3. have properly cleared all their debts and credits, including remuneration and compensation to employees, social security, contractual debts, taxes etc.

However, it should be noted that there are several circumstances where companies are not allowed to apply for simplified deregistration. These circumstances include the company being subject to foreign investment restrictions, the company having its business license revoked, the company having its equity interest frozen or charged, or there being an on-going government investigation against the company, among other things. Moreover, the local Administration for Market Regulation (AMR), that is, the company registry in China, may impose other restrictions on the applicant and the practices in different provinces/cities may vary.

Usually, simplified deregistration would not be a good option unless the company’s operations are very limited, and all debts are properly paid up. This is because shareholders will need to submit an undertaking to the AMR, that all shareholders shall be held liable after the deregistration if creditors show up eventually to collect their payments.

It is therefore desirable to first evaluate the scale of business operations and decide if a simplified deregistration suits the company’s situation. If indeed that is the case, the company should start dismissing employees, terminating contracts with vendors and customers, and wrapping up its business operations. During this process, the shareholder(s) may engage a law firm or consultancy firm to handle all the procedural and documentational requirements for the deregistration application, which usually can be completed via the AMR’s online application system.

Simplified deregistration usually takes less than 3 months, including a mandatory 20 day announcement period during which the decision of deregistration will be published to allow third parties to file an objection against such deregistration.

After the AMR has processed the company’s application, the company will need to complete the post-deregistration formalities, including but not limited to deregistration at other government authorities such as the foreign exchange authority, social insurance authority, and customs authority, closure of the company’s bank accounts, and destruction of the company seals.

Liquidation Deregistration

Usually, liquidation deregistration applies to companies which have a larger scale of operations and a more complicated debt and credit structure. Liquidation deregistration is more common in China than simplified deregistration.

While simplified deregistration does not require a company to set up a liquidation committee, liquidation deregistration requires this. The liquidation committee usually consists of the shareholder(s) or persons elected by the shareholder(s), unless otherwise specified by the company’s Articles of Association. It is not necessary for all the shareholders to sit on the liquidation committee. After the formation of a liquidation committee, the company will need to record the members of the liquidation committee with the AMR.

After this has been completed, the liquidation committee can start their work, including conducting a preliminary review of the company’s financial numbers, preparing the balance sheet, profit and loss and cash flow statements (or engaging qualified auditors to do this), and formulating a plan to settle all the debts and dispose of all the assets of the company by sale or auction. The liquidation committee must then prepare a liquidation report on its completed works, and auditors must prepare a qualified auditing report, both of which will need to be submitted to the authorities. If it turns out that the company’s assets are unable to cover all of its debts, the liquidation committee should file for bankruptcy at the local court and hand over all the liquidation matters to the court.

The company must then publish an announcement to liquidate and deregister in the newspaper (or on the AMR’s website, subject to the local requirements), informing creditors to submit their claims. After 45 days of such announcement, the company can proceed to the next step of the liquidation deregistration by filing the application at the AMR.

It is important to deregister with the taxation administration before making an official application to deregister the company at the AMR. The company will need to ensure that it has paid all taxes, surcharges and penalties, and has liquidated its assets before the taxation administration allows the company to continue with the liquidation process.

Like simplified deregistration, all post-deregistration formalities need to be completed for liquidation deregistration.

A liquidation deregistration typically takes more than 6 months, largely depending on the efficiency of the liquidation committee and the conditions of the company’s tax compliance. The AMR’s review will generally not exceed 1 week if all the documents are properly prepared.

Selling the Company

If the company still retains a large amount of assets, satisfactory production lines or customers of value, the shareholder(s) may consider selling the company to potential buyers. A sale can proceed in two ways: (1) selling the equity interest of the company (an equity deal), or (2) selling the assets of the company (an asset deal). An asset deal is quite similar to a liquidation deregistration, during which the shareholder(s) dispose of the assets of the company, and the applicable taxes are more or less similar. An equity deal, on the other hand, may prove to be more favorable than a liquidation deregistration in many ways. Therefore, we will focus on the transfer of equity to the seller in the following paragraphs.

Usually, the sale of a foreign invested entity in China will be subject to stamp duty tax of 0.05% and income tax of 10% (for company shareholders) or 20% (for individual shareholders). Of course, if the income from selling the company cannot even cover the shareholders’ investment, then income tax should generally be minimal.

