The Editor in Chief of the LLM Law Review, Jonathan Rossi, was in Shanghai visiting with Jared T. Nelson, a lawyer at MWE China Law Offices, a Chinese law firm in a strategic alliance with global law firm McDermott Will & Emery. As part of our Conversation with Thought Leaders & Trendsetters series, Jared provides some insight about China’s hottest practice area right now – data protection. This interview highlights some common questions that his team has been seeing from companies in China that are struggling to catch up with the new rules.
As part of our coverage on China, the LLM Law Review will feature experts and thought leaders who are shaping the global conversation on topics relevant to today’s leading issues. This week we feature Jared T. Nelson. Jared has been with MWE China for six years in Shanghai and is the head of its unique MWE China Data Center, which combines law and technology for new approaches to client services and products.
Jared, welcome. Glad to see you again. Before we start, can you briefly give us some background as to MWE and the China Data Center you manage.
We opened the MWE China Data Center with a lot of media coverage and market attention in 2014. Our goal was to create an internal technology platform designed by lawyers for lawyers that could be a driver for innovation. The team works on a variety of projects, and has seen the most growth come from providing technical evidence analysis for litigation and investigation matters. From the beginning, we also set ourselves up to be prepared to help clients for a wave of new data protection requirements, which has finally arrived over the past two years. Guiding clients through these new legal obligations in China requires lawyers who have a deep understanding of IT systems and data flows, which our team has significant experience due to our years of working with companies’ IT teams for the technical evidence analysis.
What are the most common misconceptions that you hear about China’s data protection framework?
Misconception 1: All data is required to be stored in China
The number one driver for new clients coming to us and asking questions about data protection in China is poorly-researched media reports and inaccurate articles that claim China’s rules require all data coming from China to be stored in China. Almost every week over the past year, we have had a multinational company come to us and say their IT, legal, or compliance department read somewhere that they need to store all of their data in China, but that would be a huge and very costly infrastructure adjustment, so they want some clear advice about this issue. The real answer is that the local storage requirements only currently apply to a small percentage of companies here, and for the majority of companies, the matter is still unsettled and we are all waiting for the final versions of the rules from the government.
Misconception 2: Data protection is only a problem for big tech companies
It is a problem for big tech companies, but it is also a problem for a lot of traditional companies, especially traditional manufacturing or service companies with a consumer focus. For example, the overwhelming majority of B2C companies would not consider themselves to be IT companies, but nearly all of these have implemented customer loyalty programs over the past few years. You can’t eat at a restaurant, buy a handbag, or go the movies anymore without being asked to sign up for a membership card, and every one of these programs collect the type of personal information that is directly targeted by China’s personal information protection rules. Those types of companies have quietly emerged as one of the largest risk areas, and this is often a troubling surprise for their legal and compliance teams.
Misconception 3: The regulations mostly focus on personal information, and our company doesn’t have that, so we don’t have any risks
Even if you are a B2B company that has no personal information of consumers or end users of your industries’ products, you almost certainly collect, use, store, and share personal information because, unless your company is staffed entirely by robots, you have employees and there is a significant amount of personal information about them. China is notorious for its employee-friendly (many would say employer-hostile) policies, largely due to its historical background and unique labor and employment goals. This is also a frequent blind spot for companies, which are usually fairly cavalier about collecting a lot of detailed and often unnecessary personal information about their employees and then transferring that data to various jurisdictions through a variety of platforms with little or no knowledge or consent of the employees.
Let’s back up a little bit Jared. Can you provide a general background on the data protection framework in China?
The current stage is the “end of the beginning”. The legislation has mostly shifted focus from a patchwork approach, with rules targeting specific high-risk industries, to a more comprehensive approach that targets all industries in a general framework. The key points of the framework are already set, and many of the details have been emerging to fill in the remaining gaps. This change is relatively new, happening over the past two to three years, and has resulted in China quietly becoming one of the strictest data protection environments in the world. The change has also coincided with a lot of major developments around the world in this area, which we now seem to see in the headlines every day.
What skills or background do you need to work on data matters as a lawyer in China?
Deep technical background and competency
When you are dealing with data matters as a lawyer, you inevitably end up in detailed conversations with the company’s IT team, whether that is internal IT or customer-facing product teams. If you can’t speak their language and immediately understand all of the technical terms they throw at you, then you will quickly lose their trust and doom the project because their default will always be that they are too busy to explain their work to lawyers – who they will see as someone trying to kill their features or add more work for them. To avoid this problem, you need to have a strong understanding of their world, and for this field that especially means to have a deep understanding of network architecture and relational database structures.
Solution-oriented problem solving
For every company in China this is a new problem, and it is also a new problem for every lawyer because the rules are in their infancy and still largely untested in real cases or enforcement actions. As a result, you have to be very creative and solution oriented. We have picked up a number of projects from clients after their previous lawyers gave some vague advice about significant risks and unclear rules. Companies don’t want to hear that type of answer, and if you have the right competencies and experience in this area you will be able to move past the unclear rules and still provide practical advice and real solutions for their challenges.
What are the best opportunities for lawyers and other professionals in this area?
Deep knowledge in a specific domain
As an example, if you could become an expert in cross-border data transfers for European luxury brands’ e-commerce platforms, then you would do very well in China and have an immediate base of willing clients. Data protection is still very new here and there are not even very many generalists in this area who are competent and experienced enough to handle clients’ questions. Experts in a specific area are rare and your expertise will be highly valued in the future.
Innovation and productization of services
Even though data protection is very young in China, it is already ripe for disruption. Lawyers and other professionals that can provide real products, or at least standardized services, to clients – instead of a long memo written through hourly-rate efforts – will be much more attractive and scalable in the market. This is a general truism for our industry and, because many of the data protection issues are perceived as “IT law”, there is a higher expectation from clients that data protection lawyers are at the cutting-edge of innovation in our offerings.
Would you say that the degree of concern as it relates to data protection is different from a Chinese company versus an American company?
The focus is often a lot different. For Chinese clients, they usually want to talk with us about US and EU data protection rules, and they often have the perception that they have a higher risk in the US and EU because they are being unfairly targeted in those jurisdictions. The American companies are the opposite. They want to talk with us about the Chinese rules because they have the perception they are being unfairly targeted in China. For all of them, the level of general concern is quite high, especially for data security matters, and we have been receiving a lot of urgent calls from clients as they race to catch up with all of the new rules.
Do you have any final thoughts or recommendations for readers, especially law students?
For students, you need to deeply understand tech, but you also need to supplement that with the experience of older attorneys who understand the more practical approaches for client needs. Find a good mentor who can teach you the practice and business side of the profession. For older lawyers, you need to embrace tech and instead of worrying about understanding or being replaced by it, you need to know that your experience is the more valuable missing piece of the puzzle, and the innovators need you more than you need them – but the combination of experience and tech is the unavoidable future and it will bring you far more success than traditional approaches.
Thank you Jared for joining us. We look forward to hearing more about this timely topic
Thank you for having me.