Ryder Seamons, Author at Harris Sliwoski LLP Tough Markets, Bold Lawyers Thu, 16 Mar 2023 13:12:00 +0000 en-US hourly 1 https://wordpress.org/?v=6.4.3 https://harris-sliwoski.com/wp-content/uploads/cropped-Harris-Sliwoski-Logo-FinalIcon-White-1-32x32.png Ryder Seamons, Author at Harris Sliwoski LLP 32 32 Xinjiang, Sanctions on China, and Your Business https://harris-sliwoski.com/chinalawblog/xinjiang-sanctions-on-china-and-your-business/ Sat, 15 Aug 2020 11:58:04 +0000 http://harris-sliwoski.com/chinalawblog/?p=44319 The U.S. government recently announced additional political sanctions on China concerning human rights violations in Xinjiang. The Chinese government’s treatment of Uyghurs and other ethnic minorities in Xinjiang has attracted the attention of human rights organizations and democratic governments over the last few years. Accusations include arbitrary detention in concentration camps, forced labor, and propagandist

The post Xinjiang, Sanctions on China, and Your Business appeared first on Harris Sliwoski LLP.

]]>
The U.S. government recently announced additional political sanctions on China concerning human rights violations in Xinjiang. The Chinese government’s treatment of Uyghurs and other ethnic minorities in Xinjiang has attracted the attention of human rights organizations and democratic governments over the last few years. Accusations include arbitrary detention in concentration camps, forced labor, and propagandist “re-education,” and the list goes on. The Council on Foreign Relations estimates that between 800,000 to two million Uyghurs and other Muslim minorities have been detained since 2017. If you’re looking for a simple introduction to the issue, look no further: American teenagers are using TikTok, the Chinese social media platform, to film themselves discussing Xinjiang human rights violations, disguising the videos as knitting and make-up tutorials (here and here).

Not only is the Chinese government complicit in these crimes, but many Chinese businesses that supply international brands are exploiting the free labor of Muslims in detention centers, developing consumer goods that often make their way to U.S. retailers. The response to this horrifying violation of human rights has come one small step at a time, but if the claims of forced labor and torture are accurate, the issue has yet to attract the international attention it warrants. Last year, Congress announced the Uyghur Human Rights Policy Act, which requires greater U.S. scrutiny of the injustices in Xinjiang. The Act was signed by President Trump last month. The sanctions against China’s political leaders and major corporations are growing—earlier this year the U.S. Treasury Department imposed sanctions on a number of Chinese officials involved in the human rights abuses in Xinjiang. These sanctions include restrictions on their visas and freezing all their American assets. On July 31, the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned a Chinese government entity, the Xinjiang Production and Construction Corps (XPCC), and two more government officials. Treasury Secretary Steven T. Mnuchin affirmed “the United States is committed to using the full breadth of its financial powers to hold human rights abusers accountable in Xinjiang and across the world.”

On July 20, the U.S. Department of Commerce (DOC) announced sanctions on 11 Chinese companies, adding them to the Entity List, a tool utilized by DOC’s Bureau of Industry and Security to “restrict the export, reexport, and transfer (in-country) of items subject to the Export Administration Regulations (EAR) to persons (individuals, organizations, companies) reasonably believed to be involved, or to pose significant risk of becoming involved, in activities contrary to the national security or foreign policy interests of the United States.” The last time DOC made additions to the Entity List was May 22, adding several Chinese companies as well as the PRC’s Ministry of Public Security’s Institute of Forensic Science.

How have China’s government and businesses responded to the sanctions? For one, the government’s primary response has been a combination of denial and retaliation. Officially, the Communist Party refers to the camps as “vocational education and training centers,” or “re-education camps.” Beijing claims its efforts in Xinjiang are necessary to ensure national security by eradicating religious extremism and separatism. For those following the news of Beijing’s increasingly tight hold on Hong Kong, the above claim will have a familiar ring to it (see Fred Rocafort’s Requiem for Hong Kong). Wang Wenbin, spokesperson for China’s Ministry of Foreign Affairs, said the recent U.S. action “violates the basic norms of international relations” and “interferes in China’s internal affairs.” To make things worse, the Chinese government has cooked up a fresh batch of retaliatory sanctions on a number of U.S. politicians, including Sens. Marco Rubio and Ted Cruz.

Of the 11 Chinese companies added to the DOC Entity List most recently, only one has published an official response. The day after the sanctions were announced, Chanji Esquel Textile Co. (CJE) published a response on their website, saying they are “deeply offended by the decision” to place their company on the Entity List. “We absolutely have not, do not, and will never use forced labor anywhere in our company.” The response cites an audit from last year that confirmed that CJE does not use forced labor. “We are working with all relevant authorities to resolve the situation, and we remain committed to Xinjiang as we are proud of our contribution in the region over the last 25 years.”

