Jet Deng, Ken Dai [1]
In recent years, with the increase of cross-border eDiscovery in government investigations and litigation by jurisdictions such as the EU and the U.S., it has become quite common for enterprises in China to be directly and compulsorily required by foreign law enforcement and judicial authorities to provide local data abroad.
To counteract such "long-arm jurisdiction" and safeguard data sovereignty, China has issued "blocking statutes", such as the Data Security Law ("DSL"), which require enterprises to obtain approval from the competent Chinese authorities before providing such data. Failure to comply may result in legal responsibilities, such as fines, for both the responsible companies and individuals.
I. Why did the blocking statutes come into being?
Blocking statutes aim to address the issue of long-arm jurisdiction. Long-arm jurisdiction refers to a court's power to exercise jurisdiction over individuals or entities that are located outside the court's territory but have some connection or "minimum contacts" with that territory.
In recent years, the U.S., the EU, and other major economies have seen an increase in their comprehensive strength, leading to an expansion of the scope of long-arm jurisdiction. As a result, many countries and regions, such as France and China, have implemented blocking statutes to counteract this trend and protect their national sovereignty.
II. What is the content of China's blocking statutes?
In both scenarios, namely making requests to obtain data from abroad and dealing with requests by foreign authorities for local data, China holds the same position: law enforcement and judicial activities should be carried out through equal and reciprocal cooperation among sovereign countries, rather than by approaching enterprises or individuals directly.
The provisions that restrict Chinese companies from submitting local data to foreign authorities as required in investigations and litigation are mainly outlined in three laws:
- The International Criminal Judicial Assistance Law ("ICJAL"), which came into effect on October 26, 2018, states that institutions, organizations and individuals within the territory are not allowed to provide evidence materials and assistance to foreign countries in criminal prosecution activities without the consent of the competent Chinese authorities. [2]
- The Data Security Law ("DSL"), which came into effect on September 1, 2021, expands the scope from the criminal justice field to all cross-border eDiscovery by foreign enforcement or judicial authorities. It provides that organizations and individuals within China shall not provide data stored in China to foreign enforcement or judicial authorities without the approval of the competent Chinese authorities. Otherwise, both responsible companies and individuals may face legal responsibilities such as fines. [3]
- The Personal Information Protection Law ("PIPL"), which came into effect on November 1, 2021, emphasizes that organizations and individuals within the territory shall not provide personal information stored in China without permission. [4]
Do China's blocking statutes restrict enterprises from voluntarily providing local data to foreign authorities?
The Chinese Ministry of Justice has not clearly answered this question, and the practice remains uncertain, although, judging from their wording, these blocking statutes may not necessarily prohibit individuals or organizations within China from voluntarily providing local data to foreign enforcement and judicial authorities.
III. Have China's blocking statutes been successfully invoked in practice?
Yes. Recently, a Chinese company, with the assistance of expert lawyers, convinced the European Commission ("EC") to withdraw its eDiscovery request for data stored within China by invoking the DSL. In detail, the EC had requested the company to provide supply agreements with a US-based company under antitrust investigation. With the help of both domestic and EU lawyers, the company explained to the EC that it had exhausted all avenues to identify the competent authority responsible for approving such data submission under the DSL but failed, so it was unable to provide the data without violating Chinese law. Ultimately, the EC adopted this explanation and stopped asking for data.
IV. Are there differences in the attitudes of various jurisdictions towards blocking statutes?
Yes, there may be differences in how different jurisdictions deal with blocking statutes. For example, in the U.S., courts have generally taken a more stringent approach when dealing with other jurisdictions' blocking statutes that are designed to counteract its long-arm jurisdiction. Prior to the DSL, there were a series of cases [5] where Chinese banks attempted to invoke the ICJAL and banking regulations to refuse cross-border eDiscovery requests but were denied by U.S. courts. Since there are no publicly available cases of companies successfully invoking the DSL against such eDiscovery requests, it remains to be seen how U.S. authorities will deal with such defenses.
V. Are there any other compliance requirements for submitting local data to foreign authorities under cross-border eDiscovery requests?
