June 17, 2021
The People’s Republic of China is clamping down on the extraction of litigation- and investigation-related corporate and personal data from China, and this may squeeze litigants and investigation subjects in the future. Under a new data security law enacted late last week and an impending personal information protection law, China is set to constrict sharing broad swaths of personal and corporate data outside its borders. Both statutes would require companies to obtain the approval of a yet-to-be-identified branch of the Chinese government before providing data to non-Chinese judicial or law enforcement entities. As detailed below, these laws could have far-reaching implications for companies and individuals seeking to provide data to foreign courts or enforcement agencies in the context of government investigations or litigation, and appear to expand the data transfer restrictions set forth in other recent Chinese laws.
Data Security Law of the People’s Republic of China
On June 10, 2021, the National People’s Congress passed the Data Security Law, which will take effect on September 1, 2021. The legislation contains sweeping requirements and severe penalties for violations. It governs not only data processing and management activities within China, but also those outside of China that “damage national security, public interest, or the legitimate interests of [China’s] citizens and organizations.”
The Data Security Law generally requires entities and individuals operating within China to implement systems designed to protect in-country data. For example, entities that handle “important” data (a term not yet defined by the statute) must designate personnel responsible for data security and conduct assessments to monitor potential risks. Chinese authorities may issue fines up to 500,000 CNY (approximately $78,000) and mandate remedial actions if an entity does not satisfy these requirements. If the entity fails to implement required remedial actions after receiving a warning and/or its failure to implement adequate controls results in a large-scale data breach, the entity may be subject to a fine of up to 2 million CNY (approximately $313,000). Under these circumstances, authorities also may revoke the offending entity’s business licenses and issue fines to responsible individuals.
The Data Security Law also states that a “violation of the national core data management system or endangering China’s national sovereignty, security, and development interests” is punishable by an additional fine up to 10 million CNY (approximately $1.56 million), suspension of business, revocation of business licenses, and in severe cases, criminal liability. The Data Security Law broadly defines “core data” to include “data related to national security, national economy, the people’s welfare, and major public interests.”
Most notably, Article 36 of the Data Security Law prohibits “provid[ing] data stored within the People’s Republic of China to foreign judicial or law enforcement bodies without the approval of the competent authority of the People’s Republic of China.” The law does not identify the “competent authority” or outline the approval process. Failure to obtain this prior approval may subject an entity to a fine of up to 1,000,000 CNY (approximately $156,000), as well as additional fines for responsible individuals. Although the Data Security Law discusses different categories of covered data elsewhere in the legislative text (referring to, for example, the “core data” discussed above), Article 36, as written, appears to apply to the transfer of any data, regardless of subject matter and sensitivity, so long as it is stored in China. The final legislative text also includes additional, heavier penalties for severe violations that had not been included in prior drafts, including a fine of up to 5 million CNY (approximately $780,000), suspension of business operations, revocation of business licenses, as well as increased fines for responsible individuals. The statute does not, however, define what violations would be considered “severe.”
While the legal community in and outside of China will certainly seek additional guidance from the Chinese government, it is unclear whether the Chinese government will release implementing regulations or other guidance materials before September 1, 2021, when the law takes effect. As a point of reference, the Chinese government has not issued additional guidance on the International Criminal Judicial Assistance Law, which prohibits, among other things, unauthorized cooperation of a broad nature with foreign criminal authorities, since the law was passed in 2018. Nevertheless, given that data security and privacy are among Beijing’s areas of focus, it is possible that the Chinese government will issue regulations, statutory interpretation, or guidance to clarify certain key requirements in the Data Security Law.
Personal Information Protection Law of the People’s Republic of China
On April 29, 2021, China released the second draft of its Personal Information Protection Law, which seeks to create a legal framework similar to the European Union’s General Data Protection Regulations (“GDPR”). The draft Personal Information Protection Law, if passed, will apply to “personal information processing entities (“PIPEs”),” defined as “an organization or individual that independently determines the purposes and means for processing of personal information.” The draft Personal Information Protection Law defines processing as “the collection, storage, use, refining, transmission, provision, or public disclosure of personal information.” The draft Personal Information Protection Law also defines “personal information” broadly as “various types of electronic or otherwise recorded information relating to an identified or identifiable natural person,” but excludes anonymized information.
The draft Personal Information Protection Law requires PIPEs that process certain volumes of personal data to adopt protective measures, such as designating a personal information protection officer responsible for supervising the processing of applicable data. PIPEs also would be required to carry out risk assessments prior to certain personal information processing and conduct regular audits.
Under Article 38 of the draft Personal Information Protection Law, the Cyberspace Administration of China (“CAC”) will provide a standard contract for PIPEs to reference when entering into contracts with data recipients outside of China. The draft Personal Information Protection Law provides that PIPEs may only transfer personal information overseas if the PIPE: (1) passes a security assessment administered by the CAC; (2) obtains certification from professional institutions in accordance with the rules of the CAC; (3) enters into a transfer agreement with the transferee using the standard contract published by the CAC; or (4) adheres to other conditions set forth by law, administrative regulations, or the CAC. Like the Data Security Law, the draft Personal Information Protection Law does not elaborate on this requirement, including what types of certifications would satisfy the requirement under Article 38 or what “other conditions set forth by law, administrative regulations, or the CAC” entail.
