Navigating PRC data laws in cross-border disputes
July 2023 | SPOTLIGHT | LITIGATION & DISPUTE RESOLUTION
Financier Worldwide Magazine
July 2023 Issue
In today’s international business space, companies are increasingly subject to overlapping and sometimes conflicting legal obligations from different jurisdictions. These challenges are particularly heightened in the area of data privacy.
Nowhere are the stakes of this rapidly changing legal landscape more pronounced than in transnational legal conflicts involving US and other Western companies operating in the People’s Republic of China (PRC). Both are moving to protect their citizens’ and stakeholders’ data. PRC authorities have enacted a series of privacy laws and initiated several enforcement actions on national security grounds. They have raided the offices and interrogated the local staff of international consulting and investigations firms.
Multinational companies that need to access or export data located in China for foreign legal proceedings have to carefully navigate PRC legal requirements or they may find themselves in the same position as the abovementioned firms.
Under what circumstances could these issues arise? Let us say the individual in question is the general counsel of a US company with operations in China. They have been overseeing an ongoing litigation in a US federal court alleging that the company’s Chinese subsidiary misrepresented its financials and business prospects. The company believes and has been telling investors the allegations in the lawsuit are meritless.
Unfortunately, the court denies the company’s motion to dismiss, reasoning that while it is inclined to grant the company’s motion, there are a small number of disputed issues of fact that can only be cleared up by discovery, which the court believes can be targeted. To that end, the court sets an expedited discovery schedule, to which the company’s outside litigation counsel has agreed. The company wants this case to be over with quickly because, confidentially, it is pursuing a corporate transaction where the counterparty has expressed concerns about the overhang of unresolved litigation concerning the China business, which represents a substantial portion of the company’s overall revenue.
The company is therefore stunned when its Chinese colleagues tell it that the lion’s share of relevant documents, including documents helpful to the company’s defence, cannot be sent out of China, much less shared with US plaintiffs and their counsel, due to data restrictions under PRC law.
Violations of such restrictions can have significant consequences. Nonetheless, complying with these data restrictions would mean not only that the company would miss the court’s expedited discovery deadlines, but also that it might face the prospect of an additional lawsuit challenging the company’s earlier statements about the likelihood of prevailing in this lawsuit, and that the corporate transaction could be jeopardised when these obstacles come to light.
This article is designed to provide a high-level overview of some of the complications of dealing with these issues, set forth a summary of the key Chinese data privacy and state secrecy laws and regulations governing this area, and provide some practical advice on handling such scenarios. We discuss how to manage perceptions in US courts and recommend considering opening a dialogue with PRC approval authorities early, as well as potentially inviting opposing counsel to China to view the relevant discovery.
Key Chinese data privacy and state secrecy regulations
The PRC’s Data Security Law (DSL), Personal Information Protection Law (PIPL), Cybersecurity Law and State Secrets Laws constitute a new web of legislation that governs how companies must approach Chinese data, as outlined below.
The DSL (effective in November 2021) expands localisation and transfer requirements for certain types of data and handlers. Notably, it prohibits companies from providing data stored in China to a foreign judicial or law enforcement agency without the prior approval of relevant PRC authorities.
The PIPL (effective in November 2021) governs how PRC personal data should be handled. It relies on legal principles of notice, consent, necessity and proportionality and, like the DSL, restricts exporting PRC personal data overseas.
The Cybersecurity Law (effective in June 2017) concerns “network partners” and requires localisation of both personal data and important data concerning critical information infrastructures.
The relevant State Secrets Laws define “state secrets” very broadly and could subject violators to potentially significant penalties.
The consequences of running afoul of this complex minefield of laws can be severe, and can include fines, disgorgements, forced shutdown of a business, revocation of business licences and even short-term detention or imprisonment for individuals.
Practical advice
The PRC’s rigorous data privacy laws also raise challenges in domestic Western courts. When litigating cross-border disputes, it is imperative that board members and executives are careful about perception in the forum court. If the forum court gets the impression that a party is hiding behind the PRC’s privacy laws, it can have negative and potentially disastrous consequences for the party.
For example, US courts can order the production of documents and data, even when doing so would violate foreign law. This Catch-22 can lead to an uncomfortable situation for litigants that are ordered by a US court to make productions they believe expose them to risk in China. This is not just a hypothetical.
