U.S. Senate Bill to Block American Companies From Storing Data in China: It’s About Time

On September 30, in China’s New Cybersecurity Program: NO Place to Hide, we wrote on how China’s new cybersecurity laws strip foreign companies of any ability to maintain their trade secrets in China:

Under the new Chinese system, trade secrets are not permitted. This means U.S. and EU companies operating in China will now need to assume any “secret” they seek to maintain on a server or network in China will automatically become available to the Chinese government and then to all of their Chinese government controlled competitors in China, including the Chinese military. This includes phone calls, emails, WeChat messages and any other form of electronic communication. Since no company can reasonably assume its trade secrets will remain secret once transmitted into China over a Chinese controlled network, they are at great risk of having their trade secret protections outside China evaporating as well.

The U.S. or EU company may have an enforceable agreement with the Chinese recipient of its confidential information. So trade secrecy is protected with respect to that authorized recipient. But if the secret is easily available to the Chinese government, there is no real trade secret protection.

By giving the Chinese government and its cronies full access to its data, the U.S. or EU company may very well be deemed to have illegally exported technology to China and it could face millions of dollars in fines and even prison sentences for some of its officers and directors. There is an inherent conflict between foreign laws mandating a company not transfer its technology and China’s laws which effectively mandate that transfer.

A week later, in China’s New Cybersecurity System: There is NO Place to Hide we wrote about the Chinese government’s goal of scooping up all data, both foreign and domestic, and of how once the Chinese government gets your data, it can do pretty much whatever it wants with it, including turning it over to your competitors:

When one examines all of these various different programs together, it becomes apparent that the MLPS 2.0 system is the “hardware” component of a comprehensive data gathering, surveillance and control program. China’s plan is to create a system that covers every form of network activity in China: Internet, mobile phone, WeChat type social networks, cloud systems, domestic and international email. China’s goal is not to create a commercial system where individual players can participate and make money. Its goals are surveillance and control by the PRC government and the CCP.

*     *     *     *

This result then leads to the key issue. Confidential information housed on any server located in China is subject to being viewed and copied by China’s Ministry of Public Security and that information then becomes open to access by the entire PRC government system. But the PRC government is the shareholder of the State Owned Entities (SOEs) which are the key industries in China. The PRC government also essentially controls the key private companies in China such as Huawei and ZTE and more recently Alibaba and Tencent and many others. See China is sending government officials into companies like Alibaba and Geely and China to place government officials inside 100 private companies, including Alibaba. The PRC government also either owns or controls China’s entire arms industry.

Simply put, the data the Ministry of Public Security obtains from foreign companies will be available to the key competitors of foreign businesses, to the Chinese government controlled and private R&D system, and to the Chinese arms industry and military.

In How China’s New CyberSecurity Laws Can (Will?) Destroy Your Business, we set out how damaging it will be for foreign companies that turn over their data to the Chinese government, beyond even that the Chinese government and its state-owned companies and universities can now freely possess it. We wrote how turning over this data will “harm foreign businesses far beyond China because it may violate export control laws and effectively eliminate any trade secret protections that formerly attached to the data”:

The first harm comes from U.S. export control laws that require certain high-tech information not be disclosed to persons who are not U.S. citizens, green card holders or protected individuals without an export license. These export control laws directly conflict with Chinese law requiring full and total government access to that information in China because putting information regarding a controlled technology on a server or a computer in China will instantly create significant export control problems for itself. Foreign companies typically put their private information in China on a private server in China so as to isolate that information from the Chinese government. China’s new laws make clear that foreign companies must turn over this information to the Chinese government and failing to do so can lead to prison time. This conflict will be an enormous problem for US high tech companies with computer servers in China with high tech information on them because their “willingness” to give this information to the Chinese government (which obviously is not a U.S. citizen or green card holder) will in some instances constitute criminal law violations of U.S. export control laws.

The second way China’s latest data subversions will be disastrous for many foreign companies is by eviscerating their trade secret protections. To prevail on a trade secret claim in most countries you must be able to prove the following three things:

  1. The secret taken qualifies for trade secret protection.
  2. The holder of the secret took reasonable precautions to prevent disclosure of the secret.
  3. The secret was wrongfully taken.

Number 2 above could prove to be the downfall of foreign companies in China and here is an example of how that could happen. Suppose your Australian company (this is not just a United States issue) has a trade secret regarding cost efficiently producing a particular product. Suppose your China subsidiary makes your product in China and you provide the production information to your China subsidiary so it can cost efficiently make that product. Now further suppose one of your employees at your Germany subsidiary quits the company and sells your trade secret to your largest competitor, based in the United States. You then sue your ex-employee in Germany and your largest competitor in the United States for trade secret violations. No doubt, both your ex-employee and your largest competitor will argue that the information they bought/sold was not a trade secret because your having revealed this information to the Chinese Government (and to its SOEs and Universities, etc.) means you did not take reasonable precautions to prevent disclosure of the information and therefore the information lost any standing it might have had as a trade secret and your case should be dismissed.

Will your ex-employee and your largest competitor win on this argument? Who knows at this point, but I think they will because companies that go into China do so voluntarily and they know that by doing so they are making their information freely available to others.

And then pretty much every single day (including yesterday) our China lawyers and/or our data privacy lawyers and/or our international trade lawyers would talk among ourselves about how few foreign companies were grasping the dire repercussions of China’s new data laws and of how even the U.S. Government seemed mostly asleep regarding these key issues.

Some tech media were covering China’s new data laws (Techdirt, Cyberwire, and Boing Boing, for instance) but it was not getting the media attention it deserved. More importantly, we wondered why the United States government had remained mostly silent and we speculated it was because it wanted to lock down Phase One of a trade deal first.

But then, on November 7, at the 2019 Web Summit in Lisbon, Michael Kratsios, the United States’ new Chief Technology Officer, gave a speech indicating he is fully aware of what China has done to secure access to foreign company data:

By implementing a dystopian credit score . . . . [and by] extending its authoritarianism abroad, and in no case is this more clear than with Huawei. Chinese law compels all Chinese companies, including Huawei, to cooperate with its Intelligence and Security Services, no matter where the company operates. In perhaps the most disturbing account of espionage, news outlets have reported after Huawei installed communications technology equipment at the headquarters of the African Union, their computer system was hacked and data was transferred to servers in Shanghai every single night for five years.

*     *     *     *

[A]nd now they require access to all data, information and secrets contained on any server in China.

I strongly urge everyone to read Kratsios’s entire speech here.

Then the just released 2019 U.S.-China Economic and Security Review Commission Report to Congress cites China Law Blog five times for various propositions (see footnotes 30, 44, 172, 176, 177), including the following:

While the [new foreign investment] law consolidates previously disparate foreign investment regulations and effectively simplifies China’s foreign investment regime, its purported protections for foreign-invested firms may prove unenforceable or be selectively enforced absent more substantive changes that promote genuine rule of law in China’s legal system.

In other words, foreign companies will not be immune from China’s new laws, including its data security laws.

But U.S. government silence on China’s new data security laws officially ended on November 5 when “FBI Director Christopher Wray and other intelligence officials testified before the Senate Homeland Security Committee at a hearing on security threats facing the U.S.” Go here to see that testimony on C-SPAN.

Then yesterday, Missouri Senator Josh Hawley introduced the “National Security and Personal Data Protection Act of 2019” to “Address National Security Concerns Raised by Big Tech’s Partnerships with Beijing.” The politically savvy lawyers at my firm (of which I most emphatically do not count myself) insist that the timing of this proposed Act is no coincidence. They say the introduction of this new Act had been put on hold to allow the Phase One trade deal to be signed, but with the New York Times’ release of the Xinjiang Papers (a/k/a the “No Mercy” papers) that deal has now been “blown up” anyway.

Hawley has this to say about his proposed Act:

And it’s not just Chinese companies that create this risk. Chinese law allows the Communist Party to seize data from American companies operating in China whenever it wants, for whatever reason it wants. This legislation takes crucial steps to stop Americans’ sensitive data from falling into the hands of hostile foreign governments.

As FBI Director Christopher Wray testified, Chinese law “compels U.S. companies that are operating in China . . . to provide whatever information the government wants whenever it wants.” This law means that when American companies store encryption keys in China, China can read the messages those keys protect.

  • Senator Hawley’s bill prohibits American companies from transferring user data or encryption keys to China and other countries that similarly threaten America’s national security.
  • Senator Hawley’s bill prohibits American companies from storing data in China and other countries that similarly threaten America’s national security.

Senator Hawley’s bill also will greatly limit what Chinese companies can do in the United States, but we will save the analysis on that portion of it for another day.

What’s most relevant here and now is that it will prohibit American companies from transferring user data or encryption keys to China. But because American companies in China must either comply when the Chinese police demand such a data transfer or go to a Chinese jail for a long time, Hawley’s bill prohibits American companies from storing data in China in the first place.

If this Act becomes U.S. law, it will have earth-shattering ramifications for American companies that do business in China and I predict some form of this Act will become law. But even if it doesn’t, the cat is essentially out of the bag in terms of China’s far-reaching and incredibly intrusive laws to get at foreign company data. This proposed Act will jump-start American (and European) companies learning of how their data is at extreme and essentially unmitigated risk in China and of how they need to act accordingly. In our next post, we will explain what “act accordingly” should look like.

As we have been saying since October 6 of last year, welcome to the New Normal.