In the area of data compliance, Ms. Yang has assisted different types of clients to establish, improve, or localize data compliance programs, especially for clients with global business to establish risk prevention and control systems compatible with requirements of various jurisdictions; provided services to improve data compliance, assisted in conducting cybersecurity reviews and responded to the inquiry from Exchange for issuers in the process of listing; represented the investors to conduct data compliance due diligence and provided advice on rectification for IPO and M&A projects; conducted data compliance assessment on the company‘s business operation or product design. Ms. Yang has also represented clients in coping with data protection enforcement activities. As a legal expert, Ms. Yang participated in the discussion and drafting of many national standards, ensuring the consistency of the national standards with the higher legislation, while providing opinions on the feasibility of the national standards in combination with practical experience of the industry.
In the area of anticorruption, Ms. Yang has acted as the core counsel to lead her team to conduct internal investigations in many complex and difficult cases, dealing with legal issues including bribery, financial fraud, data falsification, and has extensive experience in dealing with government regulatory procedures. Ms. Yang conducted anticorruption compliance due diligence on behalf of investors for the target companies, with a cumulative total of over 80 projects, covering the fields of healthcare, financial services, real estate, transportation and logistics, gaming and sports, electronics and communications, technology and software, catering and entertainment, smart manufacturing.
Ms. Yang's representative cases includes:
Data Compliance
Establishment and Implementation of Data Compliance Programs
◆ Assisted a leading domestic financial group with full licenses to conduct data compliance inspection involving complex issues such as financial data aggregation and fusion, cross marketing, and data security governance. Provided the client with solutions for high-risk issues, and comparative study on multiple jurisdictions (e.g., US, Japan, South Korea, Singapore, Hong Kong (China), Taiwan (China).
◆ Continually provided a listed healthcare company with a full range of data compliance services, including identification of data compliance risks, the corresponding rectification and establishment of data compliance system, optimization of such system based on the new laws, and advised on the listing compliance issues caused by data processing, which dived into businesses and internal management and third-party data interaction.
◆ Assisted a leading domestic commercial vehicle financial enterprise to establish data compliance system, conduct risk assessment and implement improvement measures, widely covering data security management and emergency response mechanism, focusing on the internal control, external provision, sharing and other whole-lifecycle risks of processing personal financial data.
◆ Assisted a leading domestic logistics enterprise to conduct data compliance inspection, implement improvement measures, and establish a comprehensive compliance system from data security management to emergency response mechanism, focusing on the internal control, external provision, sharing and other whole-lifecycle risks of processing personal logistics data.
◆ Assisted a renowned international eye-care service company to establish data compliance system, involving data compliance inspection, risk identification and assessment, design and implementation of improvement measures, establishment of a localized data compliance system in China and the convergence with its overseas headquarters’ compliance system. In particular, assisted the company to conduct data classification and grading, and localize the tool for the impact assessment of personal information protection.
◆ Assisted an overseas-listed biotech company to establish a data compliance system, and advised on the legality and optimization for various scenarios, including sensitive issues such as the authorization of patient clinical information, the publicity of patient cases, and the privacy design of data platform.
◆ Provided a leading joint venture securities company with continuous and multi-dimensional data compliance services, involving the bridging between China’s data protection legal system and EU GDPR system, the localization of the group-level data compliance system, the acquisition of individual authorization under the to-B business model and other innovative issues.
◆ Assisted a leading company for world-class resort to establish data compliance system, review the business fallen under the extraterritorial jurisdiction of the PIPL, and revise the bilingual corporate policies, which involve the cross-border transfer of personal information, individuals’ separate consent, and the protection of employees’ personal information, etc.
Data Compliance Due Diligence and Rectification for IPO Projects
◆ Provided an autonomous driving unicorn with continuous, multi-dimensional data compliance services, including the data compliance inspection and gap analysis, the design of rectification plans and the establishment of data compliance system, the responses to data compliance due diligence in multi-round financing, and the application for cyber security review of overseas listing, involving frontier issues such as the compliant utilization of geographic data and vehicle data, the application of cyber security review, etc.
