China’s data laws hampering international court proceedings and investigations

News Analysis 13 April

China’s data laws hampering international court proceedings and investigations

  • SINA’s China data approval request for Cayman Section 238 trial lasts 20 months and counting 
  • Simply identifying the relevant Chinese regulator to approach can be problematic
  • Cases involving personal information and CIIOs face additional data-gathering hurdles 
  • US courts’ interpretation of Article 13(3) of the PIPL is “very wrong”, say lawyers

China’s data laws are being used as a shield to protect Chinese companies from disadvantageous discovery in international court proceedings and probes and in some cases are materially impacting case timelines, according to court documents and sources involved in various cases.

The same laws can even be problematic when Chinese companies want to submit supporting evidence or file lawsuits in overseas courts, some say. “It is a double-edged sword,” one data lawyer said. 

The issues stem from concerns raised during the development of China’s data security legislation about the potential for the unauthorized transfer of evidence to overseas courts and government agencies to endanger China’s data sovereignty and national security. Two provisions were introduced to mitigate this: Article 36 of China’s Data Security Law (DSL) and Article 41 of the Personal Information Protection Law (PIPL). 

Also known as the “blocking statutes”, these provisions stipulated that companies and individuals in China need to obtain approval from competent authorities prior to sending locally stored data to an overseas court or enforcer as evidence. The DSL was passed in June 2021, and PIPL in August 2021.

The laws allow enforcers to impose hefty fines on violators – up to CNY 10m under DSL and up to CNY 50m or 5% of annual revenue under PIPL - and to suspend their operations until rectification. 

In practice, the process to obtain relevant approval can last for months, if not far longer, lawyers say. Various court documents show the lengthy process is having an adverse impact on the timetable of ongoing legal actions.

Cayman Grand Court documents relating to the ongoing fair value appraisal action relating to the USD 2.6bn take-private of Cayman Island-incorporated SINA Corp [NASDAQ:SINA] in March 2021 reveal SINA invoked provisions in the DSL and the PIPL during the discovery stage to justify why it could not provide documents instantly.

It has taken at least 20 months for SINA to navigate the approval process – much longer than the original 70 days ordered by the Cayman court. According to court records, SINA, which has a domestic subsidiary in Beijing, launched its discovery exercise in June 2021. On 28 October 2021, it wrote to the Beijing Municipal Cyberspace Administration (Beijing CA) to seek guidance on how to obtain approval for the cross-border transfer of evidence. Beijing CA is a local branch of the country’s internet watchdog – the Cyberspace Administration of China (CAC). 

As of January 2023, SINA had yet to obtain the required approval, resulting in the court granting an extension to the company until 24 February 2023 to obtain the approval. It’s not clear if SINA has since gained clearance from the Chinese authorities.

The prospects for similar delays in future Section 238 cases look high considering almost every one of the tens of Cayman-incorporated Chinese ADR take-privates in recent years have been dissented. 

Litigators' strategic use of ‘blocking statutes’ 

The “blocking statutes” can be used by companies to argue against disadvantageous court discovery and unwanted information requests by enforcers or other litigants – a litigation strategy adopted by some companies, say lawyers. The lack of clarity in the provisions may also be helping the companies buy more time. 

But lawyers also noted companies face genuine and material practical challenges throughout the court-enforced data-gathering process.

A key obstacle is simply identifying the relevant Chinese regulator to approach, one of the lawyers noted. For example, said the lawyer, in 2022 the European Commission (EC) requested a China-based company submit certain supply agreements to facilitate the agency’s ongoing antitrust investigation. During the process, the lawyer, on behalf of the client, approached the CAC, the Ministry of Industry and Information Technology (MIIT), the State-owned Assets Supervision and Administration Commission (SASAC), and the local government for guidance. None of the agencies accepted the request. 

The company notarized its attempts to obtain the approval and demonstrated to EC that it had failed only after exhausting all possible methods. The EC eventually withdrew its request to the company – a result that favored the Chinese company, which is worth noting had initially been unwilling to submit the evidence.

Companies can also cite the data law provisions to reduce the quantity and scope of domestic data requested. 

This, said a second data lawyer, is because when evidence includes important data or sensitive personal information, companies are required by Chinese authorities to conduct a thorough check on the evidence to make sure such data is redacted or erased prior to the transfer.

Companies that are critical information infrastructure operators (CIIOs) are likely subject to an additional layer of regulatory scrutiny. The SINA trial may fall into this category as the Chinese tech company operates Weibo, a mass media application with 511 million monthly active users, the first lawyer analyzed.

Routes to pursue court-related data transfer requests 

But it is not impossible to obtain the approval. Some companies have managed to work through the process, lawyers said. For court proceedings, currently, two methods have proved feasible, the second lawyer elaborated. 