On the other hand, if the shareholder(s) liquidate the company, the shareholder(s) will need to sell the company’s assets. In this regard, the company will need to pay stamp duty, value added tax, and local additional surcharge etc. In addition, when the shareholders receive the remaining distribution of assets after liquidation, income tax will also be applicable. Hence, a liquidation may potentially subject the company and its shareholder(s) to higher taxes.

Moreover, the buyer may retain the employees of the company and therefore save the company the cost of dismissing its employees and having to pay them statutory severance payments.

However, no option for exiting China is perfect and there are still cons if one chooses to sell the company. In an equity deal, the shareholder(s) will need to consider whether any antitrust filings are required both in China and/or any other jurisdictions where the buyer has business operations. Especially when the company’s or the buyer’s market share in the industry is considerably large, the sale and acquisition may mean an antitrust review is required by the relevant authority. Moreover, if the company possesses special permits or licenses that require approval from, for example, authorities that oversee a specific industry, such permits or licenses may need to be renewed for the buyer to continue the company’s operations after it acquires the company.

An equity deal will need professional lawyers and/or financial advisors to guide the company and its shareholders through the process, since it involves legal, financial, and tax due diligence conducted by potential buyers on the company, preparation of complicated transaction documents, lengthy negotiations, specialist knowledge (for example, on foreign exchange restrictions, which are quite unique in China and which complicate the cross-border transfer of funds), coverage of the sellers’ representations and warranties, price adjustment mechanisms and/or closing procedures, among other things.

Once the transaction agreements are signed, regulatory filings are also required. Normally, the company should file for the change of shareholders at the AMR, record the foreign investment change through an online registration system, and record the new shareholder at the local administration of foreign exchange and local taxation administration etc. All these filings should be quite straightforward.

An equity deal generally takes around 3 to 6 months but sometimes takes longer depending on the negotiation process between the parties.

Concluding Remarks

To sum up, a company’s China exit plan needs to be tailor-made based on the company’s specific circumstances and there is no uniform approach for all companies.

It would certainly not be wise to simply leave China without completing all company deregistration filings and procedures as required under the laws of this country, as this may lead to heavy penalties from the government. If you intend to temporarily close your business, please note that China now allows a short dormancy period of 3 years for companies that face difficulties in their operations due to natural disasters, accidental disasters, public health events, social safety events etc., subject to approval by the AMR.

Professional opinions should always be sought before any actions are taken to avoid potential legal issues and liabilities in the future.

Corporate Compliance | Person-In-Charge Under PIPL in China

With the development of data protection legislation in China, especially after the promulgation of the Personal Information Protection Law (“PIPL”, effective on 1 November 2021) and the Data Security Law (effective on 1 September 2021), it has become inevitable for corporations to bring data protection compliance to the next level. Many companies may consider reviewing their policies and workflow management to provide sufficient and compliant protection for their customers and employees with respect to data security.

An effective system with a person-in-charge for the data compliance in a company (“Person-in-Charge”) is highly advisable to plan and organize the compliance in this regard.

This Q&A has been prepared to help understand the current responsibilities imposed by legislation on the Person-in-Charge in order to arrange the position properly. 

1. Which Companies Should Have The Person-in-Charge?

According to Article 52 of the PIPL, the personal information processor whose processing of data has reached the threshold amount specified by the national network information department shall designate the person-in-charge of personal information protection.

Although the threshold amount has not yet been clarified by the authority, a reasonable reference that may be considered is 500,000 pursuant to Article 11.1(c) of GB-T35273-2020 Information Security Technology-Personal Information Security Specification: a company shall have a full-time Person-in-Charge if the company handles or is expected to handle personal information of more than 1 million people within 12 months, or handles sensitive personal information of more than 100,000 people.

As such, it is advisable for companies meeting the above threshold to appoint the Person-in-Charge as a precautionary step for the company’s data protection compliance.

Moreover, it should be noted that for companies that do not have an office in China and still want to provide services in China, a special agency or a designated Person-in-Charge in China is necessary in accordance with Article 53 of the PIPL.

In our experience, many major domestic and international companies have updated their Privacy Policy and published the information of their Person-in-Charge.