◆ Represented a leading company in medical big data in analyzing the necessity of applying for cyber security review for listing abroad, assisting the company to prepare application materials, and communicating with the CCRC on the company’s behalf. The review involve frontier issues that require legal insight with innovative solutions.
◆ Assisted a top Internet company in the freight industry to inspect the data compliance status, improve the data compliance system and support its Hong Kong listing, involving the gap analysis and risk assessment of the main businesses, the guidance and implementation of the compliance optimization plan, the issuance of specialized legal opinions on its data compliance status and the application of cyber security review for the listing process, etc.
◆ Represented an international freight forwarder to conduct data compliance inspection, focusing on the potential risk of cyber security review of its overseas listing, and assisted the company to disclose the data-related material risks in its prospectus and other documents.
◆ Assisted a leading company in transportation big data to establish data compliance system as a critical part of its IPO process, involving frontier and complex issues such as the utilization of government data, the distinction and connection between vehicle data and personal information, the data aggregation, fusion, and external provision.
◆ Represented an investment company in its investment in the new energy industry to conduct data compliance due diligence, focusing on the potential risk of cyber security review of overseas listing as it processes massive personal information and important data, and assessed the feasibility of data stripping plans.
◆ Represented an investor in its investment in a well-known domestic automobile lidar manufacturer to assess the potential data compliance risks and the application of cyber security review associated with its overseas listing.
◆ Represented the sponsor in the Hong Kong listing of a well-known domestic clothing retailer to conduct data compliance due diligence and assessment, involving the assessment of the target company’s data compliance status, the necessity and manner of regulatory communication, the application, and countermeasures of cyber security review, etc.
◆ Represented the sponsor in the listing of a well-known domestic Internet decoration platform to conduct data compliance inspection as pre-listing preparation, involving the assessment of the company’s data compliance status, the data breach, the protection of high-value customer information and other issues.
◆ Represented an investment company in its investment in the Internet insurance industry to conduct data compliance due diligence, involving the compliance assessment for data processing activities under the traditional to-A business model and the new to-A-to-C business model, in particular the potential risk of cyber security review of its listing.
Ÿ Assisted a renowned domestic healthcare big data company to conduct data compliance inspection and support the overseas listing process, involving the gap analysis and risk assessment on various business units (such as medical big data, precise healthcare, AI, etc.), the guidance on compliance optimization, and the assessment and suggestions on the application of cyber security review for its U.S./H.K. listing.
◆ Assisted a renowned domestic game operator in cyber security review for overseas listing, involving the design of data stripping plan for users’ personal information and the assessment of the application of cyber security review, etc.
◆ Assisted a well-known domestic retail service provider to comprehensively assess the risks of overseas listing, such as cyber security review, and demonstrate the strategic plan of data stripping to reduce risks.
Data Compliance Due Diligence and Rectification for M&A Projects
◆ Represented an Internet giant to conduct data compliance due diligence and risk assessment for dozens of its investments and M&A projects in healthcare, communications, e-commerce, logistics, Internet, FinTech, AI, smart home and other industries, propose suggestions for improvement, and assist with post-investment data compliance rectification for some projects.
◆ Represented a domestic telecommunications giant in its investment in a domestic industrial Internet platform to conduct data compliance due diligence, including the inspection of industrial Internet business model, the verification of data security safeguards, and the assessment on the company’s data compliance risks and the client’s potential investment risks.
◆ Represented a leading domestic financial service group in its investment in the software industry to conduct data compliance due diligence, involving the risk assessment for the business model that deeply utilizes government financial data, in particular the possibility of individual credit reporting business.
◆ Represented a leading domestic private equity fund in its investment in a well-known ESG company to conduct data compliance due diligence, involving important data, sensitive social issues, negative information of special industries, etc.
◆ Represented an Internet giant in its investment in the medical industry and conducted data compliance due diligence, involving the compliance measurement and risk assessment on collecting, using and sharing personal information in Internet hospitals’ online diagnosis and treatment, genetic testing and diagnosis, and online patient education.