One route has seen the foreign court directly raise a request with China’s Supreme People’s Court (SPC) via a diplomatic procedure citing the Convention de La Haya. Another has seen the Chinese company proactively submit a request to the Ministry of Justice (MOJ). The MOJ will then seek opinions from the Ministry of Public Security (MPS), CAC, and SPC before issuing a final decision.

When it comes to submitting evidence to an overseas enforcer, things are more complicated. 

If the respective Chinese sector regulator has signed a memorandum of understanding (MoU) in mutual facilitation of government enforcement with the specific country, the company should contact that regulator for approval. For example, China’s securities regulator (CSRC) and insurance regulator (the newly formed State Administration of Financial Supervision) have signed an enforcement MoU with a few countries. For sectors without an MoU, companies need to file a request with the CAC.

Most of the time, when companies in China raise the issue, overseas courts, and enforcers show respect to domestic Chinese laws and regulations, lawyers said. This is as long as the company demonstrates its good faith rather than simply “let the can be kicked down the road”, as the judge in SINA trial put it.

The SINA trial provides an example of a demonstration of good faith. While seeking approval, SINA prepared a so-called parallel data room located in China and uploaded all relevant documents and materials to it. SINA promised to grant the dissenters’ access to the data room immediately after it obtained regulatory approval. SINA also updated the court from time to time on any material developments with the regulatory approval process, court documents showed.

It takes skill to balance the adoption of the provisions as a litigation strategy and managing the court and the enforcer’s expectations, the first lawyer said.

US court interpretations raise controversy

In addition to Article 36 of the DSL and Article 41 of the PIPL, some companies have also attempted to cite Article 39 of the PIPL as a blocking statute in overseas court proceedings. Such attempts have so far been unsuccessful in US courts.

In Cadence Design Systems vs Syntronic AB at the Federal District Court for the Northern District of California in the United States, the defendant Syntronic, a design company founded in Sweden with operations in China, allegedly used the plaintiff’s software without a license. The plaintiff requested in the discovery that the defendant’s China-based computers be sent to the US for inspection.  

The defendant invoked Article 39 of the PIPL, which states that the cross-border transfer of personal information of an individual shall obtain a “separate consent” from the individual. The defendant told the judge it failed to obtain the “separate consent” from the owners of the computers and therefore was not allowed to hand over the computers.

In a ruling dated June 2022, the judge cited Article 13 (3) of the PIPL to reject the defendant’s motion. Article 13(3) of the PIPL states statutory obligations provide a legal grounding for companies to process personal information, and individual consent under this scenario is not required. 

The judge argued fulfilling the discovery obligations in a US court can be seen as a statutory obligation stipulated under Article 13(3) of the PIPL, and the obligation under Article 39 of the PIPL should be waived as a result.

Similarly, in Mark Owen and James Wangdling vs Elastos Foundation in the Federal District Court for the Southern District of New York, a ruling dated January 2023 adopted the same reasoning.

In the case, the plaintiffs brought a class action against Elastos Foundation and its founders, alleging that Elastos’s ELA Tokens, a cryptocurrency, were securities that Elastos sold to U.S. investors without registering them with the Securities Exchange Commission (SEC). The foundation is registered in Singapore, with its principal offices in Beijing and Shanghai. The plaintiffs requested Elastos to submit some emails, texts, and social media communications on both business and personal devices, some of which were located inside China.

Elastos cited Article 39 of the PIPL to argue against the discovery request. But the judge cited Article 13(3) to waive Article 39 of the PIPL.

Data lawyers have criticized the US courts’ interpretation of Article 13(3) of the PIPL as “very wrong” and a distortion of what the law says.

The statutory obligations in Article 13(3) are limited to domestic laws and regulations, the lawyers say. They do not extend to cover foreign laws and obligations in overseas court proceedings. This interpretation is likely to be challenged in future cases, they added.

Upcoming challenges and additional hurdles

The above list of “blocking statutes” in China’s data laws is not exhaustive, lawyers said. Article 38 of the PIPL and Article 24 of the DSL are two additional provisions that can present hurdles in the evidence discovery process in overseas court proceedings and probes.

Article 38 of the PIPL states that companies need to fulfill certain compliance requirements before carrying out a cross-border transfer of personal information. This means that prior to the transfer of evidence involving personal information companies need to choose from one of the following: a filing for a data exit security assessment by CAC, completing a technical verification by China’s Cybersecurity Review Technology and Certification Center (CCRC), or signing a standard contract with the overseas court or enforcer.

“None of the above are easy in practice,” the data lawyer said, adding that some of his cases have already encountered this dilemma.

Article 24 of the DSL is even more restrictive. The provision states the government will launch a data security review when certain data processing activities can hamper national security. 

In cases involving a large volume of data in a sensitive sector, e.g., the financial services sector, it is possible that the transfer of evidence will need to go through this extra procedure.

In summation, the lawyers believed China’s data laws will continue to present a substantial hurdle to Chinese companies that seek permission – whether willingly or reluctantly – to transfer data abroad as part of a legal process with an overseas court or enforcer, lawyers said.