In the past decade, legal practices in relation to data security laws in China have witnessed significant growth. Take the United States as an example, as the Sino-US economic relationship becomes more intertwined than ever, more and more Chinese enterprises with operations in the US are faced with the unexpected challenge, that is, “voluntarily” producing a huge number of documents to hostile foreign litigants as mandated by the US discovery procedure under FRCP . For legal practitioners in China, this means a huge amount of data will have to go under review and pass the scrutiny of state secrecy and cybersecurity laws before it is transmitted cross-border to any foreign recipients.
In 2020, T&C Law Firm handled probably one of the largest data security cases in the Chinese legal market in recent years. Based on such practice, we have summarized several layers of the core concerns in data security cases in the analysis below.
I. State Secret
Unauthorized transmission of data containing State secrets is prohibited by the Law of the People's Republic of China on Guarding State Secrets, and under certain circumstances it may even trigger criminal prosecution under the Criminal Law.
Data and information marked with a certain level of classification (such as confidential or top secret) by government authorities are no doubt explicitly protected by relevant laws. However, the Supreme People’s Court of PRC has also clarified that, for data and information related to national security and interests, the absence of a marked classification DOES NOT suggest that it is not protected by relevant laws and regulations on state secrets; transmitting such information abroad without competent approval may also incur corresponding criminal liability.
Enterprises and legal practitioners could first look to general provisions and guidelines issued by the National Administration of State Secrets Protection for more detailed definition and classification of information concerning national security or interests. These are the more serious factors to consider, because they are usually related to military or police force, foreign policies, or sensitive industries, etc.
On the other hand, the relevant regulations in the specific industry of the concerned client should also be taken into consideration, because the regulatory authorities in different industries might have unique rules in regard of the state secrecy issue. For example, for enterprises with a technical nature, the Regulation on the Protection of Scientific and Technological Secrets jointly issued by National Administration for the Protection of State Secrets and the Ministry of Science and Technology in 2015 should also be looked at in addition to the general state secrecy laws.
Enterprises should be diligently aware of any data they plan to transmit outside mainland China, no matter during normal business transactions or litigation-related evidence discovery procedure. And legal professionals need to be engaged in evaluating the potential sensitivity of these documents concerned.
II. Commercial Secret
It is the own discretion of the enterprise to decide whether to disclose its commercial secrets to its business partners during normal business activities. Also, under most circumstances, mandated production of various documents involving such commercially confidential documents during foreign discovery procedure is not explicitly prohibited by the laws of the PRC. This might create numerous concerns for the Chinese litigation party. Thus, counsels should be aware and capable of identifying such commercial secrets for protection (by proactively seeking instructions from their clients) while reviewing the documents for potential data export.
III. Important Data
Article 37 the Cybersecurity Law of the People’s Republic of China provided that: “The operator of a critical information infrastructure shall store within the territory of the People's Republic of China personal information and important data collected and generated during its operation within the territory of the People's Republic of China.” Therefore, such personal information and important data are protected by law and shall not be exported outside mainland China.
Here, the concept of “important data”, according to relevant draft guidelines issued by the Cyberspace Administration of China and the National Information Security Standardization Technical Committee, refers to the data (including raw data and derived data) collected or generated within PRC territory that do not involve state secrets, but are closely related to national security, economic development, and public interests.
Also, despite that the Cybersecurity Law merely made the "critical information infrastructure operator" the subject of data export regulation, recent draft guidelines have expanded the scope to all "network operators". Although these draft guidelines have not yet become effective, they do reflect the tightening regulatory trend in this field in near future.
IV. Personal Information
Personal information collected and generated within PRC are protected by the same article in the Cybersecurity Law of the People’s Republic of China mentioned above.
The PRC Civil Code provided an authoritative definition for personal information, in Article 1034: "The personal information of a natural person shall be protected by the law. Personal information refers to all kinds of information recorded by electronic or otherwise that can be used to independently identify or be combined with other information to identify specific natural persons, including the natural persons' names, dates of birth, ID numbers, biometric information, addresses, telephone numbers, e-mail addresses, health information, whereabouts, etc. For the confidential information included in personal information, the relevant provisions on the right to privacy shall apply; if no provisions are available, the provisions on personal information protection shall apply."
In addition to personal information, the relevant guidelines mentioned above further clarified the concept of “personal sensitive information”, that is, personal information whose leak, disclosure or misuse may endanger personal safety and property security, damage personal reputation as well as physical and mental health, or lead to discriminatory treatment. Usually, personal information such as ID numbers, bank card numbers, health records, biometric data are considered as sensitive personal information.
As shown in the above analysis, there is a great demand in this market for excellent legal services of such multi-layer review before the data export to protect the interests of the State, the concerned enterprise, and normal individuals. This calls for well-trained and experienced professionals who can maintain a perfect balance between the constant urgency of data export and ever-evolving needs of the client. T&C Law Firm has been an excellent, established, and experienced firm in China, especially in Zhejiang province, who is well equipped to handle such multi-layer review prior to data export from China to potential recipients in the world.
T&C Law Firm
Address: A-7F, Dragon Century Plaza, No. 1 Hangda Road, Xihu District, Hangzhou, China 310007
Leon (Linyong) Fu
Leon Fu is a Managing Partner at T&C Law Firm with up to 15 years of practical experience. Leon is also an arbitrator & mediator for SCIA (Shenzhen Court of International Arbitration), an arbitrator for Hangzhou Arbitration Commission, and the director of the International Trade Committee of Hangzhou Bar Association. Leon has successfully represented dozens of cross-border arbitration cases before various international arbitration institutions, including CIETAC, SHIAC, SCIA, HKIAC, SIAC and ICC; and he has handled complex cases involving international trade, international technology license, unfair competition, medical and pharmaceutical industry, brand license and distribution, product quality, private equity investment, M&A, financing, large sales of commodities, infrastructure, and data security laws, etc. Leon is ranked as Asialaw Leading Lawyers in 2021, the Notable Practitioner in Dispute Resolution by Asialaw Profiles in 2020, and Top 15 Rising Lawyers in China by Asian Legal Business of Thomson Reuters in 2018.
Knox (He) Chen
Knox Chen is an associate at T&C Law Firm. Knox graduated from Georgetown University with an L.L.M Degree in International Business and Economic Law, as well as a certificate in International Arbitration and Dispute Resolution. Knox focuses on international arbitration and cross-border litigation, and has practical experience in equity transaction, corporate governance, discovery procedure, data security laws, non-compete investigation, and insolvency/liquidation. Knox has also advised multinational corporations, state-owned enterprises and foreign-invested enterprises in M&A, transaction, and other general corporate matters.