China-related Cross-border Investigation under New Data Protection Legislations
This is an Insight article, written by a selected partner as part of GIR's co-published content.
In summary
This chapter discusses compliance suggestions for multinational corporations and Chinese companies, whether state-owned or private, under new Chinese data protection legislation when dealing with cross-border investigations.
Discussion points
- Potential compliance challenges involved in cross-border investigations
- Limitations on data transfer in the context of cross-border investigations
- Collision between cross-border investigation and Chinese data transfer protection law
- Potential risks during the data collection stage of cross-border investigations
- Compliance suggestions for companies dealing with cross-border investigations
- Suggested regulations to be imposed on data transfers by government
- Suggestions on the collision between Chinese data transfer regulations and data transfer requests by foreign law enforcement agencies
Referenced in this article
- The Data Security Law
- The Personal Information Protection Law
- The Criminal Judicial Assistance Law
- The Securities Law
- The International Criminal Judicial Assistance Law
- Measures for Security Assessment of Cross-border Data Transfer
- Information Security Technology: Guideline for Identification of Important Data (Draft for Comments)
- Regulation on the Standard Contract for the Cross-border Transfer of Personal Information (Draft for Comments)
- Guidelines for the Declaration of Security Assessment for Cross-Border Data Transfer
Since the second half of 2021, China has witnessed a rapid evolution of its data protection regime, with strict controls and regulations being imposed on cross-border data flows and personal information protection. Namely, two Chinese data protection legislations have taken effect: the Data Security Law (DSL) on 1 September 2021, and the Personal Information Protection Law (PIPL) on 1 November 2021. Subsequently, supportive implementing regulations and guidance have been released, such as the Measures for Security Assessment of Cross-border Data Transfer (Cross-border Data Transfer Security Assessment Measures),[1] Regulations for the Administration of Network Data Security (Draft for Comments) (Network Data Security Regulations), Information Security Technology: Guideline for Identification of Important Data (Draft for Comments) (Important Data Guideline) and the Regulation on the Standard Contract for the Cross-border Transfer of Personal Information (Draft for Comment) (Regulation on the Personal Information Standard Contract).
Generally, some provisions of the above-mentioned laws are read as ‘blocking statutes’, particularly in response to the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which gives US enforcement agencies the authority to request companies under their jurisdiction to provide requested data regardless of the territory that the data is stored in. Presumably, these blocking statutes offer companies ways to bypass data requests by foreign law enforcement agencies; however, a few months after the DSL and the PIPL came into effect, US judges in several cases rejected the application of the DSL and PIPL as a bar to the production of documents in discovery disputes among litigants in civil cases. Until now, the question of whether the DSL or PIPL could prohibit the production of documents in criminal proceedings has not been addressed.
Under such circumstances, it could be seen that multinational corporations (MNCs), or Chinese companies – either state-owned or private with businesses or entities in foreign jurisdictions (Companies) – might face a difficult situation between the data provision requested in cross-border government investigation and China’s new data protection legislation, which has created new and challenging compliance obligations for Companies.
Potential compliance challenges involved in cross-border investigations
Different layers of limitations set for data transfers in the context of cross-border investigations
Before the DSL and the PIPL came into effect in 2021, provisions in laws and regulations, including the Civil Procedure Law of the People’s Republic of China (the Civil Procedure Law), the Securities Law of the People’s Republic of China (the Securities Law) and the International Criminal Judicial Assistance Law of the People’s Republic of China (ICJAL), were aimed at protecting Chinese entities and individuals from providing evidence and materials to any foreign judicial or law enforcement body without the approval of the Chinese authorities. However, after being supplemented by the newly promulgated CSL and PIPL, there has been a broadening of regulatory boundaries governing cross-border transfers of data, covering stages including the collecting and processing of data, and the recording of information by electronic or other means.