Similar to Article 36 of the Data Security Law, Article 41 of the draft Personal Information Protection Law prohibits providing personal data to judicial or law enforcement bodies outside of China without prior approval of competent Chinese authorities. As with the Data Security Law, neither the “competent Chinese authority” nor the approval process is further defined, however.
The draft Personal Information Protection Law does not include penalties specifically tied to Article 41, but does set forth general penalty provisions in Article 65, which include confiscation of illegal gains, and a basic fine of up to 1 million CNY (approximately $156,000) for companies and between 10,000 CNY and 100,000 CNY (approximately $15,600 to $156,000) for responsible persons. “Severe violations,” which the statute does not define, may be punishable by a fine up to 50 million CNY (approximately $7.8 million) or up to five percent of the company’s annual revenue for the prior financial year, as well as fines between 100,000 CNY to 1 million CNY (approximately $156,000 to $1.56 million) for responsible persons. Additionally, companies found to have violated the Personal Information Protection Law may be subject to revocation of business permits or suspension of business activities entirely.
The Data Security Law and Personal Information Protection Law in Context
The Data Security Law and, if enacted, the Personal Information Protection Law add to a growing list of Chinese laws that restrict the provision of data to foreign governments. For example:
- The International Criminal Judicial Assistance Law bars entities and individuals in China from providing foreign enforcement authorities with evidence, materials, or assistance in connection with criminal cases without the consent of the Chinese government.
- Article 177 of the China Securities Law (2019 Revision) prohibits “foreign regulators from directly conducting investigations and collecting evidence” in China and restricts Chinese companies from transferring documents related to their securities activities outside of China unless they obtain prior approval from the China Securities Regulatory Commission.
- The newly released draft amendment to China’s Anti-Money Laundering Law contains disclosure and pre-approval requirements for Chinese companies responding to data requests by foreign regulators.
- As Gibson Dunn has previously covered, the Rules on Counteracting Unjustified Extraterritorial Application of Foreign Legislation and Other Measures, issued by the Ministry of Commerce of the PRC in January 2021, established a mechanism for the government to designate specific foreign laws as “unjustified extraterritorial applications,” and subsequently issue prohibitions against compliance with these foreign laws.
The Data Security Law and draft Personal Information Protection Law, however, appear to surpass these prior prohibitions in several key respects. In contrast to the International Criminal Judicial Assistance Law, for example, the Data Security Law and draft Personal Information Protection Law do not require the data to be provided in the context of a criminal investigation for the transfer prohibitions to apply. The new restrictions ostensibly apply to data transfers in connection with a civil enforcement action or investigation, such as those conducted by the U.S. Securities and Exchange Commission. (They might also create yet another impediment to the provision of audit work papers by China-based accounting firms to the SEC and the Public Company Accounting Oversight Board.) As written, the Data Security Law and draft Personal Information Protection Law prohibitions also would apply to Chinese parties in civil litigation before foreign courts that may need to submit evidence in connection with ongoing cases. In fact, the current language could be read to prohibit non-Chinese citizens residing in China from providing information about themselves to their own government regulators, so long as the data is “stored in China.” The Data Security Law does not explain when data is “stored in China,” or how to address potential scenarios in which entities or individuals may have a legal obligation to submit information to foreign judicial or law enforcement authorities.
The Data Security Law, draft Personal Information Protection Law and earlier laws restricting data transfers create a great deal of uncertainty for companies operating in China. Because these laws do not specify the process for obtaining government approvals, the criteria for approval, or the responsible government agency, it has become increasingly difficult for companies to determine how to respond to foreign regulators’ demands to produce data that may be stored in China, conduct internal investigations in China in the context of an ongoing enforcement action or foreign government investigation, or comply with disclosure and cooperation obligations under various forms of settlement agreements with foreign authorities such as deferred prosecution agreements. Companies considering self-reporting potential legal violations in China to their foreign regulators, as well as cooperating in ensuing investigations conducted by those regulators, also will need to consider whether any of the relevant data was previously “stored in China,” and if so, whether they are permitted to submit such data to foreign authorities without approval by Chinese authorities. The new statutes also raise concerns for professional services organizations, such as law firms, accounting and forensic firms, litigation experts, and others whose work product may reflect data that was “stored in China.” The new laws do not make clear how they might apply to work product that is simply based on, reflects or incorporates data stored in China, and whether professional services firms are required to seek approval from relevant Chinese authorities before sharing such work product in foreign judicial proceedings or with enforcement authorities.
Gibson Dunn will continue to closely monitor these developments, as should companies operating in China, in order to minimize the risks associated with being caught in the vice of inconsistent legal obligations.
Please note that the discussions of Chinese law in this publication are advisory only.
The following Gibson Dunn lawyers assisted in preparing this client update: Patrick F. Stokes, Oliver Welch, Nicole Lee, Ning Ning, Kelly S. Austin, Judith Alison Lee, Adam M. Smith, John D.W. Partridge, F. Joseph Warin, Joel M. Cohen, Ryan T. Bergsieker, Stephanie Brooker, John W.F. Chesley, Connell O’Neill, Richard Roeder, Michael Scanlon, Benno Schwarz, Alexander H. Southwell, and Michael Walther.
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.