In addition to China's blocking statutes, in cross-border eDiscovery, the following 3-level general requirements for outbound data transfer in China also need to be complied with:
- State secrets or data that may affect national security shall not be contained in the outbound data.
- The requirements of the Cybersecurity Law, the DSL, the PIPL and other supporting regulations shall be complied with. For example, a critical information infrastructure operator needs to notify the Cyberspace Administration of China of the security assessment for cross-border data transfer beforehand.
- The restrictive requirements for transferring data in special industries (such as personal financial information, health care data, etc.) abroad shall be complied with.
Practical tips for dealing with conflicts between foreign long-arm jurisdiction and China's blocking statutes
Based on our experience, the principles below should be followed:
- Complying with the 3-level general requirements for outbound data transfer in China, and trying to explain practical difficulties to both domestic and foreign authorities with the help of expert lawyers.
- Predicting the potential attitudes of the competent foreign authorities involved towards blocking statutes based on materials such as precedents.
- Identifying the role of the requested party (e.g., primary investigation target/secondary affiliate), and adopting corresponding measures.
1. Jet Deng is a senior partner based at Dentons Beijing and Ken Dai is a partner based at Dentons Shanghai; they can be reached at firstname.lastname@example.org and email@example.com respectively.
2. Under Article 4 of the ICJAL, "The People's Republic of China and foreign countries carry out international criminal judicial assistance in accordance with the principle of equality and reciprocity. The international criminal judicial assistance shall not damage the sovereignty, security and social public interests of the People's Republic of China, and shall not violate the basic principles of the laws of the People's Republic of China. Foreign institutions, organisations and individuals may not conduct criminal proceedings under this Law, and the institutions, organisations and individuals within the territory of the People's Republic of China shall not provide evidence materials and assistance provided in this Law to foreign countries, without the consent of the competent authority of the People's Republic of China."
3. Under Article 36 of the DSL, "The competent authorities of the People's Republic of China shall, in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by the People's Republic of China or on the principle of equality and mutual benefit, handle the requests made by foreign judicial or law enforcement authorities for the provision of data. No organization or individual within the territory of the People's Republic of China may provide foreign judicial or law enforcement authorities with the data stored within the territory of the People's Republic of China without the approval of the competent authorities of the People's Republic of China."
Under Article 48, "Whoever, in violation of Article 35 hereof, refuses to cooperate in the data collection will be ordered by the relevant competent authority to make rectifications and given a warning, and may be concurrently fined not less than 50,000 yuan but not more than 500,000 yuan, and the person directly in charge and other directly liable persons will be fined not less than 10,000 yuan but not more than 100,000 yuan. Whoever, in violation of Article 36 hereof, provides data to a foreign judicial or law enforcement agency without the approval of the competent authority will be given a warning by the relevant competent authority, and may be concurrently fined not less than 100,000 yuan but not more than 1 million yuan, and the person directly in charge and other directly liable persons may be fined not less than 10,000 yuan but not more than 100,000 yuan; if serious consequences are caused, a fine of not less than 1 million yuan but not more than 5 million yuan will be imposed, and the organization may be ordered to suspend the relevant business, suspend the operation for rectification, or its relevant business permit or business license will be revoked, and the person directly in charge and other directly liable persons will be fined not less than 50,000 yuan but not more than 500,000 yuan."
4. Under Article 41 of the PIPL, "The competent authorities of the People's Republic of China shall, in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by the People's Republic of China or under the principles of equality and mutual benefit, handle the requests made by foreign judicial or law enforcement authorities for providing the personal information stored within the territory of China. Without the approval of the competent authorities of the People's Republic of China, no personal information handler may provide the personal information stored within the territory of the People's Republic of China to foreign judicial or law enforcement authorities."
5. E.g., In re Grand Jury Investigation of Possible Violations of 18 U.S.C. § 1956 and 50 U.S.C. § 1705 (March 18, 2019), https://www.dcd.uscourts.gov/unsealed-orders-opinions-documents/Grand%20Jury/2019?order=field_case_number&sort=asc?
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.