04 September 2017

What Should Lawyers Redact in Corporate Internal Investigations under the Cyber Security Law?

This article was written by LIU Haitao (Harry), LI Ronghui (Sam), YU Linda and XIA Ying.

One day before noon, a colleague came up and asked: “What’s that English term in corporate investigations, the one for obscuring sensitive information in documents?” And suddenly she got it: “Ah, I remember, it’s ‘Redaction’.” Then, she went back to her drafting… Redaction, a document editing method frequently used by legal counsel in compliance and dispute resolution matters, refers to a process of obscuring or removing sensitive information that is not allowed to be disclosed to the other party. 

In an extreme case, American Civil Liberties Union v. Ashcroft[1] in 2004, the U.S. government had prohibited the plaintiff from disclosing government secrets. Let’s look at one page of the complaint which was finally released to the public following the “desensitization” process.

[Image: one page of the released complaint]

Although the irony of this complaint – blacked out except for paragraph numbers – is self-evident, it raises the issue of redacting sensitive information. It is relevant to investigated companies, law practitioners and other interested parties during investigations for self-protection and other compliance requirements.

In recent years, cross-border corporate investigations have been on the rise. Foreign law enforcement authorities and lawyers have become increasingly familiar with the Chinese legal environment. In terms of targets, approaches and scale, corporate investigations in China are no longer lost missions. Cross-border corporate investigations require the cooperation of multiple parties at home and abroad, and the amount of investigative information for all parties to share is enormous.

Therefore, the PRC legal counsel who jointly participate in the investigations have the highly important task of screening out information which potentially involves “State Secrets”. Without approval from relevant authorities, such information or materials are not allowed to be shared with foreign individuals or entities, and are prohibited from being transferred abroad as well.[2] To be as rigorous and cautious as possible in this regard, any sensitive information containing potential state secrets should be kept within the country. If documents containing sensitive information have to be shared, we always “black out” sensitive information before transferring the documents to foreign parties.

The new Cyber Security Law has raised the requirements of desensitization to a new height. More is required than simply removing state secrets to meet legal requirements. The tightening of the law poses new challenges for cross-border corporate investigation. This article focuses on the identification of important data and personal information in corporate investigations. The next article will expand on “critical information infrastructure operators”. 

I. What is “important data”?

The Cyber Security Law’s provisions on “important data” are simple: 

“Critical information infrastructure operators shall store Personal Information and Important Data gathered and generated during operations in the PRC within the territory of the PRC. Where it is indeed necessary to provide such information and data abroad due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council.” [3]

“Important Data” is not defined in the annex of the Cyber Security Law. The only guidelines are that it is “stored within the territory” and “may be transferred abroad upon security assessment”. This lack of clarity has created great uncertainty in the new era of Cyber Security Law.

The Cyberspace Administration of China (“CAC”) enacted the Assessment Measures on Security of Cross-border Transfer of Personal Information and Important Data[4] (“Assessment Measures”), pursuant to which CAC replaced “critical information infrastructure operators” with the broader term “network operators”.[5] Once the Assessment Measures come into effect, an investigated company that has any connection to the word “network” will be statutorily required to differentiate important data.  

Thankfully, the Assessment Measures have defined “important data”:

“Important Data, refers to the data closely related to national security, economic development and public interests, the specific scope shall be referred to the relevant national standards and identification guidelines of the important data.” [6]

But what exactly is “data closely related to national security, economic development and public interests”? And what is the difference between “important data” and “state secrets”?[7]

We instinctively visualized “important data” and “state secrets” as having some overlap. 