◆ Represented an Internet giant in its investment in self-driving tour services industry at home and abroad to conduct data compliance due diligence, involving multiple compliance issues of tourism products, such as the map labelling, the overseas business, and the privacy design of online products data.
Ÿ Represented an Internet giant in its investment in a leading domestic intelligent transportation and ticketing agency company to conduct data compliance due diligence, involving the compliant utilization of traffic big data and government data, anti-unfair competition, and other frontier issues.
Ÿ Represented an Internet giant in its investment in a leading domestic cross-border e-commerce supply chain management platform to conduct data compliance due diligence, involving the data access control, the cross-border data transfer, and other important issues.
◆ Represented an Internet giant in its investment in a leading domestic AI speech recognition service provider to conduct data compliance due diligence, involving the recognition of voice print and other frontier issues.
◆ Represented an Internet giant in its investment in a leading domestic parent-child travel service platform to conduct data compliance due diligence, involving the protection of children’s information under the Personal Information Protection Law and other frontier issues.
◆ Advised an overseas sovereign fund on its investment in a leading domestic e-commerce and community platform, including the content compliance of minors’ information and other issues.
Compliance Assessment on Business Models
◆ Provided a state-owned airline with various data compliance services, including the compliance assessment of business models, the overseas data compliance solutions for its EU and U.S. business, the negotiation with its business partners on data cooperation, the establishment of personal information risk assessment system, the management of employees’ health information, and response to data security incidents.
◆ Provided a domestic listed biomedical company with data compliance assessment and consulting services for its business models, involving complex issues such as the Internet of Things (IoT), data crawling and multi-party data interaction, and advised on the selection of partners based on the assessment.
◆ Assisted a listed biotechnology company to evaluate the legality of its business models and advised on other data compliance issues, involving the compliance analysis and recommendation on processing the information of patients, medical professionals and employees in China and the EU.
◆ Advised a multinational pharmaceutical company on personal information protection in multiple business scenarios, involving frontier issues such as the labour cooperation with doctors, the data collection and sharing in clinical trials, the cross-border data transfer and onward transfer.
◆ Assisted a renowned international biopharmaceutical company to evaluate the legality of its business models and advised on other data compliance issues, involving the revision of consent letter of clinical trial subjects and compliance assessment of cross-border data transfer.
◆ Assisted a leading domestic network security software company to assess the data compliance of its business model and improve the privacy design of its products, including the assessment and improvement of high-risk data processing products, the formulation of bilingual templates of privacy policy and user agreement, the guidance for data compliance of network security products under the PRC Personal Information Protection Law and the EU GDPR, etc.
◆ Advised an internationally renowned payment service company on various data compliance issues, conducted compliance inspection and risk assessment on the collection, use, sharing and cross-border transfer of data under multiple business scenarios, and assisted the company to respond to PBOC’s inquires on data processing activities and cyber security review.
◆ Provided a well-known domestic financial service institution with compliance assessment for its credit reporting business, including the requirements for individual/corporate credit reporting business, the impact of “disconnection policy” on the company's business, the compliance analysis of personal information processing scenarios, etc.
◆ Assisted a leading domestic software company to identify the data compliance risks, and analysed the compliance plans and provide specialized trainings accordingly, involving the division of obligations of multi-parties in the Ad-Tech industry chain, the compliant processing of personal information in personalized advertising, and other frontier issues.
Advice and Resolution to Key Compliance Issues
◆ Provided a leading financial service group with perennial data compliance services, and proposed feasible solutions for the aggregation and fusion of personal financial information, the upgrading of APP privacy design under the Personal Information Protection Law, the protection of employees’ personal information, the risk assessment of ESG data processing and other complex issues.
◆ Advised a leading joint venture financial group on various data compliance issues, involving the cross-border transfer of financial data, the technical architecture and security operation and maintenance of data centre, the sharing and isolation of information systems among financial subsidiaries and other frontier issues.
