Apple has asked its largest suppliers to consider the feasibility of shifting 15% to 30% of its output from China to Southeast Asia and asked major suppliers to evaluate the cost of such a migration. Suppliers included iPhone assemblers Foxconn Technology Group, Pegatron and Wistron, MacBook maker Quanta Computer, iPad maker Compal Electronics and AirPods makers Inventec, Luxshare-ICT and GoerTek. Most of iPhones and iPads are made in China and the country is also Apple’s largest international market. If U.S.President Donald Trump goes ahead with new tariffs on about USD300 billion worth of Chinese goods, this would levy a punitive tax on Apple’s most profitable products.

The company, however, has a backup plan if the U.S.-China trade war gets out of hand. Primary manufacturing partner Hon Hai Precision Industry has said it has enough capacity to make all U.S.-bound iPhones outside China if necessary. The Taiwanese contract manufacturer now makes most of the smartphones in the Chinese mainland and is the country’s largest private employer.

“Apple has probably invested more in a China-centric supply chain than any successful company in recorded history. To just presume that they can jettison everything they have achieved with Foxconn and move to an alternative platform and get the same product with the same quality and the same assembly protocols without skipping a beat – I mean, anything is possible, but that to me sounds like a great tale of fiction,” said Stephen Roach, Professor at Yale University and former Chairman of Morgan Stanley in Asia. China accounts for an important, but declining, share of Apple’s revenue: 10.22% in the second quarter this year, according to Statista, down from 13.17% in the previous quarter and its all-time peak of 17.96% in the first quarter of 2018.

“There is no question that if Apple goes, others will follow,” said Alex Capri, a visiting fellow at the National University of Singapore, who has been predicting decoupling for the past two years. “They are a primary link in the chain. There are a lot of links in that chain that are reliant on Apple. When you have something as big as Apple moving, others have to go where their customer needs them,” the South China Morning Post reports.

China has issued new guidelines for artificial intelligence (AI) research and applications, that will serve as a framework for scientists and lawmakers to promote the “safe, controllable and responsible use” of AI for the benefit of mankind. The document was published by the National Governance Committee for New Generation Artificial Intelligence. The Committee consists of AI and public policy experts from different universities and research institutions who examine the effect of AI on laws, ethics and society. The eight general principles in the document say scientists developing AI and its applications should respect and uphold human values and ethics and prevent their work from being misused or abused by malicious actors.

In addition, AI research should be conducted in a fair, inclusive and open manner that protects the interests of all parties involved, from developers to consumers. Also emphasized are privacy protection, international cooperation, responsible use of AI, and creating timely regulations to keep up with AI’s rapid development.
“AI technology is developing very fast and is changing everything in society, including economic structures, governance, national security and even international relations,” said Xue Lan, Dean of Schwarzman College at Tsinghua University and Chairman of the Committee. He added that AI technology has also raised many new and complex issues, including spreading misinformation using “deepfake videos” – AI-manipulated footage that has become increasingly difficult for ordinary viewers to recognize.

Earlier this month, the United States Congress held its first hearing on “deepfake media” and its role in degrading trust in government institutions and news outlets. Legislators warned such technology, if unregulated, could have a disastrous effect on elections. Zeng Yi, Researcher at the Institute of Automation of the Chinese Academy of Sciences (CAS), said that some 40 nations and international organizations have published guidelines on the technology. “It is crucial for China to be a part of the conversation and provide its own knowledge and experience, so everybody can learn best practices from each other and improve,” he said. Li Renhan, Member of the National Governance Committee for New Generation Artificial Intelligence, said China’s rapid AI progress in recent years is mainly due to four reasons: large data resources, wide application scenarios, high AI-related research output, and strong government support, the China Daily reports.

China continues to dominate a list of the world’s fastest supercomputers by the number of systems, according to a semi-annual ranking of the TOP500. China tops the supercomputer list with 219 systems, or 43.8% of the total, followed by the United States with 116, Japan third with 29 systems, followed by France, Britain and Germany. Major Chinese supercomputer vendors all improved their shares from six months ago. Lenovo claims the greatest number of systems on the list with 173, followed by Inspur with 71 and Sugon with 63.

The top of the list remained largely unchanged. Two U.S.-built supercomputers, Summit and Sierra, retain the first two positions, both powered by IBM Power 9 CPUs and NVIDIAV100 GPUs. The Summit delivered a record of 148.6 petaflops on the High Performance Linpack (HPL) test. China’s Sunway TaihuLight supercomputer at the National Supercomputing Center in Wuxi holds the third position with 93.0 petaflops. China’s Tianhe-2A (Milky Way-2A) at the National Supercomputer Center in Guangzhou is No 4 on the list. Frontera, a U.S. system at the Texas Advanced Computing Center of the University of Texas, is the only newcomer in the top 10.

For the first time in the 26-year history of the ranking, all systems that made the list are petaflop systems. Those in the United States are on average more powerful, allowing the country to maintain its lead in overall HPL capacity, with 38.4% of the aggregate list performance. China comes second, with 29.9% of the total, the Shanghai Daily reports.

