SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
PRC legal regime on protection of personal information
On 20 August 2021, the Standing Committee of the National People’s Congress (SCNPC) adopted the Personal Information Protection Law (the PIPL), the long-awaited and first omnibus personal data protection legislation in China. The PIPL took effect on 1 November 2021.
The PIPL, together with the PRC Cybersecurity Law (in effect since 1 June 2017) and the PRC Data Security Law (in effect since 1 September 2021), forms the three pillars of the PRC data protection regime, providing the legal framework from, respectively, the personal information protection, cybersecurity and data security perspectives.
Pre-PIPL provisions regulating the collection and processing of personal information are piecemeal and scattered across a variety of PRC laws and regulations, with substantial overlaps and arguable inconsistencies among them.
The PIPL in essence provides an omnibus rulebook for those who process the personal information of individuals located in China, regardless of whether those processors of personal information are in China themselves or are outside China.
The PIPL establishes a new comprehensive regulatory framework for personal information protection in China, significantly changing China’s current data privacy regulatory landscape. In the meantime, we observe that the Chinese regulators have recently been picking up pace in perfecting the data privacy regime and carrying forward the implementation of a number of provisions under the PIPL by publishing detailed implementation rules. Some of these implementation rules have been put into effect, and some are still in public consultation. We expect that China’s data privacy regime will continue to evolve quickly, a fact local and international business operators are now well aware of.
After the promulgation of the PIPL, other laws and regulations regulating the collection and processing of personal data in China will still be effective unless specifically repealed. However, it is expected that the interpretation and implementation of those laws and regulations will be aligned with that of the PIPL or be amended to be consistent with the latter.
General restrictions on cross-border transfer of personal information
A variety of PRC data protection laws and regulations impose restrictions on cross-border data transfers.
The Cybersecurity Law takes a bifurcated approach to deal with data generated and collected by different types of data processors, one being the data generated and collected by network operators, and the other being data generated and collected by critical information infrastructure operators (CIIOs).
Under the Cybersecurity Law, the general restriction on cross-border data transfer originally concerned only CIIOs. It provides that personal information and important data generated and collected within the territory of China by CIIOs in the course of their operations must be stored within China. If such data needs to be transferred overseas out of business necessity, the transfer must undergo a security assessment in accordance with the relevant regulations jointly issued by the cyberspace authority and other relevant authorities.
The concept of “critical information infrastructure” is defined in the Critical Information Infrastructure Security Protection Regulations (the CII Regulations), which took effect on 1 September 2021, as “important network facilities and information systems of key industries and sectors such as public communications and information services, energy, transportation, water conservancy, finance, public services, E-government and defence technology industry, as well as those network facilities and information systems that once damaged, disabled or having suffered a data leakage, may severely threaten national security, the national economy, people’s livelihood or public interest”.
The term “personal information”, as further clarified by the PIPL, is defined as “all kinds of information recorded electronically or through other methods related to identified or identifiable natural persons, not including information after being made anonymous”.
While the concept of “important data” was first mentioned in the PRC Cybersecurity Law in 2017, there has not been a unified definition across various legal documents. The most authoritative and relevant definition to date is in the Measures on Security Assessment for the Cross-border Transfer of Data, where important data is defined as data that “once tampered with, destroyed, leaked, or illegally acquired or used, may endanger national security, economic operations, social stability, public health and safety, etc”. This definition outlines the contours of important data but does not set up a practical guide that data processors can follow to classify and categorise their data. The PRC authorities have released several rounds of consultation drafts for a national standard specifying how to identify important data (the Identification Guide of the Important Data (Draft for Comments)). Based on these drafts, Important Data are mostly related to the following matters:
- economic operations;
- demography and health;
- natural resources and environment;
- science and technology;
- security protection (physical and cyber);
- user data and usage data for certain sensitive application services; and
- activities of governmental authorities.
Based on the latest draft of the guide released on 13 January 2022, specific categories and characteristics of Important Data relevant for particular districts and/or industries will be further elaborated on by the regulators overseeing that district and/or industry.