◆ Advised a well-known domestic life insurance company on data compliance issues, involving the mapping and analysis of personal information processing scenarios, the improvement of privacy policies of multiple products, the improvement of data processing terms with third parties, etc.
◆ Provided an artificial intelligence unicorn with data compliance consulting and training services, involving the risk identification and compliance assessment of its financial big data business, and proposed optimization schemes accordingly.
◆ Represented a well-known international investment institution to deeply analyse the data crawling issues of the target company, including the assessment of legality and legal liability for its data crawling scenarios and methods.
◆ Provided a state-owned enterprise in railway transportation with a full range of data compliance services, such as App governance, data sharing and collaboration, and data compliance assessment for new business.
◆ Advised a leading U.S. GNSS high-precision positioning service company on data protection and mapping for its product collaboration in China, involving frontier issues such as the cross-border transfer of data, the licensing of mapping business, etc., and assisted the client to revise the terms of business collaboration.
◆ Assisted an internationally renowned cosmetics group to revise the position paper on cross-border data transfer and the privacy policies in multiple scenarios, such as individual consumers, business clients, employees, and internal R&D, focusing on the bridging between the global data compliance system and the localized version in China.
◆ Provided a renowned multinational environmental protection company with data compliance consulting and training services, involving frontier issues such as whether the data collected and processed during public services constitutes important data.
◆ Advised a multinational hotel group on data protection issues, , focusing on the cross-border transfer of personal information, the privacy policy, the acquisition of individuals’ separate consent, the protection of employees’ personal information, etc.
◆ Advised a well-known domestic retail service provider on data compliance issues, involving the assessment of data collection by CCTV cameras in order for site selection, the assessment of data escrow, etc.
◆ Advised a European pioneer in digital management of industrial assets and automation of transportation on data compliance issues, involving the legal obligations of industrial data processors, the classified and graded management of industrial data, the cross-border transfer of data, so as to improve its data compliance and security status in China.
◆ Advised a U.S. data analytics company on cross-border contract disputes arising from data, involving multiple data compliance issues such as cross-border data transfer and big data-driven precision marketing, and cross-border litigation issues such as the jurisdiction and enforcement of contracts involving foreign interests.
◆ Advised a well-known domestic life insurance company on data compliance issues, involving the improvement of privacy policies of multiple to-customer products, and the training about the Personal Information Protection Law, etc.
◆ Advised a well-known domestic commercial bank on business compliance under the Personal Information Protection Law, involving the automated decision-making, the sharing of personal financial information and other frontier issues.
◆ Assisted a listed data centre to respond to the data compliance inquiries from regulatory authorities, including the mapping of data processing activities, the identification of data security risks, the analysis on the impact of overseas listing on national security, and the estimation on whether it constitutes critical information infrastructure, etc.
◆ Advised a leading domestic financial group on whether the ESG scores and the underlying data constitute important data, and based on such assessment, formulated compliance plans for the external provision, cross-border transfer, aggregation, and fusion of such data.
◆ Assisted a renowned domestic electronic equipment manufacturer to evaluate whether the health data from wearable devices constitutes important data, and analysed the compliance of cross-border transfer of health data and propose compliance plans accordingly.
◆ Assisted a renowned foreign company to identify and assess the data compliance risks in the remote operation and maintenance of its medical devices, and design the corresponding compliance plan.
Data Compliance Services for Chinese Companies Expanding Overseas
◆ Provided a state-owned airline with various data compliance services, including the compliance assessment of business models, the overseas data compliance solutions for its EU and U.S. business, the negotiation with its business partners on data cooperation, the establishment of personal information risk assessment system, the management of employees’ health information, and response to data security incidents.
◆ Assisted a leading domestic game company to revise the data compliance policies for overseas product launch, involving the data compliance requirements in multiple jurisdictions, the different desensitization methods for game-related data and other frontier issues.
◆ Provided a leading joint venture securities company with continuous and multi-dimensional data compliance services, involving the bridging between the China’s data protection legal system and the EU GDPR system, the localization of the group-level data compliance system, the acquisition of individual authorization under the to-B business model and other innovative issues.
