In an order dated 12 August 2024, the General Court of the European Union (‘General Court’) dismissed an application for interim measures brought by two EU subsidiaries of a Hong Kong-based security inspection equipment company in response to a request by the European Commission (‘Commission’) to provide the Commission with data stored in China. Although this is only an interim relief order, it can be deduced from the reasons given by the General Court that it may become much more difficult and risky to rely on national laws to prevent the transfer of data to European authorities in the context of investigations. Thus, it is worth taking a closer look at the decision and its implications for future investigations conducted by EU authorities:
I. Background
The starting point of the legal dispute in this case was Regulation (EU) 2022/2560 on foreign subsidies distorting the internal market which establishes a harmonised framework to address distortions caused by foreign subsidies in order to ensure a level playing field. In this context, pursuant to Art. 14 of Regulation (EU) 2022/2560, the Commission may conduct the necessary inspections of undertakings and their associations. The regulation empowers the Commission to enter premises, access business information, examine books and business records, and question employees.
The Commission initiated such an inspection in April 2024 with regard to the two applicants and carried out an inspection at the applicants’ premises in the Netherlands and Poland. In the course of the inspection, the applicants were requested to hand over the data of several email inboxes of their employees, which was refused, among other things, on the grounds that the data was not stored locally but located on servers of the Chinese parent company. The applicants were then requested to place a legal hold on the data concerned and a deadline was set for the data to be handed over to the Commission.
The applicants refused to comply with the Commission requests under Art. 14 and brought an action for interim measures seeking the annulment of the requests.
II. Legal analysis by General Court
Although the order is based only on an application for interim measures and does not represent a final, binding judgment in the main proceedings, the General Court’s reasoning for rejecting the arguments of the applicants may allow for general conclusions to be drawn and sheds light on investigative data requests in an EU-China context.
The following two points were at the centre of the applicants’ arguments:
- a request by the Commission for data stored in China infringes public international law as the Commission cannot extend its investigative powers to territories or individuals that are not under its EU jurisdiction;
- a Commission’s request concerning data stored in China is unlawful in so far as compliance with this request would compel the applicants and the group to which they belong, under the threat of fines and periodic penalty payments, to infringe Chinese law, including criminal law.
The applicants were unable to prevail on either point before the General Court:
- Public international law: The court reasoned that under public international law, the Commission has jurisdiction and is entitled to conduct investigative inspections if qualified effects of the practice under investigation are established within the EU or if the practice was implemented in the EU. The place of formation of the practice or the place of incorporation of the relevant entity are not decisive; otherwise, companies would have easy ways to evade EU prohibitions. The General Court argues that EU law is applicable if the conduct has foreseeable, immediate and substantial effects in the EU. Consequently, the Commission has investigative powers that extend to data stored on servers located outside the EU (e.g. in China) because possible distortions of the internal market by foreign subsidies have substantial effects. Also, the Commission must be entitled to extend its reach to business operations outside the EU in order to conduct its investigations efficiently and be able to hold non-EU entities liable for unlawfully distorting the internal market.
- Infringement of Chinese law: The General Court also emphasized that companies operating in the EU are generally subject to EU law and measures taken by the Commission must always be assessed in the light of EU law and not, as asserted by the applicants, Chinese law. However, even when examining Chinese law and evaluating whether infringements of Chinese law influence the assessment of possible violations of EU law, the General Court argues that the applicants have failed to explain how Chinese law could prevent the data requests (given that both applicants are entities established in the EU) and how criminal sanctions apply to the requested information. The mere reference to possibly relevant Chinese regulations was not sufficient for the General Court (reference was made to Articles 31 and 36 of the Data Security Law, Article 41 of the Personal Information Protection Law and Article 28 of the Law on Safeguarding State Secrets). Moreover, the General Court explicitly pointed out that all of the provisions of Chinese law cited in the application could only be infringed if the data were disclosed without prior authorisation from the competent Chinese authorities. In this respect, the General Court specifically noted that the applicants had not claimed to have made any attempt to obtain such authorisation.