In terms of the “security assessment”, on 7 July 2022, the Cyberspace Administration of China (CAC) released the Measures on Security Assessment for the Cross-border Transfer of Data (the Security Assessment Measure). The Security Assessment Measure will take effect from 1 September 2022. In short, qualified self-assessment and data transfer legal instruments are the key requirements to pass the formal CAC security assessment.
Additionally, and for personal information specifically, in a significant regulatory step beyond the PRC Cybersecurity Law, the PIPL extends the personal information localisation obligation to cover not only CIIOs but also personal information processors that process personal information above a volume threshold to be set by the state cyberspace authority (Significant Volume Processors). Significant Volume Processors must also undergo a security assessment before carrying out cross-border transfers of personal information. Under the Security Assessment Measure, the threshold for becoming a Significant Volume Processor is: (i) where a data processor processes the personal information of more than one million data subjects; or (ii) where a data processor has, cumulatively since 1 January of the previous year, exported the personal information of more than 100,000 data subjects or the sensitive personal information of more than 10,000 data subjects.
The Security Assessment Measure goes a step further and requires security assessment for all exports of important data. Therefore, if the personal information contemplated to be exported constitutes important data, security assessment is necessary.
Under the PIPL and the Security Assessment Measure, the detailed regulatory requirements on cross-border transfers of personal information by all types of personal information processors are summarised in the following table:
Type of processors
CIIOs, Significant Volume Processors, and processors exporting important data
Other personal information processors
Moreover, the PIPL specifically allows cross-border transfers of personal information in accordance with applicable international treaties and agreements China has concluded or participated in.
Specific restriction on data transfers in relation to cross-border investigations
In addition to the restrictions that apply in general to all cross-border data transfer scenarios, data protection laws also impose restrictions specific to data transfers in relation to cross-border investigations.
In particular, article 36 of the Data Security Law provides that:
the competent authorities shall, in accordance with the relevant laws and the international treaties and conventions which China has concluded or participated in, or on the basis of the principle of equality and mutual benefit, deal with data provision requests from foreign judicial or law enforcement agencies. Without the approval of the competent authorities, no organisation or individual within the territory of China shall provide foreign judicial or law enforcement agencies with any data stored within the territory of China.
On its face, this provision imposes an omnibus restriction on the cross-border transfer of all types of data stored in China to foreign judicial or law enforcement agencies, which effectively impedes the ability of data processors to provide data across borders to assist a foreign investigation.
Article 41 of the PIPL contains a substantively identical provision, specifically stipulating that the transfer of personal information to foreign judicial or law enforcement agencies must also be approved by the competent authorities.
The term “foreign judicial or law enforcement agencies” is not defined by the legislator, but the market view is that it should be interpreted broadly to include not only the judicial branch but also industry regulators such as the US SEC.
However, two practical questions remain unanswered regarding the implementation of these provisions. First, although the above articles stipulate an approval requirement, no clarification or guidance has been released as to how such approval may be applied for in practice. Second, it is unclear whether PRC data processors that are not compelled to provide data to foreign judicial or law enforcement agencies, but wish to volunteer such data in order to bring a claim or defend their rights, remain subject to the restrictions contemplated in these articles.
Answer contributed by Jane Jiang, Tiantian Wang and Jason Song
Allen & Overy LLP
2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?
A number of different banking secrecy laws contain obligations regarding the processing and transfer of certain types of data.
Commercial Bank Law
According to the PRC Commercial Bank Law as amended on 29 August 2015 (the Commercial Bank Law), a commercial bank has a general obligation to keep its depositors' information confidential and will be liable for any damages incurred by a depositor if the bank breaches that duty of confidentiality. In China, it is typical for people to conduct cross-border money transfers through the banks holding their deposit accounts. When a bank provides money transfer services to a customer, the customer's information is likely to be construed as "depositor's information".
PBOC circular on IFI
The People's Bank of China (the PBOC) published the Circular of PBOC on the Protection of Personal Financial Information by Banking Financial Institutions (the IFI Circular), which took effect on 1 May 2011. The PBOC Shanghai branch further issued the Circular on Issues Relating to the Protection of Personal Financial Information by Banking Financial Institutions (the Shanghai Circular) on 12 May 2011. The protections under the IFI Circular and the Shanghai Circular are administrative law in nature and therefore cannot be waived by bank clients through consent.
