2023 ALB China Top 15 Cybersecurity & Data Protection Lawyers
With the rapid development of science and technology, the complexities surrounding cybersecurity and data protection issues are increasing. In response to this, China has introduced a range of laws, regulations, and regulatory policies in recent years. Consequently, there is a growing demand for legal services specialising in data and cybersecurity. This year, ALB is launching its inaugural list of the top 15 cybersecurity and data protection lawyers to recognise the leading professionals in this field. These lawyers possess extensive legal knowledge, a deep understanding of regulations, and strong business acumen, enabling them to offer high-quality legal support for their clients' various cybersecurity and data protection requirements.
As human society enters the digital and information era, data has emerged as a significant factor of production. Deloitte says, "Data has profoundly transformed our production methods, lifestyles, and social governance models. With the continuous innovation of technologies for data collection, governance, application, and security, coupled with the rapid development of industries, technology has propelled data elements to become intrinsic conditions for the long-term growth of the national economy."
On the one hand, data itself, as a production factor, requires protection, commonly known as "data protection." On the other hand, the online environment in which data operates also demands safeguarding, referred to as "cybersecurity."
Presently, data protection and cybersecurity capabilities have become indispensable components for a company's competitiveness and the foundation upon which companies achieve more efficient business operations. Moreover, the data and Internet-related industries are experiencing significant growth, as projected by the 2022 White Paper on China's Cybersecurity Industry, which predicts robust expansion in China's cybersecurity industry over the next five years.
In this context, laws and regulations have kept pace with these advancements, leading to the emergence of numerous lawyers and firms specialising in these fields in recent years. Consequently, what new skills and capabilities are expected from data protection and cybersecurity lawyers? What are the latest developments and trends regarding services provided to enterprises in these fields? A number of the ranked lawyers share their insights with ALB.
Recently, cybersecurity and data protection have undoubtedly become the focal point of legislation and regulation in China. At the legislative level, three main pieces of legislation—the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law—have come into effect, ushering in a new era of cybersecurity and data protection. Industries are undergoing significant transformations, and enterprises will face increasingly stringent compliance challenges.
Internationally, according to the 2022 Global Cybersecurity Development Trend Research Report, the US, EU, Australia, and India have all recently enacted legislation or directives to promote the establishment of mandatory cybersecurity incident reporting mechanisms, such as the Cyber Incident Reporting for Critical Infrastructure Act and the Information Technology Act. Additionally, the U.S.'s Federal Information Security Modernization Act and the EU's latest Digital Markets Act have laid the foundation for building a more robust cybersecurity compliance management platform. All of these developments present challenges to the overseas operations of Chinese companies.
The frequent introduction of new data and cybersecurity laws and regulations has made understanding the latest regulatory trends, gaining deep insights into regulatory logic, and predicting future regulatory directions a hot topic among lawyers and in-house teams in recent years. Raymond Wang, Partner at Shihui Partners, highlights that amid the rapid development of digitisation and the Internet, lawyers, legislators, and regulators face immense pressure. He notes, "The evolution of cybersecurity and data protection laws and regulations, transitioning from fragmentation to systematisation and from general provisions to detailed rules, follows its inherent logic. I often participate in legislative support work and can sense the tremendous pressure legislators and regulators face when dealing with various risks arising from new technologies, industries, and even paradigms."
Therefore, Wang believes that while practicing in this new and evolving field presents a unique opportunity for lawyers, they must also adopt a fresh mindset. "We should not consider ourselves as merely providing answers to existing rules; instead, we should constantly contemplate the reasons behind rule changes and what remains unchanged. By doing so, we can distinguish stable components within the legal system from dynamic ones and promptly align ourselves with clients."
In other words, lawyers who choose to specialise in this field need to navigate the landscape where technology, regulation, and legal services progress hand in hand. Wang adds, "In a sense, predictable challenges are opportunities, whereas difficulties arise from the unpredictable."
NEW CHALLENGES FOR BUSINESS
As the significance of data continues to grow, an increasing number of companies have prioritised digital transformation as a crucial goal. However, Deloitte's 2021 Future of Cyber Survey highlights that, under pressure from the competition, business leaders often prioritise digital transformation outcomes without fully considering cybersecurity risks. The multifaceted issues and challenges in digital transformation require special attention from legal professionals.
Li Tianhang, Partner at Hui Ye Law Firm, explains to ALB that he has observed two types of enterprises with greater demands for data and Internet-related legal services over the past year. The first type pertains to multinational enterprises seeking assistance with data export, while the second type involves private enterprises seeking compliance with criminal law.
Li and his team closely monitor data export issues. "In recent years, cybersecurity and data protection laws and regulations have been gradually strengthened. Implementing the Personal Information Protection Law and the Measures for Data Export Security Assessment, in particular, has introduced new compliance requirements for data export. In the past year, enterprises engaging in cross-border data transfer have primarily sought data export compliance legal services. There is an urgent need for professional legal service providers, such as law firms, to assist these enterprises in completing relevant security applications."
With the implementation of the Measures for Standard Contracts on Personal Information Export on June 1, the criteria for identifying important data and the list of important data will soon be announced. Li predicts that the demand for compliance legal services related to data export will remain high and sustained in the future.
"Data export legal services are relatively new, with limited experience to reference. Therefore, while conducting internal research, the entire Hui Ye cybersecurity and data protection team has also enhanced communication with regulators. We strive to work in an in-depth, detailed, and thorough manner, accurately assess internal risks, develop reasonable rectification plans, and endeavour to improve the success rate of applications for our clients," says Li.
Wang Yuwei, Partner at Guantao Law Firm and among the first lawyers in China to specialise in cybersecurity and data protection, has also observed the evolving demands of enterprises for data and cybersecurity services. Accordingly, he has planned the development of himself and his team.
"We are focusing on building a legal team specializing in cybersecurity, data privacy, and protection to support the development and innovation of new enterprises or emerging Internet products across various industries."
Notably, Wang adopts new methods and tools to provide services. "To assist companies in coping with increasingly stringent regulations, we guide and aid clients in gradually adopting automation tools and developing standardised data compliance products for key business scenarios. We collaborate with external legal technology teams to explore the productisation of compliance services and automate data compliance. Additionally, our team closely collaborates with regulators and legislators to promote the development of legislation and judicial practices in the field of data compliance in China, ultimately benefiting our clients."
To excel in the field of cybersecurity and data protection, lawyers have recognised the need for specific qualities and attributes. Wang Yuwei, reflecting on his early entry into the field, shares his insights and experiences of industry development trends. He views specialising in cybersecurity and data protection not only as a "career choice" but also as a "passion and responsibility." Wang's strong belief in the future potential of the internet, big data, AI, and his interest in technological advancements have fueled his commitment to this field. He continues to expand his knowledge by actively engaging with cutting-edge technologies, learning from industry innovators, and participating in top companies' projects.
Wu Weiming, a Partner at AllBright Law Offices, emphasises the importance of possessing comprehensive knowledge in serving the complex field. In addition to a solid foundation in legal theory and practical experience, Wu holds a PhD in e-commerce. He believes that a diversified knowledge background provides the basis for delivering effective legal services. It enables lawyers to understand clients' business processes, data handling aspects, and effectively integrate technology, business, and law to offer grounded and compliant legal solutions.
Wu further identifies three key traits cybersecurity and data protection lawyers should possess. Firstly, they should have a strong grasp of information technology's development and application and understand how different information technology applications impact business processes and data handling. Secondly, lawyers should possess a deep understanding of the essence and system of the digital economy. This knowledge allows them to comprehend how network applications and new technologies reshape business processes, identify crucial data protection and control aspects, and develop effective solutions. Lastly, lawyers need to comprehend the specific characteristics of industries since data protection is closely linked to the data life cycle, specific industries, and business processes.
Furthermore, the field of cybersecurity and data protection, with its constant influx of new technologies, models, and regulations, demands that lawyers adapt to these changes. Wu asserts that the ability to proactively study and research, as well as integrate knowledge effectively, empowers lawyers to navigate the evolving external environment.
Experience in other industries also proves valuable for specialisation in this field. Li Tianhang, drawing on his over 15 years of work in the public security industry, credits his solid foundation to becoming a top cybersecurity and data protection lawyer. He believes that all experiences contribute to personal growth, and his background in public security significantly aids his practice and professional development.
Li outlines three key aspects of the benefits derived from his previous experience. Firstly, it establishes a regulatory perspective and thinking model. Li emphasises that cybersecurity and data protection fundamentally involve legal compliance services, which require not only understanding static rules but also dynamic observance and defence. Approaching compliance from a regulatory perspective allows lawyers to offer more practical solutions.
Secondly, it cultivates keen insight and problem-solving skills. Public security organisations are often at the forefront of dealing with emerging societal issues. They are responsible for identifying problems and determining effective solutions. This experience equips lawyers to address new problems, interpret and enforce laws, and enhance the practicality and feasibility of compliance plans.