The main relevant provisions of the ICJAL, the Securities Law, the Civil Procedure Law, the DSL and the PIPL are summarised in the table below:
Name of the laws and regulations | Summary of the provisions relating to the cross-border provision of information | No. of the provision | Provision details |
---|---|---|---|
ICJAL | The ICJAL restricts entities or individuals in China from providing judicial assistance to foreign prosecutors in support of international criminal proceedings, unless approval from the Chinese government has been obtained in advance. | Article 2 | The law applies to criminal judicial proceedings including criminal inquiries, investigations, prosecutions, trials and executions. |
| | | Article 4 | Foreign institutions, organisations and individuals shall not conduct criminal proceedings under this law and the institutions, organisations and individuals within the territory of China shall not provide evidence materials and assistance provided for in this law to foreign countries without the approval of the competent Chinese authority. |
The Securities Law | The Securities Law restricts entities or individuals in China from providing documents or materials to foreign securities regulatory bodies, directly conducting investigations, and evidence collection within the territory of China. | Article 177 | Foreign securities regulatory bodies are not allowed to directly conduct investigations and evidence collection within the territory of China. Without the approval of the securities regulatory authorities under the state council and various competent departments of the state council, no entity or individual in China may provide documents or materials related to securities business activities overseas. |
The Civil Procedure Law | The Civil Procedure Law restricts foreign bodies or individuals from carrying out the service of documents, and the investigation and collection of evidence, in China without the consent by the relevant Chinese administrative authorities. | Article 284 | Request for, and provision of, judicial assistance shall be carried out via the channels stipulated in the international treaty concluded or participated in by China; where there are no treaty relations, requests for and provision of judicial assistance shall be carried out via diplomatic channels. An embassy or consulate of a foreign country based in China may serve documents on a citizen of the foreign country and carry out investigation and collection of evidence but shall not violate the laws of China and shall not adopt mandatory measures. Except for the circumstances stipulated in the preceding paragraph, no foreign agency or individual shall carry out service of documents, investigation and collection of evidence in China without the consent by the relevant administrative authorities of China. |
DSL | The DSL forbids entities or individuals in China from providing foreign judicial or law enforcement authorities with data stored within the territory of China without the approval of the competent Chinese authorities. | Article 36 | The competent authorities of China shall, in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by China, or on the principle of equality and mutual benefit, handle the requests made by foreign judicial or law enforcement authorities for the provision of data. No organisation or individual within the territory of China may provide foreign judicial or law enforcement authorities with data stored within the territory of China without the approval of the competent authorities of China. |
PIPL | The PIPL forbids entities or individuals in China from providing foreign judicial or law enforcement authorities with personal information stored within the territory of China without the approval of the competent authorities of China. | Article 41 | The competent authorities of China shall, in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by China or on the principle of equality and mutual benefit, handle the requests made by foreign judicial or law enforcement authorities for the provision of personal information. No organisation or individual within the territory of China may provide foreign judicial or law enforcement authorities with the personal information stored within the territory of China without the approval of the competent authorities of China. |
In this regard, the limitations are generally set as two layers: the first layer would be the necessary approvals from the competent authorities following the provisions of the ICJAL, the Securities Law and the Civil Procedure Law for investigations of a specific nature, such as criminal or administrative investigations by foreign agencies (such as the DOJ for violations of the Foreign Corrupt Practices Act (FCPA), the US Securities and Exchange Commission (SEC) for violations of federal securities laws or the UK Serious Fraud Office (SFO) for serious or complex fraud, bribery and corruption); and the second would be the general approval required by the DSL and PIPL whenever data falling under their jurisdiction is to be transferred to foreign judicial or law enforcement authorities. Thus, when encountering any requirements for data transfer in cross-border investigations, Companies are supposed to review the cases and evaluate the appropriate path that should be followed with regard to what approval should be acquired from which competent Chinese authorities.
In addition, it has been noted that, under DSL and PIPL restrictions, the current common practice – Chinese individual witnesses’ or expert witnesses’ testimony[2] – normally arises through circuitous approaches, for example, presenting testimony in a location outside the territory of China. Although no penalty or investigation by Chinese authorities has been publicly observed, we believe such practice could result in compliance risks.
The collision between cross-border investigations and Chinese data transfer protection laws
Unlike the GDPR, which allows for more flexibility in interpreting what constitutes a necessary data transfer in the context of cross-border criminal or administrative investigations by explicitly permitting cross-border data transfers under the circumstance that the transfer is either ‘necessary for important reasons of public interest’ or ‘necessary for the establishment, exercise or defense of legal claims’, neither the DSL nor the PIPL provides such flexibility; on the contrary, they both expressly limit the transfer of data and personal information in response to requirements imposed by foreign judicial or enforcement authorities by requiring additional approvals from the relevant authorities.