The U.S. Commerce Department said it was adding five Chinese companies and a government-owned institute involved in supercomputing with military applications to its national security “entity list,” which bars them from buying U.S. parts and components without government approval. The department said it was adding Sugon, the Wuxi Jiangnan Institute of Computing Technology, Higon, Chengdu Haiguang Integrated Circuit, and Chengdu Haiguang Microelectronics Technology to the list over concerns about the military applications of the supercomputers they are developing.

The Commerce Department said the companies “pose a significant risk of being or becoming involved in activities contrary to the national security and foreign policy interests of the United States.”The Wuxi Jiangnan Institute of Computing Technology is owned by the 56th Research Institute of the General Staff of China’s People’s Liberation Army (PLA), the Commerce Department said, adding “its mission is to support China’s military modernization”, the China Economic Review reports.

The 2019 Sino Benelux Business Survey is organized by the Benelux Chamber of Commerce in Beijing, Shanghai and Guangzhou, supported by the official trade-and diplomatic representations of Belgium, The Netherlands and Luxembourg in China and in partnership with MSAdvisory. The organizers have investigated how the Benelux business community in China has performed in 2018, their experiences in the market and what their expectations are for 2019.

Similar to previous years, this survey was conducted so that the Benelux business community and other important stakeholders can better understand the Chinese business climate and how they may improve within its challenging business environment.

This year 139 companies have participated in the Sino-Benelux Business Survey. Most of the respondents come from Industrial Goods and Services (41%). The Industry with the second highest participation is Consumer Goods and Services (27%). On average, the respondents have operated in China for 12.1 years. More than 50% of the respondents are SMEs with revenue from RMB 1 million to RMB 100 million.

The performance of Benelux businesses in China remained fairly positive, with 86% of respondents reporting revenue growth and 85% reporting profits. SMEs (companies with 0-49 employees or up to RMB 10 million in revenue) represent the group with the highest percentage of revenue growth > 20%. The percentage of companies reporting no revenue growth or growth >20% increased for the first time since 2015; we observe a more volatile market with more winners and losers. Companies in the Consumer Goods sector reported the highest revenue growth; 45% of the respondents reported revenue growth over 20%.

Increased Turnover and Economies of Scale (28%) are the most significant positive drivers for Benelux business in China. This year, fewer companies perceive the Chinese Market to be favorable (58%) compared to last year (66%). Only 18% of the respondents came across BRI partnership and business opportunities, of which the majority are SMEs. Salary costs (24%) is the most significant negative driver in 2018, following a similar trend from previous years. The percentage of companies which perceive that the “Level Playing Field” and “Regulatory environment” has become more restrictive has increased. 37% of the respondents said they were affected by the China-U.S. Trade War.

Most participants have good expectations on their revenue and profit growth for 2019, with 89% expecting revenue growth and 93% expecting profits. Both Dutch and Belgian companies are much more optimistic about their profit expectations, with respectively 92% and 96% expect to make profit in 2019. All startups are expecting revenue growth, as well as over 80% of respondents from the Consumers Services industry. The majority of Benelux companies attributed the fact that they were making profits to revenue growth (49%), whereas a further 38% attributed this to both revenue growth and cost savings.

In their conclusion the organizers made following remarks:
• Despite recent reforms, we observe a continuous more negative perception of the Chinese business environment as compared to previous years.
• Salary Costs and Administration Costs are again a major concern for businesses in China.
• Companies from the Benelux actually felt the impact of the China-U.S. Trade War.
• In 2018, again business has been profitable for Benelux companies in China.
• In addition, the respondents have positive expectations for the growth in 2019, which is mostly driven by continuous Use of Technology and Increased Turnover which arises due to a very receptive market.
• More volatile market conditions which result in winners and losers.
• Negative perception but good results!

The past month has witnessed a flurry of activity from Chinese regulators that has resulted not only the publication of multiple standards and draft regulations in the areas of cybersecurity and data protection, but also two related enforcement initiatives with the potential to tangibly impact companies in China. Below we provide a brief summary of each of these important developments.

Legislative Developments

Measures related to the Cross-border Transfer of Personal Information. On June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the draft Measures on Security Assessment of the Cross-border Transfer of Personal Information, intending to create a cross-border data transfer mechanism to govern all transfers of personal information by network operators (e.g., companies). (See our blog post here.) These draft measures introduce a broad jurisdictional scope for regulating cross-border transfers of personal information, and require all network operators to undergo a security assessment before transferring any personal information collected in China to recipients outside of China. Furthermore, network operators must implement contracts with personal information recipients outside of China, requiring them to fulfill certain data protection obligations and including a third-party beneficiary clause that would provide individuals with a legal means to enforce their rights and seek compensation for abuses of personal information, among other requirements.

