On 7th July this year, a rare joint public statement was made by the director of the FBI, Christopher Wray, and Ken McCallum, the director of MI5, alerting western businesses to the new, fast-growing and “breath-taking” risk of commercial espionage emanating from the People’s Republic of China. McCallum stated that “the Chinese economic espionage is the biggest long-term threat to our economic and national security”. He also said that the challenge posed by the Chinese Communist Party was “game-changing”, while Wray called it “immense”. In the words of Wray, “the Chinese government is set on stealing your technology”. He further described this risk as “an even more serious threat to western businesses than even many sophisticated businesspeople realised”. He stated that China deployed cyber espionage to “cheat and steal on a massive scale with a hacking programme larger than that of every other major country combined”.
On 11th October, Sir Jeremy Fleming, the head of GCHQ, reinforced this message by stating that China had deliberately and patiently set out to gain strategic advantage by shaping the world’s technology ecosystems and that “countries risked mortgaging their futures by buying Chinese technology with hidden costs”. He pointed to the Chinese BeiDou satellite system (a rival to GPS), which could be used for covert surveillance and strategically manipulated during any future conflict.
This aggressive foreign policy is supported by three new Chinese data laws. By analysing this Chinese legislation, we can start to unravel the nature of the risk and infer the political intent. The Chinese Cybersecurity Law (2017) provides that companies operating in China must, on demand, provide all source code, encryption, and other confidential information to the Chinese government. The Chinese Data Security Law and Chinese Personal Information Protection Law (2021) provide that Chinese-owned or Chinese-registered companies must provide all data to the Chinese government to safeguard “national security”, but this requirement is so broadly defined that in effect it means that all personal data (including trade secrets) must be provided to the Chinese authorities.
Of particular concern are the following provisions of the 2021 Chinese Data Security Law, which apply to the conduct of any Chinese-registered company operating in China or abroad.
Article 35 Where a public security organ or national security organ needs to obtain data for the sake of national security… the relevant organisations and individuals shall cooperate.
Article 48 Whoever in violation of Article 35 of this Law, refuses to cooperate when a public organ or national security organ needs to access the data, shall be ordered by the competent department to make rectifications and be given a warning, and shall be concurrently fined not less than RMB 50,000 yuan but not more than RMB 500,000 yuan, and the directly liable persons in charge and other directly liable persons may be fined not less than RMB 10,000 yuan but not more than RMB 100,000 yuan.
Therefore, if any employee of a Chinese-registered company operating in any jurisdiction, including the UK, is required to provide data to the Chinese “national security organs”, he or she must now do so without resistance.
The first question to address is the extent to which the Chinese data security laws clash with our equivalent legal regime provided for in GDPR 2018. GDPR Article 5 provides that personal data must be processed lawfully, fairly and in a transparent manner, collected for a specified, legitimate purpose and not further processed in a manner that is incompatible with that purpose. Reading this new Chinese legislation in conjunction with the warnings of the FBI, MI5 and GCHQ raises this question: how can a western company contract with a Chinese company that is processing personal data, knowing that this Chinese company must on demand provide all personal data to the Chinese government, and not breach GDPR Article 5? This new legislation appears to give rise to a clash of civilisations, a clash of legal systems and consequently perhaps also a shift in the tectonic plates underpinning the global economy.
Is it really correct that any contract between a European business and a Chinese-registered company, where personal data is processed, will soon be declared to be unlawful and in breach of GDPR Article 5? Will it soon be the case that any western company that allows personal data to be processed on Chinese territory will be liable to legal action by the ICO? Either the GDPR will need to be redrafted to enable these activities to occur lawfully, or the ICO will need to make policy announcements providing that any such commercial arrangement is now a breach of GDPR and give UK companies sufficient time to terminate or amend such contracts. If this does occur, a massive commercial unravelling may need to take place as western businesses systematically terminate or amend thousands of contracts with Chinese-owned companies and withdraw commercial activities from Chinese soil where processing of personal data takes place.
While we await much-needed guidance from the ICO, what should in-house technology lawyers do now to help their client companies protect themselves from the threats so emphatically highlighted by the directors of both MI5 and the FBI on July 22nd?
The first step will be to undertake a thorough audit of all risks posed by this heightened and increasing threat of sophisticated commercial espionage, and to seek to put in place legal mechanisms to mitigate those risks.
The following questions need to be thoroughly investigated:
- Is there a risk that the organisation’s trade secrets will be leaked, either through decryption of devices held on Chinese soil or through data being requisitioned by the Chinese authorities?
- Should the organisation develop a new policy in relation to entering new contracts with Chinese companies where personal data or trade secrets are processed?
- Should the organisation continue to contract with a Chinese registered entity or sub-processor where that entity is processing personal data or trade secrets?
- How should the risk of rogue employees be managed?
- Are Chinese-registered entities sufficiently insulated from their western affiliates so that personal data and trade secrets cannot inadvertently flow out of control and under the radar?
- Is the organisation prepared for the possibility of dramatic policy shifts being announced by the ICO in relation to the application of GDPR?
Each question, and any other relevant questions that emerge during the investigation, should be addressed carefully, and wherever possible mitigating steps should urgently be implemented.
In line with the statements of the directors of MI5 and the FBI in July and the statements of the head of GCHQ in October, western businesses should respond to these threats with a clear, unified voice. If the Chinese government’s true intent is to steal our technology, the consequence will be that Chinese companies find it increasingly hard to win our business. This aggressive policy of commercial espionage, as detailed in these announcements, will be understood, and it will lead to a loss of, not an increase in, Chinese company profits. If a Chinese company wishes to engage with western business, and win our business, it must do so in a transparent manner, respecting our legal rights. The cost arising from the commercial and political stigma of being associated with a foreign policy that is unacceptable to western governments and businesses will soon, it is hoped, far outweigh the benefits gained.
Ben Kaplinsky worked as a trial advocate in the higher courts before re-specialising as an in-house technology lawyer.