2. Who Can Be The Person-In-Charge?

An employee, for instance the head of legal or the head of IT, or even an external professional consultant could be the Person-in-Charge. Current regulations do not impose compulsory qualification requirements on the Person-in-Charge. As a common practice, many companies choose to have an outsourced Person-in-Charge, such as professors, lawyers etc., who have expertise in data protection and are comparatively independent from the company, considering that an employee may have a conflict of interest in supervising his or her own employer.

However, for the purpose of compliance, to appoint someone who is not an employee, a well-developed service agreement and a Non-Disclosure Agreement should be in place in order to shield the company from any potential risk.

3. What Qualifications Does The Person-In-Charge Need To Have?

As mentioned above, the PIPL does not mandate any requirement for the Person-in-Charge with respect to expertise, independence or particular certificates. Nowadays, there are several data protection related certificates available, but they are not required by the laws and authorities.

In any event, to better perform the duty, the Person-in-Charge should be familiar with the data processing activities, and should have acquired proper relevant training or have appropriate knowledge of data protection law and practices.

4. What Responsibilities Does The Person-In-Charge Have?

The PIPL only stipulates the responsibilities of the Person-in-Charge as “supervising the personal information processing activities and the protection measures taken”. Therefore, the detailed responsibilities remain to be further clarified. It is common practice for the Person-in-Charge to fulfill the following duties:

  1. To plan, organize and implement the data protection work comprehensively, including but not limited to the formulation of a data security management system, the implementation of a data protection plan, the selection and appointment of a data security management team, and the granting of management authority, etc.
  2. To keep up with the latest relevant laws and regulations and closely supervise the business’s compliance. To update the data protection policies and workplans and analyze the potential risks and irregularities.
  3. To actively cooperate with the competent authorities in their regulatory work, including daily consultation on the data processing activities of the company, timely submission of the relevant reports, cooperation with the regulatory authorities to obtain the required data and information, etc.
  4. To coordinate the personnel of all parties to avoid data security incidents. To actively organize and carry out personal information security training for the relevant staff, enhancing the data compliance awareness of the personnel, and to conduct irregular anonymous spot checks.
  5. To fulfill other obligations imposed by laws and regulations, including data retention and deletion, disclosure by means of complaints and reporting, data security incident reporting, etc.

5. What Liabilities Does The Person-In-Charge Need To Bear?

The PIPL will penalize “directly responsible individuals” for violations, and a Person-in-Charge could be a directly responsible individual. In this case, administrative penalties shall apply including a fine ranging from 10,000 RMB to 1 million RMB. In serious cases, criminal penalties may be imposed.

In any event, the risk and liabilities for the Person-in-Charge should be low if the person performs his/her duty diligently. The detailed requirements and standards to determine the Person-in-Charge’s performance remain to be further clarified by the authority.

6. What’s The Difference Between The Person-In-Charge And Data Protection Officer (“DPO”) Under GDPR?

It is true that the Person-in-Charge is similar to the DPO under GDPR, but the two concepts are not completely the same. The DPO role places more emphasis on independence from the data controller, while the Person-in-Charge pays more attention to organizing and planning compliance for the company comprehensively and does not specifically focus on independence.

Moreover, to facilitate DPO’s performance of its duty, GDPR endeavors to limit its personal liabilities incurred while the Person-in-Charge tends to bear a bit more legal liability on the information protection.

Concluding Remarks

To conclude, it is fundamental for companies to follow the latest legislation on data protection in China since the new laws have been passed over the past few years. Consequently, the way that companies handle data and personal information in China has to progress accordingly. Companies are advised to take action as soon as practically possible to ensure that their China-related privacy practices are compliant with the requirements prescribed therein. As one of the key points, the establishment and management of the Person-in-Charge in a company should be taken into serious consideration.

Obtaining Consent When Collecting and Using Personal Information

The issue of personal information protection has been attracting an increasing amount of attention from enterprises and users in recent years. One very important part of personal information protection is obtaining users’ consent in the process of collecting and using their personal information, which enterprises must pay great attention to.

The purpose of this article is to explain, from a legal compliance perspective, how enterprises should obtain users’ consent when collecting and using their personal information, especially when doing so through Apps.