◆ Assisted a leading domestic network security software company to assess the data compliance of its business model and improve the privacy design of its products, including the assessment and improvement of high-risk data processing products, the formulation of bilingual templates of privacy policy and user agreement, the guidance for data compliance of network security products under the PRC PIPL and the EU GDPR, etc.
◆ Represented an Internet giant in its investment in self-driving tour services industry at home and abroad to conduct data compliance due diligence, involving the map labelling, the overseas business, and the privacy design of online products data.
Response to Data/Cybersecurity Incidents and Administrative Investigations
◆ Represented financial, e-commerce and aviation companies in responding to data security incidents; advised on communicating with regulatory agencies, notifying personal information subjects and handling complaints from them, managing media disclosure and tracking public opinion; after the security incidents, assisted in conducting internal vulnerability review and improving crisis prevention and handling capabilities.
◆ Represented a leading e-commerce platform in response to an administrative investigation initiated by the public security authorities regarding its alleged breach of the Cybersecurity Law; discussed with the authorities about the implementation of information security level protection system and the company’s data security management system, and the effectiveness of the emergency response mechanism; the discussion yielded positive results.
◆ Assisted a cloud computing company to draft a cybersecurity incident response manual, develop response strategies for security incidents of different risk levels, set up response teams, and conduct simulation exercises to ensure that the response mechanism was reasonable and effective.
◆ Represented a U.S. advertising company in review and self-assessment of potential state secrets and personal information before the cross-border data transfer to U.S. regulators. The data was sensitive since the case was related to 3 criminal investigations.
Anti-Corruption Compliance
Anti-Corruption Compliance Due Diligence
◆ Represented an Internet giant in its asset acquisition of a state-controlled company to conduct anti-corruption compliance due diligence. The target company has a long history and numerous subsidiaries across many industries such as chip, semiconductor, storage, cloud service, etc. The due diligence assessed the anti-corruption risk of each subsidiary, identified the government background of key management, and developed a forward-looking and implementable rectification plan.
◆ Represented a domestic Internet giant in its investment in local services industry to conduct anti-corruption compliance due diligence. The due diligence involved complex and concealed issues, and we adopted various investigation measures to track the capital flow and conduct background check for the investor to make informed investment decision.
◆ Represented a U.S. listed investor in its investment in the real estate industry to conduct anti-corruption compliance due diligence, involving the analysis and advice on the key person’s anti-money laundering risks.
◆ Represented a domestic Internet giant in its investment in the chip industry to conduct anti-corruption compliance due diligence, involving the compliance assessment of business models and the evaluation of compliance management system.
◆ Represented an Internet giant in its investment in a leading online healthcare company to conduct anti-corruption compliance due diligence, which involved the compliance assessment of business models and incentive system, and the suggestions for improvement thereof.
◆ Represented a leading domestic financial service group in its investment in the e-government information system industry (the agricultural and rural segment) to conduct anti-corruption compliance due diligence. Coordinated the background check firm to conduct in-depth investigations on the corruption risk of the target company’s business development model and the founder’s government background. The due diligence result played an important role in the investment decision.
◆ Represented a leading domestic financial service group in its investment in a tax reporting company to conduct anti-corruption compliance due diligence. Coordinated the background check firm to conduct in-depth investigations on the company’s interaction with government, and assessed the compliance risk based on the investigation results.
Internal Investigations and Dispute Resolutions
◆ Represented a multinational communications equipment company in handling internal investigations relating to potential violations of the FCPA, and assisted U.S. lawyers in disclosure to Department of Justice. Two years later, the U.S. Department of Justice (DOJ) declined the prosecution. Meanwhile, conducted the assessment and review of national secrets and personal information before the relevant documents are transferred abroad.
◆ Represented a large pharmaceutical company in a number of internal investigations related to potential violations of FCPA, PRC anticorruption laws, and anti-fraud regulations, involving hundreds of employees in more than a dozen cities, various types of transactions related to the pharmaceutical industry, and meanwhile, participated in the investigation and the corresponding risk assessment in labour law.