[Figure: “important data” and “state secrets” shown as partly overlapping]

However, the National Information Security Standardization Technical Committee has drafted a new national standard, the “Information Security Technology - Guidelines for Cross-Border Data Transfer Security Assessment”[8] (“Guidelines”). The Guidelines define “Important Data” in Appendix A as follows:

“Important Data refers to data collected and generated by the government, enterprises or individuals within the country, though with no State Secrets involved, closely related to the national security, economic development and public interests (including original data and any derivative data) and once it is disclosed, lost, misused, falsified or destroyed, or otherwise compiled, integrated or analyzed without authorization, it may lead to the following consequences:

1. Jeopardizing the national security, defense interests, disrupting international relations;

2. Damaging national property, social public interests and individual lawful interests;

3. Affecting national measures of preventing and cracking down on economic and military espionage, political penetration and organized crimes;

4. Affecting investigations into and handling of illegal acts or power misuses or allegedly illegal acts or power misuses by administrative organs;

5. Interfering with supervision, management, checks, audits and other administrative activities taken by government agencies, impeding them from fulfilling their duties;  

6. Endangering the information securities of national critical infrastructures, critical information infrastructures, governmental systems;

7. Affecting or endangering national economic orders and financial security;

8. State Secrets or sensitive information may be reached from analysis;

9. Affecting or endangering national politics, homeland, military, economy, culture, society, science and technology, ecology, resources, nuclear facilities and other security matters.”

Although it seems that the concepts have some overlap, there are also important differences between the two terms. According to the Guidelines, “important data” refers to important information collected or generated within the territory, excluding state secrets.

[Figure: “important data” shown as excluding “state secrets”]

The Guidelines list 27 categories of Important Data and their respective authorities, including: oil and gas, coal, petrochemicals, electrical power, telecommunication, electronic information, steel, non-ferrous metals, equipment manufacturing, chemical industry, national defense industry, other industries, geographic data, civil nuclear facilities, transportation, postal and courier service, water conservancy, population and health, finance, credit checking, food and medicine, statistics, meteorology, environmental protection, radio and television, marine environment, e-commerce and an omnibus description “others”.

For instance, previously, we have had to review a huge amount of technical material from civil nuclear facilities in an investigation. These materials definitely contained important data, and possibly “secret matters related to national economy and social development” and “scientific and technological secrets”. These materials should therefore be withheld and assessed for state secrets.

Now, we would take a different approach to the same material. Firstly, no document potentially containing state secrets can be transferred abroad – regardless of whether or not it is related to an investigation. Secondly, if a document is related to an investigation and does not contain state secrets, then can we easily hand it over? According to both the Assessment Measures and the Guidelines, important data collected and generated within the territory must pass a security assessment before cross-border data transfer can occur. Self-assessment is adequate if the relevant data and its subject are not complicated. Otherwise, statutory assessment must be conducted by industrial or regulatory authorities. We still need to redact such information, in case it fails the security assessment and is unable to be transferred abroad.

II. What is true “personal information”?

Next, let us imagine a scenario which is highly likely to occur in a cross-border investigation: On 1 June 2017, country (X)’s law enforcement agency (Y) required lawyer (Z) in China to provide phone numbers and e-mail addresses of employees of a company under investigation. Lawyer Z is smart enough to know that although this was not an issue yesterday, it is today.

“Citizens’ personal information” refers to various information recorded electronically or by other means which may, separately or combined with other information, identify a specific natural person or reflect activities of a specific natural person, including name, ID number, correspondence and communication contact, address, account password, property information, personal track and trace, etc. Whoever provides any citizen’s personal information lawfully collected to any other person without the consent of the individual shall fall within the scope of “providing citizens' personal information” as prescribed in Article 253.1 of the Criminal Law.[9]

The Cyber Security Law provides that various information recorded electronically or by other means which may, separately or combined with other information, identify a natural person (including but not limited to a natural person’s name, date of birth, ID number, information of biological identification, address, phone number) is prohibited from being transferred without the individual’s consent.

“Aren’t the phone numbers and email addresses of employees high on this list?” Lawyer Z thinks to himself. His first instinct is to ask the employees for their consent to transfer their information to the law enforcement agency. But what if they refuse to give consent? What will become of our internal investigation? The aim of conducting a corporate internal investigation is to know “who, what, why, when, where and how”. But if consent is refused, is this how our cross-border report will have to look?

