Multinational companies doing business in China face difficult and unique challenges in handling corporate data that resides there. Many corporations will be required to engage in data discovery in China as a result of litigation or government investigations originating inside or outside China, proactive audits and risk assessments, and internal investigations stemming from increased regulatory oversight by the Chinese Government or increased attention from global compliance departments.
Stricter regulation and shifting data privacy regimes have increased the need for effective in-country data analysis solutions that meet China legal requirements and address risk appropriately. Corporations must respond to government investigations, perform their own audits and risk assessments and meet litigation demands, while at the same time limit the risks of violating Chinese laws or unnecessarily exposing their data to seizure by third parties.
Corporate entities based outside China commonly address discovery obligations by transferring data out of the country for review and analysis in conjunction with data collected from sources in other countries. Counsel might not be fully aware of the risks inherent in this, partially because Chinese laws surrounding data transfer are nebulous and difficult to interpret, and partially because of the desire to host confidential or case critical data in what are thought to be more secure environments. Counsel might also believe, incorrectly, that a review undertaken in China will be more onerous and incompatible with review technology used in the United States and Europe.
Counsel should, however, be aware that transferring data outside China for review carries a potentially serious risk of running afoul of China’s state secrets protections and creating other privacy concerns, often while dramatically increasing costs and potentially subjecting the company, directors, employees and counsel to administrative and criminal sanctions.
The Challenges of Cross-Border Data Transfers
Unlike in the European Union and various other Asia-Pacific countries, there is no single law in China aimed exclusively at protecting personal data. Instead, provisions of authorities such as the Constitution of the People’s Republic of China, the General Rules of Civil Law and the Tort Liability Law, industry-specific guidelines and local statutes are patched together as a data protection regime.
In addition, in December 2012, the National People’s Congress Standing Committee took steps toward strengthening electronic data protection by issuing its Decision on Strengthening Online Information Protection. The Decision’s goals are to “protect network information security, protect the lawful interests of citizens, legal persons and other organizations, [and] safeguard national security and social order.”
In addition to listing individuals’ rights regarding the use of their personal digital information, the Decision prohibits companies and individuals from improperly obtaining, selling, or providing personal digital information. Moreover, certain types of entities are obligated to collect, use, preserve, manage and otherwise handle personal data in accordance with principles outlined in the Decision. Acts violating the Decision are subject to several types of punishment, including fines, confiscation of unlawfully-obtained income, and criminal and civil liability.
State Secrets
In addition to these traditional privacy concerns, the export of electronic data out of China triggers state secrets concerns. The Law of the People’s Republic of China on Guarding State Secrets, which was formulated “for the purpose of guarding state secrets, safeguarding state security and national interests and ensuring progress of reform, of opening to the outside world, and of socialist construction,” defines state secrets as “matters that have a vital bearing on state security and national interests and, as specified by legal procedure, are entrusted to a limited number of people for a given period of time.” The Law sets out the following seven categories of protected state secrets:
-
Secrets concerning major policy decisions on state affairs
-
Secrets relating to the building of national defence and in the activities of the armed forces
-
Secrets relating to diplomatic activities and activities related to foreign countries as well as secrets to be maintained as commitments to foreign countries
-
Secrets relating to national economic and social development
-
Secrets concerning science and technology
-
Secrets concerning activities for safeguarding state security and the investigation of criminal offences
-
Other matters that are classified as state secrets by the state secret-guarding department.
The seventh category gives Chinese enforcement authorities broad discretion to define what information is a state secret.
The State Security Law of the People’s Republic of China states that “[a]ny organization or individual that has committed any act endangering the State security of the People’s Republic of China shall be prosecuted according to law.” The phrase “[a]ct endangering State security” is defined in the State Security Law to include “stealing, secretly gathering, buying, or unlawfully providing State secrets.”
Institutions, organizations or individuals operating outside China that perform acts endangering State security can be investigated for criminal responsibility under the State Security Law. Both intentional and negligent violations of this law could result in criminal prosecution or other disciplinary sanctions.
Mitigating Risk
China’s esoteric data privacy and state secrets laws, coupled with increased regulatory oversight, have created a growing need for solutions for processing data in China. Fortunately, many of the techniques and technology solutions that have been developed in other countries are becoming increasingly viable in China. A thorough and effective examination of a corporation’s documents within China, in a secure data room, with appropriate protections from digital infiltration, is entirely possible.
By eliminating or significantly reducing the transfer of China-based data outside China, companies reduce the risks they otherwise face when responding to Chinese investigations, performing internal compliance audits and meeting litigation demands. Even where a complete in-country solution is not practical, sensitive data should typically be put through a state secrets review before being transmitted out of the country. Such a review is best performed by PRC qualified lawyers who have a good understanding of the types of information historically defined as state secrets.
By leveraging technically adroit solutions and collaborating with PRC qualified lawyers to analyze data within China, companies can side-step substantial risks and achieve a more secure, and often lower cost solution, without compromising quality.