The New PRC Data Security Law and its Potential Impact on Overseas Data Transfers

On 11 June 2021, the Standing Committee of the National People’s Congress (NPCSC) enacted a significant new law extending and expanding China’s data security regime.  The new Data Security Law of the People’s Republic of China (Data Security Law) was enacted as part of the 13th NPCSC legislative plan, and is set to take effect on 1 September 2021.  The law provides a general framework for data security in the People's Republic of China (PRC), and will run parallel to other legal regimes, such as those relating to cybersecurity, business archives, and state secrecy.  We provide a brief overview of the new law, followed by a more detailed discussion of the provision within it concerning the export of data in the context of overseas proceedings, Article 36.

THE TERM "DATA" BROADLY DEFINED

The term ‘data’ (数据) is defined broadly under the new law to include “any record of information in electronic or other forms”.  As such, data covers not only electronic data (data stored electronically) but also hard-copy documents and records stored in any other form.  Likewise, the term “data processing” (数据处理) is defined broadly to include the collection, storage, use, processing, transmission, provision, or disclosure of data.  Data security refers to the implementation of necessary measures to ensure the effective protection and lawful utilisation of data, as well as the capacity to maintain a sustained state of security.

The new law reaffirms that all individuals, companies, and organisations bear responsibility, in varying degrees, for the security of the data they process.  Specific industries will have sector-specific measures applicable to them, as already exist in many sectors.  The new law suggests there will be multiple, competing regulators at both central and local levels of government with, perhaps, overlapping responsibilities for enforcement.  This adds a further layer to the existing CIO/NIO structure established in the PRC Cybersecurity Law.

MECHANISMS FOR PROTECTING DATA

The new Data Security Law provides an extensive protection mechanism for important data (重要数据).  Unlike the Cybersecurity Law, which imposes a general requirement that critical information infrastructure operators localise important data without defining the term “important data”, the Data Security Law: (a) specifically calls for central and local government authorities to promulgate important data catalogues, which should give data processors clearer guidance on the scope of important data for purposes of implementation; (b) extends responsibility for the security administration of cross-border transfers to all processors of important data collected or generated in China; and (c) expressly requires all processors of important data to carry out a periodic risk assessment of their data-processing activities and submit a risk assessment report to the competent authorities.  As such, we anticipate more detailed catalogues and implementing rules in the near future.  Companies that engage in a substantial amount of data-export activity (such as MNCs with Chinese subsidiaries, online companies, and hi-tech companies) may have to quickly adjust both their data-compliance policies and the underlying IT infrastructure.

One additional feature of this law is the substantially increased penalties for non-compliance compared to prior legislation.  For instance, the administrative fine for failing to notify the competent authorities in the event of a data breach may now reach RMB2,000,000, ten times the amount set out under the Cybersecurity Law, and the fine for the illegal export of important data may reach RMB10,000,000, twenty times the maximum penalty under the Cybersecurity Law.  This could foreshadow far more significant enforcement activity in this area in the future.

ARTICLE 36 AND CROSS-BORDER DATA TRANSFER IN CONNECTION WITH OVERSEAS PROCEEDINGS

One aspect of the new law that is getting a fair amount of initial attention from legal commentators is Article 36 and its corresponding penalty provisions (set out in Article 48).  Article 36 requires a company or individual in China to seek permission from “competent organs of the PRC” before data can be transferred outside of China when certain circumstances apply, as discussed below.  Article 36 provides in translation:

The competent organs of the People’s Republic of China will, in accordance with relevant laws and international conventions or agreements to which the PRC has acceded, or in accordance with the principles of equality and reciprocity, handle the requests from foreign judicial or enforcement organs which concern the provision of data.  Without the approval of the competent organs of the People’s Republic of China, organisations or individuals within the territory [of the PRC] must not provide data stored within the territory of the PRC to foreign judicial or enforcement organs.

The precise meaning of the prohibitions contained in Article 36 is unclear and may be developed over time by implementing regulations or judicial interpretations.  Moreover, whether Article 36 applies to a particular situation will likely depend on the specific facts and will require careful analysis. 

From the language used in the provision, together with an examination of related provisions in Chinese law, Article 36 certainly appears to cover formal requests from a foreign court or enforcement agency, such as a subpoena directed to a company in China by a U.S. court or regulator in connection with a criminal probe in the United States.  In this respect, Article 36 largely tracks the approach taken in Article 4 of the PRC International Criminal Judicial Assistance Law and Article 177 of the PRC Securities Law, as opposed to Article 277 of the PRC Civil Procedure Law.  As cross-border data exchange is a hot topic these days, a discussion of each of these provisions helps to contextualise Article 36 within the new Data Security Law.