Prohibition on cross-border transfer of IFI
The IFI Circular prohibits PRC banks (including PRC subsidiaries and branches of foreign banks) from disclosing IFI to an offshore entity. IFI broadly includes personal information on identity, property, bank account details, credit and financial transactions and so on, obtained by a bank during the course of its business or while accessing the PBOC’s system.
The Shanghai Circular clarifies that IFI also includes any information regarding any individual (such as the legal representative) of a corporate client of the bank.
Certain exceptions to the above prohibitions are available under the Shanghai Circular:
- Disclosure of IFI by a bank to its offshore parent or subsidiary is allowed if (i) such disclosure is necessary for the client or individual to conduct the relevant transactions and (ii) written authorisation is obtained from the individual. The PRC bank making the disclosure must ensure that its offshore parent or subsidiary keeps the IFI received confidential.
- With respect to a branch of a foreign bank using the systems of its offshore headquarters or affiliate to store, process or analyse the IFI of the bank's clients outside China, the Shanghai Circular requires the following conditions to be satisfied: (i) written authorisation is obtained from such clients; and (ii) the offshore headquarters or affiliate has adopted appropriate security measures to safeguard the relevant IFI, and the headquarters (in the name of the bank as a legal person entity) bears the liabilities.
However, with the promulgation of the PIPL and the Data Security Law, it is unclear whether the exceptions under the Shanghai Circular remain valid. From a legal hierarchy perspective, these PBOC rules are departmental rules and are therefore overridden by the PIPL and the Data Security Law, both of which are laws, in the event of any conflict between them. Banking institutions should nonetheless keep in communication with the PBOC and the China Banking and Insurance Regulatory Commission (CBIRC) as to the validity of the above exceptions, given the potential impact on their business model.
Other than the above, we are not aware of any statutory exemptions that allow PRC banks to transfer IFI offshore (whether or not such transfer is in response to a request from a foreign authority). In a contentious context, group-wide internal investigations and reviews relating to foreign sanctions may not be considered "necessary for the client/individual to conduct the relevant transaction", meaning that the first exception above would not apply in this scenario. This view is further supported by the ICJAL discussed below.
A number of different broker secrecy laws contain obligations regarding the processing and transfer of financial-related data by PRC securities companies.
General prohibition on disclosure of investor information
According to the PRC Securities Law as amended on 1 March 2020 (the Securities Law), a securities company has a general obligation to keep the information of securities market investors confidential and will be liable for any damages incurred by an investor if the securities company violates its duty of confidentiality.
By the same token, according to the Measures for the Information Technology Management of Securities and Fund Operating Institutions promulgated by the CSRC on 15 January 2021 (the 2021 CSRC Rule), except as otherwise provided by laws and regulations or ordered by the CSRC, securities service providers (including securities companies) are prohibited from allowing or cooperating with other institutions or individuals to intercept or retain customer information, or providing customer information to other institutions or individuals in any manner.
Specific prohibition on cross-border transfer of securities business-related information to overseas regulators
Article 177 of the Securities Law also specifically provides that no overseas securities regulator is permitted to directly conduct investigations or perform evidence-collection activities within the PRC, and no entity or individual in China is permitted to provide documentation or information relating to securities business activities to an overseas regulator, without the approval from competent PRC authorities.
Prohibition on cross-border transfer of work paper related information pursuant to the Overseas Listing Rule
According to the Provisions of the China Securities Regulatory Commission, the State Secrecy Administration, and the State Archives Administration on Strengthening the Confidentiality and File Management Work Related to the Issuance and Listing of Securities Overseas promulgated in 2009, in the process of overseas issuance and listing of securities, the domestic work papers and other files produced by securities companies and securities service institutions providing the relevant securities services must be stored in China.
The working papers mentioned in the preceding paragraph shall not be carried, shipped or transferred to overseas institutions or individuals through any means such as information technology without the approval of the competent authorities.