Definition and Method of Consent

Article 4 of the General Data Protection Regulation (“GDPR”), a regulation for personal data protection and privacy in the European Union and European Economic Area, defines consent as “any freely given, specific, informed and unambiguous…statement or…clear affirmative action” by which a person gives permission for their personal data to be processed in a particular way.

The Information Security Technology—Personal Information Security Specification (“PI Specification”), which details specific guidelines for consent and how personal information should be collected, used and shared in China, categorizes the method of consent into “express consent” and “authorized consent”. “Express consent” refers to the behavior of the personal information subject who voluntarily makes a statement in paper or electronic form through written or verbal means, or makes an affirmative action on his or her own to expressly authorize the specific processing of his or her personal information. Affirmative action includes the personal information subject actively ticking a box, clicking “agree”, “register”, “send”, “call”, or providing the personal information by filling out a form etc.

In contrast, “authorized consent” refers to the act of express authorization by the personal information subject for the specific processing of his or her personal information, which includes both authorization through positive actions (i.e., express consent) and authorization through negative inactions (e.g., the personal information subject in the information collection area does not leave the area after being informed of the collection of his or her information).

Furthermore, “separate consent” and “written consent” are new requirements introduced by the second draft version of the Personal Information Protection Law (“PIPL Draft”), although such requirements are not yet clearly defined. According to the PIPL Draft, situations requiring separate and/or written consent include:

  1. the personal information being provided to a third party or made public;
  2. the collection of personal images and personal identity characteristic information through devices in public places and providing this to other persons or making it public;
  3. the processing of sensitive personal information; and
  4. the transferring of personal information outside the territory of China, etc.

Principles for Notification and Consent

The draft Information Security Technology—Guidelines for Personal Information Notices and Consent (for Public Comment) (“Draft Guidelines”) set out the principle of express consent as precedence, and authorized consent as exception.

In addition to the general principle of lawfulness, legitimacy and necessity, the Draft Guidelines stipulate the following basic principles when implementing the notification of consent in order to ensure that the notification process and the process of obtaining consent are effective and efficient:

With respect to the notification process:

  1. Open and Transparent – announcing the scope and purpose of collecting and using personal information, not concealing the personal information collected by the product or service and the purpose of its use, and not inducing the personal information subject to skip the content of the notice by deliberately obscuring or hiding it.
  2. Communicate One by One – informing the personal information subject of the relevant content one by one, or in case of significant difficulties, by means of announcement.
  3. Simultaneous and Real-Time – when personal information processing scenarios such as collection and use of specific business functions are involved, or when personal information collection behavior is triggered, informing the personal information subject immediately.
  4. True and Accurate – reflecting the true and accurate scope and purpose of personal information collection and use of products or services.
  5. Specific and Clear – the type and purpose of personal information to be collected and used must be combined with the actual business scenario, without the use of formatted terms.
  6. Clear and Easy to Understand – the text of the notification should be in accordance with the language habits of the personal information subject (e.g. simplified Chinese), using standardized language, figures, diagrams, etc., and should avoid the use of ambiguous language.

With respect to obtaining consent:

  1. Consistent with Notification – the scope of authorization to obtain consent should be consistent with what is notified.
  2. Self-Determined Choice – the option to obtain consent should be actively displayed to the personal information subject to support his or her own choice, and when consent is not given, only the normal use of the current type of service should be affected.
  3. Appropriate Timing – consent should be obtained from the personal information subject before the act of personal information collection occurs and when the content of the notification is communicated simultaneously, so as to improve the personal information subject’s understanding of the relevance of business functions related to the personal information collected.
  4. Independence and Classified – after distinguishing the type of service of the product or service, the consent of the personal information subject should be separately obtained, and the personal information subject should not be forced to accept or reject all personal information that may be collected all at once.

Exceptions for Obtaining Consent

Obtaining consent is generally required when personal information is collected and used, the purpose of use is changed, the personal information is provided to the public, and in other cases.

Unlike the GDPR, the lawful basis for processing personal information in China is relatively limited under the current legal framework (which includes the Cybersecurity Law as the main overarching law), with consent being typically required in connection with the general processing of personal data. China’s new Civil Code, which came into force on January 1, 2021, extended the legal basis for processing personal information, and the PIPL Draft, which currently follows the personal information-related provisions contained within the Civil Code, is expected to contain more exceptions for obtaining consent in the final version.