Since the enactment of the PIPL and DSL, US courts have ordered the production of documents on several occasions, even when doing so could arguably violate PRC privacy laws. When adjudicating these discovery disputes, US courts not only consider the applicable law, but also the parties’ good faith. For example, in Owen v. Elastos Foundation (2023), a federal district court in New York ordered the defendants to produce documents even after the defendants asserted that their production was barred by PRC data laws.
The court was unpersuaded of the defendants’ good faith because some of the defendants’ factual allegations were inaccurate, and they did not search all of their employees’ relevant devices and accounts. The court ultimately concluded that production did not violate PRC law, but even if it had, “comity would not prevent [the] Court from ordering defendants to produce all of the otherwise discoverable documents within their possession, custody, and control – both within and without China – whether or not a custodian consents”.
To avoid a conflict between US discovery obligations and Chinese data restrictions, parties might consider taking three practical steps to ensure that they are not perceived as using PRC privacy law as both a sword and shield.
First, companies are advised to distribute hold notices to their employees in China, document attempts to solicit consent to share responsive discovery, consult with qualified experts to determine what discovery cannot leave the PRC, and carefully outline which documents are being withheld and the grounds for doing so. As US courts are increasingly sceptical of refusals to comply with discovery obligations based on PRC privacy law, counsel is advised to set forth a thoughtful interpretation of the relevant Chinese provision, supported by the text of the statute, expert opinion and legal authority.
Second, to demonstrate good faith efforts in fulfilling discovery obligations or other document requests from US courts, companies, with the assistance of PRC counsel, might consider submitting the requested documents to the PRC authorities for review and approval as early as possible. The relevant PRC authorities that may have an interest in approving the data transfer request include the Ministry of Justice, the Cybersecurity Administration of China and relevant industry regulators.
This is a lengthy process and depending on the volume of the documents, it may take months to collect feedback and approval. PRC authorities generally expect an index of documents to be prepared and companies should exercise care in preparing this index to facilitate the PRC authorities’ review. Companies might consider categorising documents and starting with small productions for approval on a rolling basis.
Once a category has been approved, it may become progressively easier to produce similar documents. If some other categories present issues, the company avoids wasting time and resources gathering and reviewing documents that the Chinese authorities are unlikely to authorise the company to export outside of China. Counsel should bear the above in mind in their meet-and-confer sessions and when presenting a document production plan to the court.
If the PRC authorities approve the production, they will inform counsel. But more often, the company will receive requests from the PRC authorities to remove certain documents and to redact portions of other documents before producing them. These requirements can sometimes be onerous. For example, the company might be requested to obtain pre-approval from all the data custodians before transferring the data overseas.
In such circumstances, the company is advised to seek a compromise with opposing counsel and the court. Counsel might consider memorialising relevant discussions with PRC authorities to prove that it has made good faith efforts to comply with its discovery obligations to the extent consistent with Chinese data privacy restrictions. In doing so, the company should bear in mind that PRC counsel’s discussions and correspondence with PRC authorities may be confidential and often cannot be shared with foreign parties, including opposing counsel, absent approval.
Finally, subject to PRC authorities’ approval, the company may also consider inviting opposing counsel to China to examine the relevant documents onsite to avoid the red tape blocking data export. However, foreign parties may be subject to requirements such as a valid PRC passport and restrictions concerning carrying notes across borders. US counsel is thus advised to discuss such a proposal with the company’s PRC counsel and devise a detailed review protocol that sets forth parameters of the review exercises. Ideally, counsel and opposing counsel can agree to this review protocol before they travel to China for the onsite review.
Conclusion
The recent adoption of rigorous Chinese privacy laws has exposed Western businesses operating in the PRC to increased regulatory risk. Western companies cannot avoid doing business with the world’s second largest economy, however. The steps outlined above can help directors, executives and their counsel navigate the obstacles and challenges raised by these new data privacy laws in China.
Matt Sloan, Steve Kwok and Emily Reitmeier are partners at Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates. Mr Sloan can be contacted on +1 (213) 687 5276 or by email: matthew.sloan@skadden.com. Mr Kwok can be contacted on +1 (852) 3740 4788 or by email: steve.kwok@skadden.com. Ms Reitmeier can be contacted on +1 (650) 470 4551 or by email: emily.reitmeier@skadden.com. The authors would like to thank Nick Selden and Siyu Zhang, associates at Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates, for their contribution to this article.
© Financier Worldwide
By Matt Sloan, Steve Kwok and Emily Reitmeier
Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates