(By You Yunting) China and the US recently signed the Audit Supervision Cooperation Agreement, allowing supervisors and inspectors of the Public Company Accounting Oversight Board (PCAOB) to review, in Hong Kong, the audit materials of Chinese companies listed in the US, including complete audit papers containing all information. According to media reports, Alibaba, JD and Yum China are the first businesses to be audited. Audit papers contain large amounts of data and personal information of domestic users (collectively, “data”). I would like to discuss whether the review of audit papers by the US parties constitutes outbound data transfer and, if so, what procedures Chinese law requires before the data may be transferred abroad.
Provisions on outbound data transfer appear in the Chinese Cybersecurity Law, Data Security Law, Personal Information Protection Law and Outbound Data Transfer Security Evaluation Rules. The latest is the Outbound Data Transfer Security Evaluation Application and Reporting Guide (First Edition), which sets out specific requirements for the application and reporting methods, processes, materials, etc. for outbound data transfer.
I. Do audit papers involve data that needs to be regulated for outbound transfer?
Audit papers refer to all work records and materials that auditors make and obtain in the course of audit work, including but not limited to accounting papers and financial and business data. A few Chinese businesses listed in the US are well-known internet businesses in the technology, media, communication, education, automotive, lifestyle and other industries, holding large amounts of personal information, sensitive personal information and important data relating to technology, communication and other key industries, all of which could be included in audit papers.
Where the audited business is a critical information infrastructure operator, or collects and generates personal information, important data, etc. within China, its audit papers may include personal information or important data. Under the Outbound Data Transfer Security Evaluation Rules, a data processor that intends to transfer important data abroad should file an outbound data transfer application with the Chinese government.
II. Does audit paper review mean outbound data transfer?
According to the Outbound Data Transfer Security Evaluation Rules, acts of outbound data transfer include (a) data processors sending or storing abroad data collected or generated in China, and (b) overseas institutions, organizations or individuals consulting, accessing, downloading or exporting data collected, generated and stored in China by data processors.
Therefore, review by the PCAOB of audit papers involving personal information or important data is a type of outbound data transfer. The domestic auditors responsible for such acts should go through outbound data transfer security evaluation, cybersecurity review and the other processes required by relevant Chinese laws.
III. Outbound data transfer procedures that may be included in the Audit Supervision Cooperation Agreement
The contents of the Sino-US Audit Supervision Cooperation Agreement have not been published yet. The head of the China Securities Regulatory Commission (CSRC), answering journalists’ questions about outbound data transfer, mentioned that the Cooperation Agreement includes explicit provisions on handling and using sensitive information in connection with audit supervision cooperation, establishes specific procedures for handling particular data such as personal information, and gives practical approaches to information security protection in the performance of the parties’ legal regulatory duties.
Considering that eligible outbound personal information transfer is bound by the Outbound Data Transfer Security Evaluation Rules, the above specific data handling procedures are very likely to include provisions thereof, under which audit papers should pass the Chinese government’s outbound data transfer security evaluation before being sent abroad. To pass the evaluation, it is most important for domestic auditors that file the evaluation application to first conduct self-evaluation of outbound data transfer risks and evaluate key issues as required by law.
The first step in the self-evaluation is to determine whether the data in the audit papers constitute important data, by reference to how the national authority defines “important data” and how the authority over the industry defines “important data in the industry”. For outbound transfer of personal information and sensitive personal information that is not important data, whether it relates to clients or to other people encountered in the course of business, it is crucial to examine the size, scope, type and sensitivity of the data to be transferred and the risks the transfer may pose to national security, public interests or the legitimate rights of individuals or organizations.
The Outbound Data Transfer Security Evaluation Application and Reporting Guide (First Edition) explicitly requires data processors to disclose the information set out in its table, including the “proposed outbound data” section, in which the size (MB/GB/TB), sensitivity (applicable to personal information), the number of natural persons involved, and any important data, etc. should be specified. If personal information is involved, the data processor must also comply with the Personal Information Protection Law and related legal requirements, such as obtaining the data subject’s prior consent before transferring personal information abroad.
IV. Restrictions on PCAOB
Under the Outbound Data Transfer Security Evaluation Rules, to pass the outbound data transfer evaluation, domestic auditors must conclude legal documents with the overseas recipients that explicitly stipulate data security obligations, including the provisions below. This means the PCAOB and the auditors it designates to review audit papers are bound by legal documents containing these provisions.
(I) Purpose, method and scope of outbound data transfer, purpose and method of overseas recipients handling such data, etc.;
(II) Place and duration of storing data abroad, and measures for handling the transferred data once the storage period expires, the agreed purpose is met or the legal document is terminated;
(III) Restrictions on overseas recipients re-transferring outbound data to other organizations or individuals;
(IV) Security measures overseas recipients will take in case of a material change in their actual control or business scope, a change in the data security policies or laws or the cyber environment of the country or area where they are based, or the occurrence of other force majeure incidents that make it difficult to protect data security;
(V) Remedies, responsibilities for breach and approaches to resolution of disputes arising from violation of data security obligations under the legal documents;
(VI) Appropriate emergency measures and personal information protection approaches and methods when outbound data is altered without permission, damaged, divulged, lost, transferred, illegally obtained or used, or exposed to other risks.
Of the above, items (I) purpose, (III) re-transfer and (VI) emergency measures are the most important. First, audit papers must be used for the agreed purpose only. Personal information should be stored only for the shortest period needed to meet the agreed purpose, after which it should be deleted or anonymised. Second, it must be agreed that outbound data cannot be re-transferred to other organizations or individuals, or, if re-transfer is permitted, that the applicable legal procedures will be followed, including obtaining separate consent from the individual and executing a written agreement with the third party. Finally, effective technical and management measures must be taken and inspected regularly to ensure that they continue to provide an appropriate level of security. If any data is divulged, appropriate remedies should be sought promptly and the duty to notify the personal information processors, the Chinese regulatory authorities, etc. should be fulfilled.
In addition, US law should also be considered. Under the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), jurisdiction over data currently follows the data controller, permitting the US federal government to compel US businesses to produce data whether it is stored in the US or not. If the US government seeks access to the corresponding data, a prompt notice should be sent to the domestic auditors and the Chinese regulatory authority, and all available legal remedies should be pursued. The Sino-US Audit Supervision Cooperation Agreement might address this issue.
Finally, competition between China and the US is very complicated. Even though the Audit Supervision Cooperation Agreement has been signed, the market remains uncertain whether it will be implemented. For instance, in July 2022, before the signing of the Agreement, Alibaba submitted its annual financial report for the year 2022 to the US Securities and Exchange Commission, stating that “although the CSRC published the Regulations on Strengthening the Confidentiality and Archival Management Work Relating to Domestic Businesses Issuing Securities and Going Public Abroad (Exposure Version) to assist the US PCAOB in the examination of Chinese accounting firms, we wonder if we or our accounting firms can meet the US regulatory requirements.”
I am optimistic about it. Information contained in audit papers can be found in day-to-day economic activities and reports. What may be needed is no more than confirmation of statements. The signing of the Sino-US agreement is a breakthrough in many areas where the two sides used to disagree. For both sides, the benefits from the agreement are bound to be greater than the risks it may bring. There is no cause for alarm.