Under the Civil Code, the infringer shall not bear civil liability when processing personal information under the following circumstances:

  1. When the processing is essential for:
    • acts performed reasonably within the scope agreed by the natural person or his or her guardian;
    • reasonably processing the information made public by the natural person himself or herself or other information that has been legally made public; and
    • other reasonable acts performed to protect the public interests or the legitimate rights and interests of the natural persons.
  2. Actions for the public interest such as news reporting and public opinion supervision within the reasonable scope of processing.
  3. Other circumstances as stipulated by laws and administrative regulations.

The PI Specification also provides detailed exceptions to obtaining consent of the personal information subject for the collection and use of his or her personal information as follows:

  1. When related to the fulfillment of personal information controllers’ obligations imposed by laws and regulations.
  2. When directly related to national security and national defense.
  3. When directly related to public safety, public health, and significant public interests.
  4. When directly related to criminal investigation, prosecution, trial, judgment and enforcement, etc.
  5. When safeguarding the major lawful rights and interests, such as life and property, of personal information subjects or other persons, and it is difficult to obtain the authorized consent of the personal information subject.
  6. When the personal information subject voluntarily discloses the collected personal information to the general public.
  7. When necessary to sign and perform a contract according to the personal information subject’s request (note, however, that the main function of the personal information protection policy is to disclose the scope and rules of the collection and use of personal information by the controller of personal information, which should not be treated as a contract in this context).
  8. When the personal information is collected from legitimate public information channels, such as legitimate news reports and government information available to the public.
  9. When necessary to maintain the safe and stable operation of the provided products or services, such as to detect and handle product or service malfunctions.
  10. When necessary for the personal information controller, such as a news agency, to make legal news reports.
  11. When necessary for the personal information controller, such as an academic research institute, to conduct statistical or academic research in the public interest, and the personal information has been de-identified in the publication of the academic research or results.

Rules Related to Obtaining Consent Through Apps

The protection of personal information collected and used in connection with Apps has recently attracted much attention. In recent years, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation (hereinafter collectively referred to as “regulatory departments”) have carried out several rounds of special rectification due to actual or potential personal information breaches that arose or may have arisen as a result of the increasingly large amount of personal information collected and used by Apps.

With regard to the issue of illegal collection and use of personal information through Apps, regulatory departments have set up corresponding user reporting channels to receive user complaints and reports and handle them accordingly. For example, the working group on the illegal collection and use of personal information by Apps has set up a public number for “Apps personal information reporting” and the website pip.tc260.org.cn; the Cyberspace Administration of China has set up the “illegal and undesirable information reporting center”; and the Internet Society of China, entrusted by the Ministry of Industry and Information Technology, has set up a center for reporting and handling undesirable information and spam disseminated through a network, and from time to time publicizes a list of Apps that illegally collect and use personal information.

For those Apps for which a public notification has been issued, if the enterprise refuses to rectify the problems, it may be subject to penalties based on the Cybersecurity Law and other laws and regulations, including but not limited to warnings, confiscation of illegal income, and a fine of more than double or less than ten times the illegal income (without illegal income, a fine of less than one million yuan), suspension of business, revocation of business and other licenses, closure of the website, etc. In addition, serious cases, such as the illegal sale or provision of citizens’ personal information to others, may further incur criminal liability.

A series of standards provides basic guidelines for the protection and regulation of personal information, including the Method for Identifying the Illegal Collection and Use of Personal Information by Apps, the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps, etc. The following guidelines from these standards are worth noting:

  a) Consent shall be obtained before the collection of personal information or permitting access to the personal information which may be collected in the future, and the user must be provided with the option to agree or disagree.
  b) Personal information should not be collected in any form after a user has explicitly disagreed with the collection.
  c) Consent should not be frequently requested after the user explicitly disagrees with the collection (which may interfere with the normal use of the personal information), such as frequently asking the user (more than once in 48 hours) each time they reopen the App or use a business function (although the action of asking for consent for a specific function that the user actively chooses to use is not considered a frequent interference).
  d) Consent should not be asked for in a non-explicit manner, such as setting users to agree to the privacy policy by default. If the user’s consent is sought by requiring users to click “Next”, “Register”, “Login means consent”, etc., in addition to prominently displaying the privacy policy and other rules of collection and use, the user’s consent must also be explicitly stated. Furthermore, the logical relationship between the execution of the above actions and consent to the privacy policy must also be made clear in order to achieve the effect of actively reminding users to read the privacy policy followed by seeking their consent.
  e) Not obtaining the user’s consent should not change the status of his or her permission to have his or her personal information collected.
  f) Users shall not be misled to agree to having their personal information collected in an improper way, and they shall not be intentionally deceived by, for example, disguising the true purpose of collecting and using their personal information. Furthermore, users shall not be induced to agree to having their personal information collected or to permit access to the personal information which may be collected in the future (for example, the App prompts users to permit access to the address book in order to participate in activities such as red packets, gold coins and lotteries).
  g) Users shall be provided with ways and means to withdraw their consent to having their personal information collected. If the user refuses or turns off the access for the collection of their personal information, this shall not affect the user’s normal use of business functions not related to the permission, and shall not result in the suspension of other business functions, or reduce the service quality of other business functions.
  h) The personal information processing activities shall be carried out in strict compliance with the disclosed privacy policy and other rules on collection and use of the personal information and be in compliance with the agreement of the user; if the purpose, manner and scope of use of personal information changes, the user’s consent shall be obtained again.

In relation to item g) above, the Provisions on the Scope of Necessary Personal Information for Common Types of Internet Applications, which came into force on May 1, 2021, specify the essential information for different categories of businesses and require that Apps shall not deny users access to their basic functional services when they do not agree to provide non-essential personal information. This has become an important basis for the regulatory departments to inspect and supervise all kinds of Apps, specifically those that violate the principle of necessity and collect personal information that is not related to the products or services provided.

Last but not least, from the draft Interim Provisions on the Administration of Personal Information Protection for Apps (for Public Comment), released on April 26, 2021, we can see that the protection of personal information collected through Apps is a systematic objective, as the responsibilities of specific types of entities will be more clearly defined in the regulation, including not only App developers and operators, but also third-party service providers, distribution platforms, intelligent terminal manufacturers and network access service providers.

Concluding Remarks

For evidence retention and compliance requirements, enterprises should ensure they have an effective audit trail of when and how consent was given so that they can demonstrate they are meeting their compliance obligations and provide related evidence if challenged.

We consider that enterprises may need to be more proactive to meet compliance requirements based on their own business type and model. When collecting and using personal information, how consent should be obtained may differ depending on various scenarios, such as the collection and use of personal information through Software Development Kit (SDK), Internet of Things (IoT), personalized recommendations, Internet finance, vehicle mounted, and online shopping, etc. Enterprises are advised to carry out a self-audit based on their own situation.

As China is still in the process of establishing its data compliance and cybersecurity legal framework, the related laws and regulations are quickly updated. Therefore, it is advisable to closely and continuously pay attention to the legislative developments of personal information protection in related industries and areas.

Layoffs in China – What You Should Know

As the economy slowly picks up from the impact of COVID-19, some companies may develop redundancy plans for cost control before the general economic situation fully recovers. The legal procedure governing layoffs may, nevertheless, be complicated for companies to comply with. This article briefly discusses the legal aspects of layoffs in China under the current legislative framework.

Layoffs Versus Normal Termination

Layoffs are governed by Article 41 of China’s Labor Contract Law, and are a way to greatly reduce the workforce at a potentially low cost. The payments to be made under the laws and regulations on layoffs are half of those to be made to employees terminated the normal way without a statutory ground. However, the procedures for layoffs are complicated and may take a comparatively longer period of time to complete. Some employers find the procedures troublesome and inconvenient and may therefore want to avoid the application of laws and regulations on layoffs. On the other hand, a normal termination without legitimate causes can be processed quickly but at higher costs, as discussed below.

Statutory Threshold for Layoffs

The very first thing one should know about layoffs in China is the minimum number of employees to be laid off that enables a company to initiate and qualify for a layoff, and therefore to potentially benefit from the more favorable rules and conditions in terms of severance pay. According to China’s Labor Contract Law, a company can only apply for a layoff if at least 20 employees (or fewer than 20 employees but accounting for 10% or more of the total number of employees of the company) will be laid off.