We are not aware of any cross-border data transfer exceptions specifically applicable to securities companies.
Judicial Assistance on Criminal Matters
On 26 October 2018, the National People’s Congress of the PRC promulgated the International Criminal Judicial Assistance Law (the ICJAL). The ICJAL applies only to criminal matters, not to civil or administrative matters.
The ICJAL sets out the relevant requirements on the processes of obtaining assistance and evidence in criminal matters on a cross-border basis. More specifically, the ICJAL applies in the case where entities and individuals outside of China seek assistance from those in China, or China-based entities and individuals seek assistance from those in other countries, including service of documents, evidence collection, witness testimony, freezing, seizure and confiscation of assets, and transfer of convicted persons.
The ICJAL requires that all such assistance in criminal proceedings be routed through a “competent authority” of the assisting state pursuant to the provisions of the ICJAL, or, if there is already in place a judicial assistance treaty on criminal proceedings between China and the relevant state (eg, the China-US Agreement on Mutual Assistance in Criminal Matters signed between China and the United States in 2000), pursuant to the requirements under such treaty.
Five authorities are designated as the “competent authorities” according to article 6 of the ICJAL, namely the National Supervisory Commission, the Supreme People's Court, the Supreme People's Procuratorate, the Ministry of Public Security and the Ministry of State Security.
Part of the purpose of the ICJAL is to serve as a gap-filler for countries with which China has no judicial assistance treaty on criminal proceedings. In addition, according to the official report of the ICJAL drafting commission and the press conference at which the ICJAL was made public, one of its main purposes is to “effectively restrict foreign countries from exercising ‘long-arm jurisdiction’, particularly where foreign criminal enforcement authorities request information directly from China-based organisations and institutions”.
The ICJAL applies to individuals and entities located in China, and activities of evidence production taking place in China.
Article 4 of the ICJAL provides, among other things, that unless approved by the relevant competent authorities, no foreign entity, organisation or individual may carry out any activity for the purpose of foreign criminal proceedings within the territory of China, and no entity, organisation or individual located in China may provide evidential materials or assistance to any person in a foreign country. This suggests that a Chinese entity is prohibited from providing evidence, testimony or other forms of assistance in criminal proceedings initiated outside China without the approval of the Chinese competent authorities. The wording is broad enough to cover a China-based subsidiary of a multinational company providing any such assistance to its offshore parent, including but not limited to in an internal investigation scenario, where that assistance relates to any foreign criminal proceedings.
The ICJAL does not contain penalties for violations. However, in practice, it is possible that the PRC regulators may frame the violation under the existing regimes including those relating to data privacy or state secrecy and therefore impose the relevant penalties thereunder.
As the ICJAL is still at an early stage, there is no precedent yet to shed light on how the PRC regulators will enforce against violations. It is also unclear, for example, whether the ICJAL implies a duty to inquire where a China-based entity or individual provides assistance to a foreign investigation without knowing that the investigation involves, or may involve, a criminal aspect.
The restrictions contained in the PRC laws and regulations on state secrecy would be triggered to the extent that the relevant personal information constitutes state secrets.
Under the PRC Law on Protection of State Secrets (the State Secrets Law) as amended on 29 April 2010, the term "state secret" is broadly defined to mean matters that are related to national security and interest, determined in accordance with legal procedures, and may only be disclosed to limited persons within a certain period of time.
The State Secrets Law provides a list of matters and information that can be classified as state secrets. Such matters and information, if disclosed, may impact China’s security and interest in key areas such as politics, economy, defence and foreign affairs.
The National Administration for the Protection of State Secrets (the NAPSS) and the relevant government agencies have the power to determine and classify state secrets related to specific areas. NAPSS and the relevant governmental agencies may authorise non-governmental agencies such as state-owned enterprises (SOEs) to determine and classify state secrets generated from, received or possessed by such enterprises.
State secrets, if so determined, can be classified as "top secret", "secret" or “confidential”.
According to article 16 of the State Secrets Law, no state secrets should be disclosed to any person unless the disclosure is necessary for carrying out the relevant activity and has been approved by the Relevant Authority in charge (ie, the NAPSS or the relevant governmental agencies) (the Relevant Authorities).