PRC Civil Procedure Law, Article 277

Article 277 of the PRC Civil Procedure Law concerns requests for judicial assistance where there is a need to “investigate and collect evidence” (调查取证) from another party, often in the context of requesting help from a Chinese court to investigate and collect that evidence.  This provision has remained unchanged since it first became effective in 1991.  Article 277 provides in translation:

Requests for and provision of judicial assistance shall be carried out via the channels stipulated in international treaties concluded or participated in by the People’s Republic of China; where there are no treaty relations, requests for and provision of judicial assistance shall be carried out via diplomatic channels.

An embassy or consulate of a foreign country based in the People’s Republic of China may serve documents on a citizen of the foreign country, or carry out investigation or collection of evidence, but shall not violate the laws of the People’s Republic of China and shall not take compulsory measures.

Except for the circumstances stipulated in the preceding paragraph, no foreign agency or individual shall carry out service of documents, investigation, or collection of evidence in the People’s Republic of China without the consent of the competent authorities of the People’s Republic of China.

In short, where there is a need to “investigate and collect evidence”, the provision requires parties to follow the relevant treaty or international convention, unless special circumstances apply.  Article 277 is not typically thought to prohibit parties to a U.S. lawsuit from responding to ordinary discovery requests in U.S. civil litigation.

International Criminal Judicial Assistance Law, Article 4

Article 4 of the International Criminal Judicial Assistance Law provides that, without approval from the PRC competent authorities, companies and individuals are prohibited from disclosing evidence located in the PRC to criminal enforcement authorities outside the PRC in connection with a criminal matter.  Article 4 provides, in translation:

The PRC and foreign countries shall provide international criminal judicial assistance in accordance with the principles of equality and reciprocity.

International criminal judicial assistance must not harm the sovereignty, security or societal and public interests of the PRC.  International criminal judicial assistance must not violate basic principles of Chinese law.

Without the consent of competent authorities of the PRC, foreign institutions, organisations, and individuals must not carry out criminal litigation activities provided for in this law within the territory of the PRC.  Institutions, organisations, and individuals within the territory of the PRC must not provide evidentiary materials (证据材料) or the assistance provided for in this law to foreign countries.

Notably, few instances of Article 4 being enforced have been made public, and the law prescribes no penalty for its violation.

PRC Securities Law, Article 177

Under Article 177 of the PRC Securities Law, no overseas securities regulator is permitted to directly conduct investigations or evidence-collection activities within the PRC, and no entity or individual in China is permitted to provide documents or information relating to securities business activities to an overseas regulator, without approval from the competent PRC authorities.  Article 177 provides in translation:

The securities regulatory authority under the State Council of the PRC may establish a cooperative mechanism for supervision and administration with the securities regulatory authorities of other countries or regions and implement cross-border supervision and administration.

Overseas securities regulatory authorities shall not carry out activities of direct investigations, evidence collection, etc. in the PRC.  No organisation or individual shall arbitrarily provide documents and materials relating to securities business activities to overseas parties without obtaining the consent of the securities regulatory authority of the State Council and the relevant State Council department(s) of the PRC.

How Does Article 36 Fit In?

Unlike Article 4 of the International Criminal Judicial Assistance Law, which concerns criminal matters, and Article 177 of the Securities Law, which targets overseas securities investigations, Article 36 is broader and expressly prohibits organisations and individuals in the PRC from providing data directly to any foreign judicial or enforcement organ without the requisite approval.  Moreover, the Data Security Law goes a significant step further on penalties.  Violating Article 36 may lead to serious consequences, including fines of up to RMB5,000,000 (approximately US$750,000), orders to cease the relevant operations or suspend operations for rectification, and revocation of relevant operational permits or business licences.  How these penalties will be applied in practice also raises significant questions.  Are fines to be assessed per occurrence, or on the basis of an overall event of non-compliance?  It is also unclear which organ(s) of the PRC will be responsible for processing requests to clear data transmissions to foreign courts or law enforcement, but we expect this will be developed in time and may depend on the type of case in which requests are made.

How broadly Article 36 of the PRC Data Security Law will be interpreted remains to be seen.  For instance, purely internal investigations do not, at first sight, appear to fall within Article 36’s scope, but what about an internal investigation conducted while the party is co-operating with a foreign regulator?  How will party-compelled discovery requests in U.S. civil lawsuits be evaluated under the statute?  How will Chinese regulators respond if the Chinese party objects, or is a state-owned enterprise?  These are important questions that may put MNCs in a bind as they navigate competing legal regimes.