Based on this rule, one may think that it is easy to find a way to apply for a layoff. However, this may not be the case. In addition to the minimum number of employees to be laid off, there are certain statutory grounds (introduced below) which also play a critical role in determining whether an employer can initiate a layoff. An employer can only apply for a layoff if both the number of employees to be laid off and one or more statutory grounds are satisfied.

Statutory Grounds for Layoffs

The statutory grounds for an employer to legally justify a layoff are that the company:

  1. restructures pursuant to the Enterprise Bankruptcy Law;
  2. suffers serious difficulties in production or business operations;
  3. changes its production or methods of business operation, or introduces a major technological innovation, and after amending the labor contracts, still needs to lay off the employees; or
  4. can no longer perform the labor contracts due to major changes in the objective economic circumstances based on which the labor contracts have been concluded.

Despite such statutory grounds, the circumstances under items 2) to 4) are quite general and vague, and there are no specific standards for an employer to determine if it falls under any of them. Therefore, whether an employer can successfully apply for a layoff can only be determined on a case-by-case basis by the relevant supervising administrative bodies.

Procedure for Layoffs

In a layoff, an employer must go through the following major procedures:

Those Exempt from or Prioritized in Layoffs

According to the Labor Contract Law, the following categories of employees are exempt from being laid off:

  • employees who had been engaged in operations that would expose them to occupational disease hazards and have not undergone an occupational health check-up before leaving work, or are suspected of having contracted an occupational disease and are being diagnosed or under medical observation as a result;
  • female employees during their pregnancy, maternity leave or breastfeeding period;
  • employees who have been confirmed as having lost or partially lost their capacity to work due to an occupational disease or a work-related injury while working for the employer;
  • employees during their statutory medical treatment period required as a result of suffering from an illness or a non-work related injury;
  • employees who have worked for the employer for at least 15 consecutive years and are less than 5 years away from the legal retirement age. 

In addition, the following categories of employees have priority in being retained by the employer in a layoff:

  • employees with open-ended term labor contracts without a fixed-term;
  • employees with fixed-term labor contracts valid for a relatively long period; and
  • employees who are the only wage earners in their household and have minor or elderly family members to support.

Statutory Minimum Compensation Payment in Layoffs

The Labor Contract Law stipulates that the statutory minimum compensation payment for each employee involved in a layoff is calculated as one month’s salary per year of service with the employer. Monthly salary means the average monthly salary of the employee during the 12 months prior to being laid off (including all allowances and any bonuses actually paid to the employee during those 12 months). For employees whose monthly salary is higher than three times the average monthly salary at the municipal level, the compensation payment is capped at three times the average monthly salary at the municipal level and subject to a maximum of 12 years’ service. On the other hand, the compensation payment for a normal termination without legitimate causes is twice that of a layoff (i.e., two months’ salary per year of service with the employer).

Consequences for Non-Compliance

If an employer fails to comply with the Labor Contract Law and other relevant laws and regulations on layoffs, the employer could be fined by the labor authority. Furthermore, the employees concerned can claim compensation from the employer for unlawful termination. If an employee wins the case, he/she can either request payment of double the statutory minimum (i.e., two months’ salary per year of service with the employer) or choose to continue to work for the employer under the labor contract, if applicable.

Concluding Remarks

In view of the above, an employer may consider a layoff in order to lower the costs incurred. In doing so, it is advisable for an employer to:

  1. check if it satisfies any of the statutory grounds for layoffs;
  2. identify those employees who should be exempt from being laid off and those who should be retained, and determine the number of employees to be laid off accordingly; and
  3. carry out the layoff in strict compliance with the statutory procedure and pay the compensation in accordance with the law.

Depending upon the number of employees usually involved in a layoff, a professional advisor should be engaged to ensure compliance with relevant laws and to handle communications with the supervising administrative bodies.

Third Party Funding in China

Third Party Funding, also known as litigation financing, originated from common law countries, and is an arrangement where a company specializing in financing legal fees (typically fees associated with litigation or arbitration) agrees to cover the costs of some or all of such fees in exchange for an agreed return (usually a certain share of the successfully recovered damages or compensation payout). 

Third Party Funding enables a company or an individual to bring a claim without immediately incurring significant legal costs. In litigation and arbitration cases, if the Third Party Funders believe that the applicant’s chance of winning the case and being awarded damages is high, then the Third Party Funders will assist the applicant in legal expense financing. This can be particularly helpful for parties involved in international disputes, as the cost of cross-border legal proceedings is usually quite high.