Lastly, Li highlights the advantage of improving understanding of the internet industry and new technologies. His seamless transition from police to a cybersecurity and data protection lawyer stems from his previous experience in public security law enforcement related to cybersecurity. By staying connected with the internet industry and keeping abreast of new technologies, Li has continuously examined the field's development from both law enforcement and legal service perspectives.
LAW MEETS TECHNOLOGY
In the field of cybersecurity and data protection, having a solid understanding of both law and technology has become increasingly crucial for lawyers. Raymond Wang acknowledges that lawyers are often considered "laymen" compared to their clients. However, he emphasises that lawyers can learn from technical experts in large companies who excel at explaining technical principles and development journeys to non-experts. By taking the initiative to learn, asking pertinent questions, and conducting thorough verification, lawyers can grasp many fundamental technical issues and reduce communication costs without compromising their legal judgment.
Wang believes that lawyers should not limit themselves due to their professional capacity, and the pursuit of knowledge should be driven by curiosity. However, it is essential for lawyers to refrain from pretending to understand when they don't. Admitting a lack of understanding and seeking clarification is crucial. Wang warns against complacency merely because a lawyer has acquired some technical jargon. Failing to genuinely comprehend a matter while giving the impression of understanding can lead to significant mistakes.
Li Tianhang shares this perspective, emphasising the importance of data protection and cybersecurity lawyers having a comprehensive understanding of cutting-edge technologies, their commercial applications, and industry issues. This knowledge forms a strong foundation for smooth communication with industry practitioners and enables lawyers to provide effective legal services. Lawyers must be able to comprehend the companies they serve and industry practitioners, translate complex technological concepts into legal language, identify and extract legal issues, and propose suitable solutions.
However, Li also highlights the challenges of combining law and technology. Cutting-edge technologies often lead to innovation that may conflict with existing laws and regulations. The administrative legal risks in this process are relatively identifiable and manageable, but criminal legal risks can be more difficult to detect. Once criminal legal risks materialise, they become an "unbearable burden" for enterprises and practitioners.
Li has been contemplating how to make criminal legal risks related to data protection and cybersecurity "identifiable and preventable." He believes that criminal justice experience plays a vital role in improving the identification, depth, breadth, and implementation of rules and systems, enhancing risk assessment capabilities, and devising practical strategies to mitigate criminal legal risks.
In the digital era, the rapid development of the economy through new business formats presents both opportunities and challenges. Forward-thinking lawyers are continually contemplating their career aspirations and planning for the future of business and team management.
Raymond Wang believes that while many legal service providers can offer solutions to single problems, only a few can effectively address complex issues. Lawyers must enhance their ability to handle intricate legal challenges to thrive in the emerging data protection and cybersecurity market in the long run. Data compliance naturally intersects with multiple practice areas, such as capital markets, cross-border M&A, export control, antitrust, dispute resolution, labour, and HR. Wang aspires to upgrade his team's capability to handle complex issues continuously, fostering more cooperation with colleagues and peers.
Wang also envisions that the legal profession will increasingly demand strong communication skills in line with the growing complexity of business. In the future, lawyers will need to communicate not only with humans but also with machines. This aspect of law firm and team management will be a significant focus for him.
Wang Yuwei plans to develop his own brand and unique service features. His team aims to enhance automation and response speed by attracting professionals from various industries and disciplines and collaborating with third-party technical agencies. This strategy aims to create distinct brand characteristics and provide clients with more efficient and intelligent legal services and products. Over the next few years, Wang and his team will concentrate on key industries such as V2X, fintech, life health, and smart manufacturing. They will focus on data compliance and adjacent compliance services in data security ecological channels, data element transaction exchange, and enterprise digital transformation to scale up their operations and explore more business opportunities.
Li Tianhang envisions leading a group of like-minded legal professionals to become qualified compliance lawyers and deliver cost-effective, high-quality legal services to clients. He aims to support enterprises in avoiding legal risks and strike a balance between compliance and business model development. Li hopes that his legal services will enable enterprises to navigate legal challenges successfully and foster better development.
Wu Weiming anticipates that the scope of services for lawyers in related fields will further expand in the future. He emphasises the need for lawyers to equip themselves to adapt to evolving business dynamics continuously. Wu's goal is to serve digital development by focusing on data protection and resolving legal issues arising from the application of modern information technology. He aims to prevent and control legal risks associated with digital transformation.
2023 ALB China Top 15 Cybersecurity & Data Protection Lawyers
Sun Chuan 孙川