According to article 30 of the State Secrets Law, if an entity needs to disclose state secrets in its communication or cooperation with foreign entities, or if any foreigner engaged by the entity needs to know state secrets, the entity must apply to the Relevant Authority for approval of the proposed disclosure and sign a confidentiality agreement with the recipient of the information.
According to articles 21 and 25 of the State Secrets Law, the preparation, receipt, delivery, use and reproduction of state secrecy carriers (eg, paper, optical and magnetic media) should comply with the relevant regulations on the protection of state secrets. No persons may carry or transmit any state secret carriers out of China without the approval of the Relevant Authority.
Under the Implementation Provisions of PRC Law on Protection of State Secrets issued by the State Council on 14 January 2014, an entity procuring services involving state secrets must determine the class of the confidential information in accordance with PRC laws, regulations and standards, and request the service provider to keep state secrets confidential and sign a confidentiality agreement with the service provider.
Under normal circumstances, however, state secrets are highly unlikely to be involved in the course of ordinary business. The risk may increase where the data subject is a Chinese government agency or SOE, especially in industries sensitive to Chinese national security or national interests. Such sensitive industries may include infrastructure, energy and resources (including nuclear power), transportation, iron and steel, banking, export credit, technology and major equipment manufacturing.
The restrictions under the State Secrets Law cannot be waived by consent other than the approvals of the relevant authorities described above.
According to the Interim Administrative Measures on Seizures over Assets relating to Terrorism Activities issued jointly by the PBOC, the Ministry of Public Security, and the Ministry of State Security on 10 January 2014, where a foreign authority intends to request client identity data or transaction data from certain financial institutions or designated non-financial institutions in the PRC, for reasons of anti-terrorism investigation, the relevant institutions must advise the foreign authority to make the request through diplomatic or judicial assistance channels. The institutions concerned must not provide the data to the foreign authority unless this requirement is complied with.
3. What constitutes personal data for the purposes of data protection laws?
The term “personal information” is defined in the PIPL as “all kinds of information recorded electronically or through other methods related to identified or identifiable natural persons, not including information after being made anonymous”. Other data protection laws may contain definitions that differ from the one under the PIPL, but we expect that they will be interpreted in accordance with the PIPL so as to be consistent with the higher-level law.
4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?
In a significant departure from the PRC Cybersecurity Law and the recently adopted Data Security Law, the PIPL expressly provides for extraterritorial jurisdiction over data processing activities outside the territory of China (excluding natural persons processing personal information for personal or household affairs), if such activities are:
- for the purpose of providing products or services to natural persons in the territory of China;
- for analysing or evaluating the behaviour of natural persons in the territory of China; or
- other circumstances stipulated by laws and administrative regulations.
As a result, these activities, as well as the persons carrying them out, will be subject to the PIPL even if they are outside China.
5. What are the principal requirements under data protection laws that are relevant in the context of investigations?
Please refer to sections 1(a) and (b) above for detailed discussions. In a nutshell, data transfer in the context of assisting a foreign investigation is not a general ground for exemption from the general data protection requirements. In fact, depending on the specific circumstances, it may attract further scrutiny from a data protection and regulatory supervision perspective.
6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.
The discussions in questions 1, 2 and 3 apply equally here. In a nutshell, data transfer in the context of assisting a foreign investigation is not a general ground for exemption from the general data protection requirements. In fact, depending on the specific circumstances, it may attract further scrutiny from a data protection and regulatory supervision perspective.
Given the data protection rules and the various blocking statutes mentioned in the sections above, it is unclear, and yet to be tested, whether a cross-border transfer of information for internal investigation purposes may be caught by the restrictions (eg, requiring clearance by the competent authorities). This may well depend on whether, at the time of the transfer, it is reasonably foreseeable that the internal investigation may be escalated such that the relevant information becomes subject to the jurisdiction of a foreign judicial or law enforcement agency, which is the scenario specifically contemplated and restricted by the PRC legislator.
The same principle applies equally to a transfer of such data to a foreign party assisting with an investigation.