This article aims to answer certain commonly asked questions in relation to Third Party Funding in China.

1. Is Third Party Funding Permitted in China?

In some countries, prohibitions or restrictions on certain aspects of Third Party Funding exist in order to prevent Third Party Funders from abusing litigation resources and placing an excessive burden on the judicial system. However, there is no substantive legal prohibition or restriction on Third Party Funding in China, meaning that Third Party Funding is currently legal in China.

One common financing method traditionally used by lawyers is what is known under Chinese law as “risk representation/contingency fee”, whereby lawyers collect a certain share of the amount awarded by the court or the arbitration tribunal. In recent years, professional Third Party Funders have established themselves in China.

As the Third Party Funding industry develops in China, we expect that it will be more regulated in the future.

2. What is the Difference Between Third Party Funding and Legal Aid?

Third Party Funders finance a range of costs associated with legal proceedings, such as upfront attorney fees, travel expenses, litigation or arbitration registration fees, appraisal fees, expert witness fees, costs to keep the applicant’s company running during the trial, appeal costs, costs to enforce a favorable arbitration award/court judgment, and costs to resume the normal operation of the applicant’s company after enforcement. 

Unlike legal aid, Third Party Funders will not examine the financial situation of the applicants, because the intention of Third Party Funding is to make a profit from the ultimate amount awarded to the applicant. 

As a result, if the likelihood of winning the case is high, applicants can try to seek funding from Third Party Funders, without the pressure to commit their own finances to participate in the legal proceedings.

3. Who are Third Party Funders?

In China, large domestic Third Party Funders exist such as “Weian Legal Finance” and “Duomeng Litigation Funding”, as well as other Third Party Funders set up by law firms.  Most Third Party Funders are mainly based in China’s most prominent commercial and financial centers, that is, Beijing, Shanghai, Shenzhen and Guangzhou. The reliability of Third Party Funders can vary, so applicants should do their due diligence before choosing a Third Party Funder.

4. How do Third Party Funders Charge?

Third Party Funders often require applicants to collect and submit evidence and other case materials for case evaluation before deciding whether or not to invest in the case. 

Generally speaking, Third Party Funders prefer commercial cases compared with other types of cases.  If a Third Party Funder decides to accept a case, the next step is for an applicant and the Third Party Funder to identify the specific fees to be covered and to negotiate the return rates paid to the Third Party Funder (normally 30% of the amount awarded). Usually, the higher the costs to be covered by Third Party Funding, the higher the returns that will be paid to the Third-Party Funder upon successfully winning the case. Therefore, the most financially appropriate payment method for an applicant’s case can only be determined on a case-by-case basis. 

5. How do Third Party Funders Handle the Cases?

Most Third Party Funders have their own law firms which they engage to provide litigation and/or arbitration services to applicants. Normally, applicants engage a law firm recommended by the Third Party Funder from whom they are seeking funding. The applicants usually need to provide certain materials required by the Third Party Funder, and then wait for the Third Party Funder to inform them whether the Third Party Funder will provide financial assistance to their cases.

Third Party Funders usually also allow applicants to engage their own law firm. However, it may mean that relatively higher returns are charged so as to cover the fee gap (if any) between the Third Party Funder’s law firm’s rate and the applicant’s law firm’s rate. Under this kind of arrangement, applicants may be required to pay a higher rate, but can enjoy more transparency and maintain better control of the entire legal process.

6. Do You Still Need Your Own Lawyer?

The answer is yes if your financial situation permits. When choosing a Third Party Funder, a good lawyer should be able to assist applicants in assessing the reliability of qualified Third Party Funders, and then help them to select an appropriate one. The lawyer can also assist applicants to estimate the legal costs required and also advise on how to determine the fees in a manner that maximizes the interests of the applicants.

Concluding Remarks

For Third Party Funders, each legal claim is an investment that has the potential to yield returns based on the likelihood of success.  Therefore, Third Party Funding is a serious option for any company or individual facing economic difficulties or looking to reduce the cost of legal proceedings through structured financial arrangements.  It is highly recommended that applicants seeking Third Party Funding engage their own law firm to assist in the entire process so as to better protect their own rights and interests.