Any American company of any size that buys products from Chinese factories should increase their awareness of forced labor in Xinjiang. U.S. federal law prohibits importing any merchandise or product, wholly or in part, produced by forced or indentured labor. Such merchandise is subject to seizure and will potentially lead to criminal investigation of the importer. Abuses are especially rampant in the fabric/garment industry. According to the Uyghur Human Rights Project, Xinjiang region produces up to 84 percent of China’s cotton output and is the primary supplier of cotton/textile/nas/content/live/harrisbstagingarel products. That means any Chinese factory, not just the ones in Xinjiang, could be using materials produced by forced labor. Costco was involved in a controversy last year when investigations discovered that Hetian Taida, a Chinese company that produces pajamas and blankets sold at Costco, manufactured their product using Uyghur forced labor.

The question to ask now is, how do I ensure my factories in China aren’t complicit in human rights violations in Xinjiang? Should you take them at their word? Should you attempt to trace their factory receipts? At the moment, any potential supply chain links to Xinjiang pose a serious danger and willful ignorance regarding the situation is not likely to hold up in a court of law. Too many companies just assume their situation is unique and their factory owners would never do this . . . “I went to his daughter’s wedding!” We even have one company who told us that they “went to the factories in Xinjiang and nobody was being forced to work!”

As U.S. sanctions on China continue to increase, the urgency for American businesses to cut Xinjiang from their supply chain will correspondingly increase as well. Last month, the U.S. Departments of State, Treasury, Commerce, and Homeland Security issued the Xinjiang Supply Chain Business Advisory, to inform “businesses with potential supply chain exposure to Xinjiang” and help them “consider the reputational, economic, and legal risks of involvement with entities that engage in human rights abuses in Xinjiang”.

Bottom Line: If you want your company to avoid getting hit with a forced labor claim by the U.S. government or see your company’s name in the media linked to concentration camps, now is the time to do whatever you can to prevent this sort of thing from happening to you.

The post Xinjiang, Sanctions on China, and Your Business appeared first on Harris Sliwoski LLP.

]]>
China’s Personal Information Specifications: Revised https://harris-sliwoski.com/chinalawblog/chinas-personal-information-specifications-revised/ Wed, 15 Jul 2020 10:58:14 +0000 http://harris-sliwoski.com/chinalawblog/?p=43004 On March 6th, the Standardization Administration of China (SAC) joined with the State Administration for Market Regulation (SAMR) to issue GB/T 35273-2020 《信息安全技术 个人信息安全规范》 , or “Information Security Technology – Personal Information Security Specification,” which will come into effect on October 1, 2020. This 2020 Specification will replace GB/T 35273-2017, which has been in effect

The post China’s Personal Information Specifications: Revised appeared first on Harris Sliwoski LLP.

]]>
On March 6th, the Standardization Administration of China (SAC) joined with the State Administration for Market Regulation (SAMR) to issue GB/T 35273-2020 《信息安全技术 个人信息安全规范》 , or “Information Security Technology – Personal Information Security Specification,” which will come into effect on October 1, 2020. This 2020 Specification will replace GB/T 35273-2017, which has been in effect since 2017. We wrote about this previous Personal Information Security Specification here.

The 2020 Specification will update and refine the guidelines outlined in the 2017 Personal Information Security Specification. The 2020 Specification is a national standard, referred to as “GB.” Some national standards, like the 2020 Specification, are not mandatory but are recommended guidelines that reinforce the law, and are referred to as GB/T. In this case, the 2020 Specification explains and reinforces China’s 2017 Cybersecurity Law. Though the 2020 Specification is not enforceable by law, the Chinese government uses these standards to evaluate an entity’s compliance with China’s legal guidelines and regulations. The Center for Strategic & International Studies wrote about the previous specification and the ambiguity surrounding how national standards are enforced in China, stating that “the written standard leaves space for interpretation by enforcement authorities whose interests and objectives may not align with the intent of the drafters.” Though the 2020 Specification clarifies issues such as biometric data, multiple business functions, and explicit consent, it is still unclear to what extent the new standard will be enforced in China.

The 2020 Specification outlines that “controllers” are those who collect personal information for providing a product or service. The “subject” is the individual or entity that provides the personal information to the controller. The 2020 Specification seeks to provide the subject with more autonomy in how and when they provide personal information to controllers.