However, as indicated by several decisions recently made by US courts in adjudicating the effect of the DSL, PIPL and other blocking statutes in discovery disputes, Chinese parties have little reason to be optimistic about being shielded from discovery by citing PRC blocking statutes. In Philips Medical Systems (Cleveland), Inc v Buan and Valsartan, Losartan, & Irbesartan Products Liability Litigation (D.N.J. 2021), the courts both denied the application of the DSL and likewise reasoned that the DSL only prohibited responsive information from being given to US courts and did not prohibit giving such information to opposing parties. Similarly, in CF 125 Holding LLC v VS 125 LLC, the court also rejected the defendant’s objection to discovery, holding that the DSL had not been proven to prohibit the production. Further, in the Valsartan case, the judge even explicitly stated that PRC defendants cannot enter the US market expecting a possible shield from unfavourable discovery by PRC blocking statutes. Although these decisions were mainly made in relation to discovery requests and responses exchanged between parties in civil proceedings, given the congruence of US courts, the trend does not appear optimistic as to whether US courts will grant accommodations to parties citing the blocking statutes as an excuse for non-disclosure in investigations.
Potential risks during data collection in cross-border investigations
During an investigation, Companies are generally required to gather data stored in China and provide it abroad. Usually, due to the large volumes of data and the various forms by which the data is stored (such as emails and messages), and, most importantly, to earn trust from the authorities initiating the investigation, such as the DOJ, Companies would turn to data collection vendors and attorneys using an authoritative e-discovery platform for the extraction of data from the devices of custodians and the review, analysis, selection, production and submission of electronic evidence or data. Even though the vendors and law firms currently take data protection measures such as using servers based in China and appointing offices based in China to conduct data review and selection to minimise data transfer compliance risks, it is observed that, in light of the perceived tendency towards tightening restrictions regarding data transfers, many vendors and law firms have been concerned about the risks of being penalised by the Chinese government for direct cross-border submissions of evidence or data to foreign authorities.
Compliance suggestions for companies dealing with a cross-border investigation
Regulations imposed on data transfers by the Chinese government
For data transfer requirements imposed by foreign judicial or enforcement authorities, Companies should be alert to the limitations set by the Civil Procedure Law, ICJAL and Securities Law regarding evidence or material transfer.
With regard to the transfer of data in response to requirements imposed by foreign judicial or enforcement authorities (especially those with criminal enforcement powers or with supervisory powers in relation to their enforcement or judicial activities, such as FCPA enforcement by the DOJ), the ICJAL and the Securities Law provide that any data provision shall be subject to ‘government to government’ communications and requests such as criminal judicial assistance. The Civil Procedure Law prohibits the collection of evidence by foreign authorities; therefore, in the context of a party responding to a court-issued subpoena or in cases involving government litigants, approvals should be acquired. However, no express prohibition has been imposed on the entities’ ability to provide evidence in civil cases to foreign courts on their own initiative. Some examples are given below.
Information transferred as evidence in investigation, litigation or any other activities of a criminal nature by a foreign government or foreign body empowered with criminal judicial authority by a foreign government
Without obtaining prior authorisation by a competent Chinese authority, a domestic Chinese entity may be directed by the DOJ to provide it with information or evidence to assist with an ongoing FCPA investigation, or be ordered to provide evidence in response to a US court order or for the preparation for production of documents in criminal cases. According to the ICJAL, in any such circumstance, the request for criminal judicial assistance should be reported to, and approvals obtained from, competent authorities such as the Judicial Assistance Communication Centre of the Ministry of Justice in advance before providing any such information or evidence. In practice, it would normally take a relatively long period to complete the whole application and obtain the final opinion regarding whether the transfer is permitted.
Documents and materials required to be transferred, in relation to securities business activities overseas and requested by a foreign securities regulatory body
For example, in the absence of an authorisation by the Chinese Securities Regulatory Commission (CSRC), due to the investigation into fraudulent action conducted by the US SEC, a Chinese entity is requested by the SEC to provide it with the documents in relation to listing activities in the US. The documents and materials may not be transferred unless prior approvals have been granted by CSRC.
By contrast, if the request for information or evidence is irrelevant to investigations or proceedings by foreign judicial or enforcement authorities, or if the request is initiated by foreign authorities who possess no administrative powers, the application to a Chinese authority for criminal judicial assistance would not be a necessary step. This would be the case, for example, in circumstances where, without an ongoing FCPA investigation or any other similar foreign enforcement procedure, there are internal investigations into employee misconduct that violates the internal employee handbooks or guidelines initiated by the overseas headquarters of a multinational corporation, and the related facts are in relation to the employees working in China.