Protection of Children’s Personal Information Online. On May 31, 2019, the CAC released the draft Regulation on the Protection of Children’s Personal Information Online, which sets out heightened requirements for network operators when collecting, storing, using, transferring or disclosing the personal information of minors, defined as under 14 years old. (See our blog post here.) Notable requirements include: providing notice to and obtaining consent from guardians acting on behalf of minors; appointing an internal person responsible for overseeing the protection of children’s personal information; implementing internal access controls; conducting data security assessments for certain data-sharing activities; implementing measures to facilitate the exercise of individuals’ rights; and implementing an incident response plan. CAC may enforce these provisions in a variety of ways, including fines of up to RMB 1 million (~$145,000), closing down a website, revoking a business license, or even criminal prosecution.

Data Security Management. On May 28, 2019, the CAC released the draft Measures for Data Security Management, which incorporate some previously issued requirements for personal information protection while also introducing several new rules for the protection of “important data.” (See our blog post here.) Requirements to protect personal information address issues such as notice and consent, data subjects’ rights, targeted advertising, data sharing, data retention, and incident response. Requirements to protect “important data” (i.e., “data that, if leaked, may directly affect China’s national security, economic security, social stability, or public health and security”) include, for example, notifying the local CAC if a business collects important data or sensitive personal data for “operational purposes,” and conducting a security assessment for cross-border transfers. The draft measures provide the CAC with a variety of means by which to enforce these provisions and punish violations – not only through fines and penalties, but also with the possibility of criminal prosecution.

Cybersecurity Review when Procuring Network Products and Services by CII. On May 24, 2019, the CAC released the draft Measures on Cybersecurity Review, which have the objective of safeguarding the procurement of network products and services by Critical Information Infrastructure (“CII”) operators that may impact the national security of China. (See our blog post here.) The cybersecurity review process laid out in these measures includes a self-assessment of risks associated with the procurement of network products and services. If the self-assessment flags specific risks, then the CII operator must undergo a review by an inter-agency body comprised of members from eleven different government agencies. In some ways similar to the CFIUS review process in the United States, members of the CAC review body will assess the national security risks associated with the procurement, considering factors such as: supply chain transparency and security; influence on technologies and industries relating to national defense, the military and CII; and whether the provider receives funds from or is controlled by a foreign government.

MLPS 2.0 Standards. On May 13, 2019, China’s State Administration for Market Regulation released three standards related to the country’s Cybersecurity Multi-level Protection Scheme (“MLPS”), describing technical and organizational controls that companies must implement to comply with MLPS-related obligations. (See our blog post here.) These standards (commonly referred to as “MLPS 2.0”) include provisions to: (i) significantly expand the applicability of the MLPS by broadening the definition of “information systems”; (ii) establish common controls for all types of systems; and (iii) establish extended controls for certain types of systems. The MLPS 2.0 standards introduce different technical and organizational controls for companies at different security classification levels and provide important technical guidance for companies that are making efforts to comply. Certain extended controls – such as localized infrastructure, storage, and maintenance for cloud computing systems – could, if they become mandatory, potentially raise significant compliance issues for global cloud service providers and their customers.

Enforcement Initiatives

MLPS Systems Audit. In early June, we understand from some of our multinational clients that the Public Security Bureaus (“PSBs”) of both Beijing and Shanghai are requiring companies to submit information regarding “important systems” which must be certified under MLPS. This self-reporting can take the form of submitting spreadsheets to PSBs, identifying systems potentially in scope, and providing proof of MLPS certification. We further understand that after the completion of the PSB’s collection of information from company systems, the next step in the process is for the PSB to conduct on-site inspection of company systems. Apparently, these inspections will be done at random, although it is believed that the PSB will focus on systems classified as Level 3 or higher. The on-site inspection may also involve the use of scanning tools to examine company systems, although it is unclear at this time exactly what tools the PSB may use.

Mobile Application Privacy Check. We have also received reports from multinational clients that regulators at both the central and the local levels (including but not limited to local PSBs) are currently carrying out a campaign to audit the collection and use of personal information via mobile applications. Specifically, some clients have received an audit report from PSB which identifies gaps in two main aspects of mobile application privacy compliance: collection of user data through API or SDK and privacy policy. Our clients were told that they must remediate these gaps in one month to avoid further regulatory action. Many of the requirements for compliance are quite prescriptive, as outlined in the CAC’s “Guidelines for Self-Assessment on Illegal Collection and Use of Personal Information” and the “Identification Methods for Illegal Collection and Use of Personal Information by Apps.” These rules focus particularly on the privacy notice (e.g., its presentation, readability and consistency), and the means by which consent is obtained (i.e. whether an application obtain user data through API or SDK without obtaining explicit permission from users).

If you have any questions concerning the material discussed in this client alert, please contact the following members of our
Data Privacy and Cybersecurity practice:
Tim Stratford +86 10 5910 0508 tstratford@cov.com
Yan Luo +86 10 5910 0516 yluo@cov.com

This information is not intended as legal advice. Readers should seek specific legal advice before acting with regard to the subjects mentioned herein. Covington & Burling LLP, an international law firm, provides corporate, litigation and regulatory expertise to enable clients to achieve their goals. This communication is intended to bring relevant developments to our clients and other interested colleagues.