Multinational companies facing investigations and enforcement proceedings in relation to their China-based operations may find themselves compelled to produce documents and information stored in China to foreign authorities. In recent years, China has increasingly imposed restrictions on cross-border transfers of data. China’s new Data Security Law (DSL) and Personal Information Protection Law (PIPL), effective from September 2021 and November 2021 respectively, mark a further tightening of the regulations.
In the past, subject to limited exceptions and ‘state secrets’ screening, companies have generally been able to transfer documents and information stored in China to a foreign jurisdiction without first obtaining approval from Chinese regulators. Under the new laws, this is no longer the case.
Prior approval from Chinese authorities required before submitting any “data” to foreign judicial or enforcement agencies
Article 36 of the DSL provides that:
‘Without approval from competent PRC authorities, any organisations and individuals within the PRC must not provide data stored in the PRC to foreign judicial or enforcement authorities.’
The obligation to seek prior approval seems to apply to a wide range of scenarios because of the extremely broad wording in Article 36.
- The term ‘data’ is defined broadly to include ‘any records of information in electronic or other form.’ While the DSL classifies data based on importance and sensitivity (eg ‘important data’ and ‘national core data’), Article 36, read literally, appears to apply to cross-border transfers of any data regardless of subject matter, volume, or sensitivity.
- The term ‘foreign judicial or enforcement authorities’ is not defined, and can potentially cover all regulators with investigatory powers, including, for example, the US Treasury Department's Office of Foreign Assets Control that implements US sanctions.
Failure to comply with Article 36 could result in fines of up to RMB5m (approximately USD800,000) for entities and up to RMB500,000 (approximately USD80,000) for responsible individuals. Other penalties include suspension of business or revocation of business licences.
The DSL does not identify the ‘competent PRC authorities’ able to grant prior approvals, outline the approval process, or specify the criteria that PRC authorities apply to assess applications. In other words, as of now, even if a party wants to seek prior approval before providing China-based data to a foreign authority, it is unclear how this is to be done in practice.
The PIPL has a substantially similar requirement in Article 41, although the scope of application is limited to ‘personal information.’
‘Without approval from competent PRC authorities, personal information processors shall not provide any personal information stored within the PRC to foreign judicial or enforcement authorities.’
Similar to the DSL, it is unclear how this requirement under the PIPL will operate in practice.
Increasing restrictions on data transfer
The DSL and the PIPL are not the first laws in China that regulate the provision of documents or information to foreign authorities. China has passed a number of laws in recent years that have gradually tightened the flow of data from China to other jurisdictions, although previous laws had a more limited scope of application. For example:
- The International Criminal Judicial Assistance Law (effective from 26 October 2018) prohibits the provision of evidence or assistance to foreign criminal enforcement authorities in connection with a criminal matter, unless approved by competent PRC authorities; and
- The Securities Law (effective from 1 March 2020) prohibits Chinese companies from transferring documents related to securities activities outside the PRC unless they obtain prior approval from the China Securities Regulatory Commission.
Challenging times: navigating conflicting legal regimes
Multinational companies with operations in China face increasing challenges brought on by conflicting legal regimes. One well-known area is the US sanctions regime and China’s countermeasures, including its recent anti-foreign sanctions law. The restriction on data transfer is yet another area that can potentially create a dilemma for multinational companies. On the one hand, they may need to produce documents or information stored in China to foreign authorities, and failure to do so could lead to negative consequences in foreign investigations or proceedings. On the other hand, they are seemingly required to seek prior approval from competent PRC authorities, but do not have full clarity on what procedures to follow and how their applications would be assessed.
We regularly assist our clients in navigating the challenging situations involving the new data transfer restrictions set out in the DSL and the PIPL, and there is no one-size-fits-all solution. Multinational companies facing this issue should act with caution and be on the lookout for any further regulatory guidance provided by the PRC authorities. We will continue to provide updates as further developments emerge.
This is the fourth in our 2022 Global Enforcement Outlook blog series, which looks at key enforcement and investigations trends over the next month. All other blogs in the series will be made available here.