The conviction of six Nestlé employees and three employees of state-run Chinese hospitals for crimes relating to the illegal distribution of personal information highlights the complicated nature of data privacy risk in China. The Nestlé employees were found guilty of illicitly obtaining personal information by providing bribes to foreign officials and members of the hospital staff were found guilty of providing that information. Notably, the charges were brought under laws relating to the distribution of breast milk substitutes, not anti-bribery, data privacy or cybersecurity laws. The Cybersecurity Law Report’s sister publication, PaRR, discussed the case with local experts who explained the intersecting risks, and how Nestlé escaped corporate liability. See our two-part series on data security in China: “Understanding Data Privacy and Cybersecurity in China (Part One of Two)” (Sep. 7, 2016); Part Two (Sep. 21, 2016).