Imminent changes to the legal landscape in China likely will further complicate investigations and litigation involving information stored in China.
China recently released second drafts of its Data Security Law (DSL) and its Personal Information Protection Law (PIPL) for public comment (see analysis here). Among other provisions, the two laws would impose a new requirement that, if a judicial or enforcement agency outside of China requests data stored in China — either personal data or non-personal data — companies must first obtain the approval of the Chinese government before transferring the data, or face potential penalties, such as fines.
Once enacted, the DSL and PIPL will add to a patchwork of laws and regulations that affect data transfers out of China, including, for example, the revised State Secrets Law in 2010 and the International Criminal Judicial Assistance Law (ICJAL) in 2018 (which we wrote about for the FCPA Blog here and here). A chart comparing the enforcement-related transfer restrictions in the draft DSL, the draft PIPL, and the ICJAL is available upon request.
Outside of the investigation and litigation context, the DSL and PIPL, together with China’s Cybersecurity Law, will establish a complex data protection and cybersecurity regulatory framework governing cross-border transfers of personal and non-personal data.
The proposed provisions in the DSL and PIPL would supplement existing laws in a number of ways:
(1) the DSL and PIPL together cover a broad scope of data,
(2) the DSL and PIPL apply to all requests from judicial and enforcement agencies outside of China, without distinguishing among requests (unlike the ICJAL, which applies only to criminal matters), and
(3) these laws impose penalties for violations (unlike the ICJAL, which has no penalties for non-compliance).
The new provisions do limit the scope of data subject to such restrictions to data “stored in China,” although this term is left undefined in both laws.
Article 35 of the DSL states that if a judicial or enforcement agency outside of China requests data stored within China, such data shall not be provided without the approval of an unspecified “competent government agency” in China (presumably the Ministry of Justice and potentially others), except for data requests that are subject to a separate treaty or agreement, where China, as a party to the treaty or agreement, “may” comply with such requests. The DSL states that it does not apply to state secrets, personal information, or military data, but it applies to all other scenarios in which companies process non-personal data.
Article 46 of the DSL describes the potential penalties for violations, ranging from a warning to a fine between RMB 100,000 and RMB 1 million (about $15,500 to $155,000) for companies and a fine ranging between RMB 20,000 and RMB 200,000 (about $3,100 to $31,000) for responsible employees.
Article 41 of the PIPL includes a nearly identical prohibition on transferring personal information stored in China to a judicial or enforcement agency outside of China without prior approval. The PIPL defines “personal information” as “various types of electronic or otherwise recorded information relating to an identified or identifiable natural person,” which is largely consistent with the definitions used by Europe’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law.
The PIPL does not include a penalty specific to violating this article, but companies violating the PIPL may be subject to a baseline fine of up to RMB 1 million (about $155,000). If the violation is deemed “serious,” the fine — in addition to the disgorgement of illegal income — may be increased to RMB 50 million (about $7.8 million) or five percent of the company’s annual revenue for the prior financial year. The violation may also be included in the company’s record in China’s social credit system.
The draft DSL and PIPL leave unanswered a number of questions, including what non-China agencies may qualify as “judicial and enforcement agencies,” how requests for data stored in Hong Kong and Macau may be impacted, what data might be considered as “stored” in China, and the precise approval process to transfer data outside of China.
Even though uncertainties remain regarding the Chinese government’s plan to implement these provisions, the proposed restrictions in the DSL and PIPL further complicate the dilemma a multinational company may face when confronted with a government request or judicial order to produce data or documents stored in China: comply with the request and face potential penalties and hardship for violating Chinese law, apply for approval from the Chinese government (which may take an extended time or be ultimately unsuccessful, and may even be prohibited by the laws of the requesting country), or refuse to comply with the request and face adverse consequences under the laws of the requesting country. Against this background, companies will need to continue to evaluate a number of factors when faced with a request from a judicial or enforcement agency to produce data stored in China.
These factors could include:
- The circumstances for the data transfer. For instance, is the data for a purely internal review, audit, or investigation? If so, how likely is a subsequent disclosure, whether voluntary or involuntary, to a government agency in the future? Is the company under a court order or subject to other compulsory processes to produce such data? Or, has a non-Chinese enforcement agency like the DOJ or SEC already made a request for the data?
- The extent to which data stored in China is controlled by the entity receiving the request from the judicial or enforcement agency. Under U.S. law, companies are required to produce data and documents within their possession, custody, or control, regardless of where those data and documents are located and regardless of what blocking statutes in other jurisdictions might restrict cross-border transfers. Whether a company has “possession, custody, or control” over foreign-stored evidence is a fact-bound assessment, and can turn on factors such as the practical ability of the company to access the data from outside of China and the contractual and ownership relationships between the relevant corporate affiliates.
- Whether the data or the information contained in the data is available in other locations or through other means. For example, the data might already exist in servers outside of China because it was sent to employees based outside of China in the normal course of business or for other purposes.
- The level of interest by China or the requesting country in the data. As an oversimplified example, a request for employee expense reports stored in a private company’s financial systems in China would presumably be of less interest to the Chinese government than information about the company’s sales to a sensitive entity affiliated with the Chinese government. (Seeking approvals may alert the authorities to situations they may not have been aware of, which would increase the risk of parallel investigations or enforcement actions.)
According to China’s legislative plan, both the DSL and PIPL are likely to be enacted in the next two to three months. Although the timing is less certain, implementing regulations should follow thereafter to provide more regulatory guidance on how these two provisions will be interpreted and implemented.
Helen Hwang and Eric Carlson co-lead Covington & Burling’s Asia compliance and investigations practice. Both are fluent in Mandarin and specialize in investigations and anti-corruption compliance, with a particular focus on China. Yan Luo, a partner in Covington’s Beijing office who handles a range of China-focused regulatory matters in connection with data privacy and cybersecurity, provided valuable input to this post.