Although the motivation for most multinational corporations to conduct an internal investigation is the potential legal leniency under the FCPA where they self-report, conducting internal investigations is a regular self-discipline and self-governance approach for enterprises to effectively supervise and improve themselves. As most headquarters of multinational corporations are located overseas and the governance authority for compliance matters is usually centralised in those headquarters, the cross-border transfer of internal investigation findings gathered in the territory of China could thus be categorised as daily internal governance of an enterprise, rather than preparation for the FCPA investigation that should be subject to criminal judicial assistance.
Similarly, a foreign stock exchange, such as the US NASDAQ Stock Exchange, or derivatives marketplace positioned as a self-regulatory organisation, such as the Chicago Mercantile Exchange (CME), may send inquiries to a Chinese entity, who participates in its market, requesting explanation and supporting documents relating to the financial issue of concern.
NASDAQ, for example, finished its corporatisation and privatisation in around 2017 and is now an independent commercial market player, which has handed over its power of investigating and imposing penalties relating to abnormal trades and dealings to the SEC, and only reserves the power of supervising and monitoring traders and dealers. In view of the nature of NASDAQ’s corporatisation, in the case of any abnormal trades or dealings involving financial red flags such as fraud, to improve its efficiency as a competitive stock exchange, it will conduct inquiries into the enterprises concerned and request certain documents as supporting materials attached to the answers. However, such inquiries would not necessarily incur enforcement action by the SEC. According to the express language of Article 177 of the Securities Law, the obligation of the entity transferring data and information to report and obtain approval from the responsible Chinese regulator will be triggered when the domestic entity is requested to provide the relevant materials directly by a foreign securities regulatory body for evidence collection. Thus, the document transfer request imposed by NASDAQ or any other similar stock exchange would normally not trigger the obligation of reporting under the Securities Law. Nevertheless, in practice, there are high risks that unauthorised provision of materials in relation to the securities business activities overseas can be characterised as a violation of Article 177 of the Securities Law by regulatory authorities. In this regard, for Chinese entities who receive such a request, it would be the usual practice to file the request with the CSRC for the record. Recently, the CSRC and SEC have been seeking closer securities cooperation.
Similarly, CME, as a self-regulatory organisation without administrative powers, creates internal committees with responsibility for the investigation, hearing and imposition of penalties for violations of its exchange rules without involving securities regulatory bodies. In light of this, it is believed that data transfer in response to CME’s investigation normally requires no approval from the CSRC. However, a close eye should be kept on updates by the CSRC in case of any upgrades to its regulatory enforcement.
In international arbitration, a Chinese entity as one party to the arbitration is required to submit evidence to the tribunal located overseas.
Arbitration, unlike litigation before the court, is an alternative method of dispute resolution, chosen by the parties, rather than a typical judicial act conducted by a foreign enforcement authority or authorities with judicial powers. However, in certain circumstances, such as where the witness testimony is ordered by an arbitrator with authority in parallel with a cross-border civil court, there are risks that the cooperative provision of information and evidence without resorting to judicial assistance is a violation of the Civil Procedure Law.
In practice, since arbitration involves less sovereignty, evidence transfer under the arbitration, especially voluntary provision of evidence by the parties on their own initiative, would not trigger the need for judicial assistance. Nevertheless, as the obligations as to provision of sensitive information and data remain an area of potential liability for the transferrer, such as the deletion or redaction of personal information or important data, this article will elaborate below upon the obligations associated with the protection of sensitive information.
In addition to the investigation that triggers the obligation set by the Civil Procedure Law, ICJAL and Securities Law, obligations set by article 36 of the DSL and article 42 of the PIPL cover almost every investigation initiated by foreign agencies with administrative powers, such as export control investigations, sanctions investigations, anti-dumping countervailing duty investigations and customs investigations. Further, Companies should note that many levels of oversight could be involved during the approval process; for example, a Company engaged in the telecommunications industry may require approval from both the industry-specific department and the national cyberspace authority before engaging in cross-border data transfer. It is worth noting that preparation for performing the obligations set by the multiple layers of regulations, such as submitting the application for approval to both the DOJ and the national cyberspace authority, is recommended to be commenced simultaneously.
After it has been decided that there is no need for approvals or, if needed, the necessary approvals from related competent authorities have been obtained, the next step would be classifying the composition of the requested information and complying with the obligations of cross-border data transfer security assessment. The table below illustrates the different obligations triggered by characteristics of data composition.