Multiple Business Functions

Article 5.3 of the 2020 Specification states that the controller providing a product or service that requires personal information cannot bundle a subject’s personal information into multiple business functions. If the subject does not specifically authorize the consent to use personal information for a specific business function, the controller may not incentivize the subject by guaranteeing better quality service or increased security in return for authorized consent. If the subject ceases to use a specific business function, the controller cannot continue to use the personal information previously collected.

Explicit Consent

Article 5.4 states that controllers of personal information are required to inform subjects about the scope and purpose of their data collection. When gathering sensitive data (defined as any information that, if leaked or misused, may harm one’s physical or economic security, affect one’s reputation or mental health, or cause deferential treatment), controllers must obtain “explicit consent.” Explicit consent means the subject must provide an authorized statement on either paper or an electronic format affirming the collector the right to process their personal information. A new addition to the 2020 Specification is regulations on the collection and retention of biometric data. In addition to securing the subject’s explicit consent, controllers of biometric data must inform subjects on their intended purposes, method of collection, scope, and storage time. Biometric data includes genetic information, fingerprints, voiceprints, palmprints, auricle scans, iris scans, face scans, etc. When a collector receives biometric data indirectly, they must confirm that the third-party from whom they obtained the data has already received explicit consent from the subjects.

Storage of Personal Information

Article 6 concerns storage periods, anonymization, and de-identification of personal information. Controllers are asked to minimize the storage period of personal information necessary to accomplish their purposes, after which personal information must be anonymized. De-identification must be done as quickly as possible and precautionary measures must be taken to ensure that personal information data will not be re-identified with its subject. When the controller ceases to use the product or service that collected personal information, they must anonymize the data and send a notice to all subjects informing them that their information is no longer being used.

Rights of Personal Information Subjects

The 2020 Specification theoretically guarantees more autonomy for personal information subjects than the previous specification. Article 8 states that controllers shall provide the subject with a method to query a) the type of personal information the controller holds about the subject, b) the purpose of obtaining the personal information, and c) the identity of any third-parties who may be involved with the collection of the subject’s data. If the controller violates any law or any agreement held with a subject, the controller is required to immediately delete all personal information. Controllers must also provide a method for subjects to revoke their authorized consent to access their personal information.

Sharing and Transferring Personal Information

To share and transfer personal information, controllers must a) conduct security impact assessments in advance, b) inform the subject about the purpose of sharing and transferring their personal information, and c) receive the subject’s explicit consent. The 2020 Specification states that, in general, personal information should not be publicly disclosed, unless the controller has conducted necessary security impact assessments in advance, informed the subjects of their intent, received the subjects’ explicit consent, and keeps a detailed record of the public disclosure. However, there are no exceptions to publicly disclosing biometric data, or the analysis results of personal sensitive data, such as race, ethnicity, political views, and religious beliefs.

Cross-Border Transfer of Personal Information

Article 9.8 states that personal information collected and generated in China can be transferred overseas, but the controller must comply with all relevant national regulations and standards.

Personal Information Security Incidents

Controllers must develop a specific and detailed protocol for handling and reporting any personal information security incidents, including regular trainings for any workers who handle personal information. Subjects must be notified immediately if their personal information has been leaked or breached. Controllers should develop security impact assessments, which evaluates what impact the controller’s standards of personal information security have on the legal rights and interests of the subjects.

Though this national standard is “advisory” and does not carry the force of law, foreign companies operating in China should strive to comply fully with this Specification as a “best practices” measure. There have been many questions in the past concerning data transfer overseas and to what extent the Chinese government would allow the sharing of data accrued in China with foreign entities and governments. The Cybersecurity Law, in effect since 2017, states that all information collected in China should remain in China and can only be transferred outside China if absolutely necessary for the needs of the business, according to Article 37. China discourages transferring data out of the country by creating required conditions, also found in Article 37 of the Cybersecurity Law, which requires an entity to conduct security assessments and obtain approval from local cybersecurity authorities before it can transfer data out of the country. The language of the article lacks any detail as to what might qualify as a “necessity” for a foreign entity to transfer data outside in China. One bonus of the 2020 Specification is that it provides a little clarity concerning data localization: Article 9.8 states that personal information collected in China may be transferred overseas, so long as the collector operates in compliance with all relevant national standards. It is important to note that this standard concerns only personal information, and not generalized data.

Though the 2020 Specification clarifies much of what is left unspecified in the Cybersecurity Law, there is still ambiguity surrounding specific procedures such as storage, anonymization, third-party sharing/transferring, etc. For this reason, our China cybersecurity/data privacy lawyers will continue working with Chinese local governmental authorities to confirm that our clients’ business operations are compliant with this new standard.

The post China’s Personal Information Specifications: Revised appeared first on Harris Sliwoski LLP.

]]>