From March 2010 to May 2013, ████ from the sales department, as a key position personnel of ████ together with ████ and ████ of the company, bribed ████ of ████, a SOE, to secure business opportunities in order to improve the company’s performance and increase its market share. During the three years, the company obtained certain revenues of...

According to the Chinese laws and regulations related to personal information security, the names of employees ████, ████ and ████ are not allowed to be disclosed without their consent.

Back to our initial question, is Lawyer Z allowed to hand over the phone numbers and email addresses of the employees? Lawyer Z cannot hand over personal information without consent, but he may be able to hand over employees’ office phone number extensions and company email addresses. Here’s why:

  1. Employees’ contact information exists for work purposes, not for private or personal use.
  2. Generally, companies assign contact details to employees when they come on board. When an employee’s contract is terminated, it is highly unlikely that they would retain their work contact details. The company, therefore, is the owner and administrator of the contact details, not the employee.
  3. Companies usually make employees’ work contact details available without their consent. It is far-fetched that the disclosure of such publicly available information was intended to fall within the judicial interpretation of “personal information”.

When deciding whether to disclose third party personal information within the territory of PRC, we suggest the following:

  1. Check whether any law or regulation prohibits disclosure 
  2. Determine the true owner of the information
  3. Obtain express consent of the owner to transfer the information
  4. If consent is not obtained, balance the need for facts in the investigation with the importance of personal information security. 

Companies should obtain an employee’s express consent at the start of employment to disclose their name, position, office number, work email and other information related to the company when necessary. But the company should assure employees of their personal information security, for example by stating that the company will keep all personal sensitive information confidential.


[1] American Civil Liberties Union v. Ashcroft (filed April 9, 2004 in the United States).

[2] The Law of the PRC on Protecting State Secrets (2010 Revision)

Article 25 Organs, units shall strengthen the management of items bearing State Secrets, any organization and individual is prohibited from conducting the following acts:

(iv) mail, consign for shipment abroad items bearing State Secrets;

(v) carry, transmit items bearing State Secrets abroad without approval from the relevant authorities.

Article 26 Prohibit unlawfully copying, recording, storing state secrets.

Prohibit transmitting state secrets on internet and other public information network or via wired and wireless communications without security measures.

Prohibit personal interactions and correspondences from involving state secrets.

Article 48 In the case of any of the following acts in violation of the provisions of this Law, disciplinary measures shall be imposed in accordance with the law; if the act constitutes a criminal offense, criminal liability shall be imposed in accordance with the law:

(iv) mail or consign for shipment abroad items bearing State Secrets, or carry or transmit items bearing State Secrets out of the territory of the PRC without the approval from relevant authorities.

[3] Article 37 of the Cyber Security Law. 

[4] Draft for Comments before May 11, 2017

[5] Article 2 of the Assessment Measures.

[6] Article 17 of the Assessment Measures.

[7] Article 9 of the Law of the PRC on Protecting State Secrets (2010 Revision) 

The following matters involving state security and national interests shall be specified as State Secrets if the leakage of such matters is likely to prejudice the security and interests in the field of politics, economy, national defense and foreign affairs, etc.:

(i) secrets concerning major decision-makings in state affairs;

(ii) secrets concerning the construction of national defense and activities of the armed forces; 

(iii) secrets concerning diplomatic activities and foreign affairs as well as secrets to be maintained as commitments to foreign countries;

(iv) secrets concerning national economic and social development;

(v) secrets concerning science and technology;

(vi) secrets concerning activities for safeguarding state security and the investigation of criminal offences;

(vii) other matters that are categorized as State Secrets by the state secret-protection administrative department.

Secrets of political parties that conform to the provisions of the preceding paragraphs shall be deemed State Secrets.

[8] Draft for Comments before June 27, 2017

[9] Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues Concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens' Personal Information