III. Implications for companies operating in the EU and China
1. What can companies expect in the future?
The court order sends a strong signal that the EU is willing to enforce requests for information in a strict fashion, even if there are contrary foreign laws. It should come as no surprise that the Commission expands its reach to territories outside the EU as it does not want to provide companies with easy ways to evade its enforcement authority. Companies refusing to comply with data production requests will have to meet a high standard of proof that it is impossible for them to comply with the Commission’s request.
In the present case, the General Court emphasized that the applicants:
- Did not explain how Chinese law was relevant to them as EU entities;
- Did not sufficiently explain how Chinese law applies to the requested data;
- Never attempted to obtain authorisations from Chinese authorities to comply with the data requests; and
- Did not proactively propose other methods that would allow them to provide the data without infringing Chinese law.
2. How companies can strike a balance between the EU approach and Chinese law
China has enacted a number of laws in recent years that have tightened restrictions on cross-border data transfers, including for example the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. Among others, Article 36 of the Data Security Law contains a broad requirement that data stored in China cannot be provided to foreign courts or law enforcement authorities without the prior approval of the Chinese authorities.
However, Chinese law is not clear as to which Chinese authorities are in charge of granting approval, and no official rules or guidance have been issued on the process for obtaining such approval.
- In practice, some companies have applied for and successfully obtained approvals from Chinese authorities (primarily, the Chinese Ministry of Justice) before disclosing their data stored in China to foreign courts or law enforcement authorities, but there can be delays and confusion in the application process.
- There have also been instances in which the authorities have refused to accept applications to transfer data to foreign courts or law enforcement authorities, leaving the applicants in a difficult position of deciding whether to transfer data in apparent violation of the broad requirement and facing potentially serious consequences under Chinese law.
This case is a telling example of how companies can find themselves caught in the middle of potentially conflicting regimes. It also shows that Chinese laws restricting data transfers are not per se a defence to an EU regulator’s request for documents, as it is not sufficient to simply assert the existence of these transfer restrictions, without explaining and demonstrating how they prevent companies from complying with the regulator’s request.
Companies need to strike a balance between an EU regulator’s request and the Chinese data laws based on the specifics of their cases. Based on our recent experience, some possible risk management measures include:
- Assess the need for cross-border data transfer at the outset of the EU proceedings, understand the applicable rules in light of the evolving and potentially conflicting legal regimes, and plan ahead;
- Try to limit the scope of production in the EU proceedings by relying as much as possible on defences other than Chinese law. In other international cases, courts were open to the proposition that a distinction must be made between documents within the possession, custody or control of the company subject to the proceedings, and those of the parent company or other members of the same group. It remains unclear, however, whether this argument would stand up before an EU court. The General Court focused its reasoning on access to the requested information and did not address the issue of possession, custody or control;
- Seek alternative solutions to satisfy the regulator’s request, such as relying on documents stored or already transferred outside of China;
- If data stored in China must be produced, allow sufficient time to seek approval from the Chinese authorities, and keep adequate records of the steps taken; and
- If it is indeed impossible to produce key evidence due to restrictions on cross-border data transfers, companies should seek to minimize the potential adverse impact by demonstrating their efforts to comply with applicable Chinese law and by exploring alternatives.
IV. Conclusion
All in all, the EU judiciary places an extremely high burden on companies seeking to defend themselves against investigations. This must also be viewed in the context of recent regulatory developments in China, in particular China’s new data transfer laws, which have already added complexity to China-related investigations. Companies need to be aware of the increasing risk of conflicting regimes and proactively manage the process of obtaining the necessary approvals before transferring data across borders or exploring alternative ways to comply with requests by regulators. If companies do not see viable options for complying with a Commission request, they must be prepared to explain in great detail the reasons for their refusal.