◆ Represented a global technology company in a number of internal investigations for anti-corruption compliance issues arising from internal audits and anonymous whistle-blowing, involving making detailed investigation plans, carrying out comprehensive investigation and verification, identifying violation scenarios, and providing recommendations on how to deal with relevant employees and enhance compliance program.
◆ Assisted an internationally renowned theme park in conducting an internal investigation of potential fraud and conflict of interests against its senior executive and vendors, advised on how to deal with relevant employees and vendors, and represented the client in civil litigations arising therefrom.
◆ Conducted an internal investigation as an independent third party on the misconduct of senior executives of a state-owned airline in China, and provided legal advices on the disclosure obligations of stock exchanges in China and Hong Kong (China) on related issues.
◆ Provided a renowned joint venture payment service company with internal whistleblowing support services, including design of the questionnaire and procedure to handle whistleblowing complaints, propose factors to consider for escalation of the complaint, and the daily consultation surrounding maintenance of the hotline.
◆ Assisted a renowned Hong Kong listed Internet medical company to follow up with a criminal investigation and an associated civil litigation that involved the founder of the target company, analysed and evaluated risks of the founder’s possible criminal liability and the potential impacts on the investment.
◆ Assisted a U.S. listed online education group in an internal investigation of securities fraud according to the U.S. law.
Government Enforcement Response
◆ Represented a multinational pharmaceutical company in cooperation with market regulatory authorities in commercial bribery investigation, involving turnover of hundreds of millions. The company was ultimately not punished.
◆ Represented a multinational precise instrument company in cooperation with the tax authorities in the investigation of the false issuing of invoices. Because of the complexity and sensitivity of this case, the U.S. headquarter attached great importance to the matter.
◆ Assisted a well-known banker as a witness to accept the inquiries from the police and assisted in provision of documents and other later communication. The alleged case involved illegal fund-raising of hundreds of billions of RMB yuan.
◆ Represented a global leading foodstuffs company to conduct administrative review about an administrative penalty decision from the Food and Drug Supervision and Management Authority, and the administrative penalty decision was ultimately revoked.
◆ Represented a well-known luxury brand in handling consumer complaints about product quality, and to communicate and coordinate legal issues with law enforcement agencies.
◆ Represented a well-known pharmaceutical company to conduct comprehensive compliance review for its joint venture in China and provided advices for improvement.
Compliance Assessment on Business Models
◆ Assisted a subsidiary of a state-owned enterprise to evaluate key compliance areas, and according to the assessment, assisted the client to improve its overseas compliance system construction and reduce the law enforcement risks in overseas business, which involved the drafting of compliance manuals for anti-corruption in several jurisdictions (U.S. FCPA, United Kingdom, France, etc.) and the World Bank sanction.
◆ Represented a state-owned enterprise to carry out compliance system construction, identified compliance risks in domestic and overseas business and provided compliance training on key issues including anti-corruption and data protection.
◆ Assisted a secondary subsidiary of a state-owned enterprise to carry out compliance system construction, focusing on production safety management that may be involved in its domestic operations, as well as anti-corruption and export control compliance risks that may be involved in its overseas operations.
◆ Provided perennial legal advisory service for a large asset management company with state-owned background, including compliance scanning of economic sanction lists and trade control lists for business partners designated by the client, involving the economic sanction lists and trade control lists of major countries or international organizations, such as the United States, the United Nations, the European Union, and World Bank.
◆ Assisted a renowned Internet medical company to conduct anti-corruption compliance examination, involving the compliance assessment of business models, the analysis of the latest regulatory trends in the pharmaceutical industry, and the optimization of doctor’s remuneration system.
◆ Assisted an internationally renowned theme park to assess the anti-corruption risk of compliance management issues in its business, and customize a compliance operational plan.
◆ Assisted a renowned, Hong Kong listed Internet medical company to assess the compliance risk of contemplated incentive program and conduct industry research.