Laws | Trigger of Obligations | Obligations |
---|---|---|
Important Data | ||
Article 31 of the CSL, Article 31 of the DSL | Where providing abroad the important data collected and produced by critical information infrastructure operators | The transfer shall apply for cross-border data transfer security assessment[3] with the state cybersecurity and information department through their local provincial-level cybersecurity and information department. |
Article 4 of the Cross-border Data Transfer Security Assessment Measures | Where the data transferred abroad contains important data | |
Personal Information | ||
Article 38 of the PIPL | Where transferring the personal information outside the territory of China due to business or other needs | The transfer shall meet any of the following conditions:<br>According to Article 4 of the Regulation on the Personal Information Standard Contract, any personal information processor meeting all of the following circumstances may provide personal information abroad by concluding a standard contract:<br>The personal information processor shall inform the individual of such matters as the name of the overseas recipient, contact information, purpose and method of processing, type of personal information and the method and procedure for the individual to exercise his rights against the overseas recipient, and shall obtain the individual’s separate consent. |
Article 4 of the Cross-border Data Transfer Security Assessment Measures | Where a personal information processor processing the personal information of over 1 million people providing personal information abroad | Additionally, the personal information processor shall apply for cross-border data transfer security assessment with the state cybersecurity and information department through their local provincial-level cybersecurity and information department. |
| | Where cumulatively providing abroad the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people | |
| | Where providing abroad the personal information collected and produced by critical information infrastructure operators | |
However, given that the Cross-border Data Transfer Security Assessment Measures came into effect on 1 September 2022 and the Guidelines for Declaration of Security Assessment for Cross-border Data Transfer was promulgated on 31 August 2022, the details of submission to security assessment for cross-border data transfer are still waiting to be explored. Practically, it is suggested that, when facing a data transfer request from foreign authorities, Companies consult experienced Chinese lawyers for further advice on case-based evaluation, comprehensively considering elements such as the background of the request and the data characteristics.
On the collision between Chinese data transfer regulation and data transfer requests by foreign law enforcement agencies
Considering the long period of Chinese approval-seeking procedures with uncertain results, as well as the compelling force of document production by the foreign law enforcement agencies, concurrent endeavours still need to be undertaken in approaching the competent government authorities on both sides to achieve the potential conciliation: data transfer with information necessitated by Chinese blocking statutes. To facilitate such conciliation, the approach with the Chinese authority could be focused on the legality, justice and necessity of the data transfer and the specific scope of the data to be caught by the DSL and the PIPL. Concurrently, for the foreign law enforcement agencies, emphasis could be laid on the relationship between the responsive documents and the enforcement of the DSL and the PIPL, and the factors the agencies are concerned with when determining whether a foreign data protection statute can excuse a party from document production (if factors have been established in such jurisdiction). For example, the Aerospatiale-Wultz factors established by the US Supreme Court included (1) the importance to the case of the information requested; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) availability of alternative means of securing the information; and (5) the relative interests of the United States and the foreign nation.[4]
Nevertheless, there could still be underlying risks in extreme cases. Companies might have no option but to face the either-or choice between a penalty imposed by the Chinese government or a sanction or other adverse result in a foreign jurisdiction.
Footnotes
[1] The Cross-border Data Transfer Security Assessment Measures was published on 7 July 2022, and took effect on 1 September 2022.
[2] The presentation of witness testimony referred to here does not fall under the parameters of the ICJAL, Securities Law or Civil Procedure Law.
[3] According to article 8 of the Cross-border Data Transfer Security Assessment Measures, cross-border data transfer security assessment focuses on assessing the risks that cross-border data transfer activities may bring to national security, the public interest, and the lawful rights and interests of individuals and organisations, and mainly includes the following matters: (1) the legality, propriety, and necessity of the purpose, scope, method, etc, of cross-border data transfers; (2) the effects on the security of the data transferred abroad of the data security protection policies, laws and regulations, and the cybersecurity environment of the country or region where the foreign receiving party resides; (3) whether the foreign receiving party’s data protection level reaches the requirements of the laws, administrative regulations, and mandatory national standards of China; (4) the quantity, scope, categories and degree of sensitivity of the data transferred abroad; and the risk of leaks, distortion, loss, destruction, transfer, illegal acquisition, illegal use, etc, during or after cross-border transfer; (5) whether data security and personal information rights and interests are fully and effectively ensured; (6) whether the contract concluded between the data handler and the foreign receiving party fully stipulates data security protection responsibilities and duties; (7) the degree of compliance with Chinese laws, administrative regulations and departmental rules; and (8) other matters that the state cybersecurity and information department determines should be assessed.
[4] See Société Nationale Industrielle Aérospatiale v U.S. Dist. Court for Southern Dist. of Iowa, 482 U.S. 522, 96 L.Ed.2d 461 (1987)