Cross-border transfer of evidence in litigation or arbitration proceedings is no longer innocuous in today’s world, with countries frequently at odds with each other over data security regulations. This was unexpected a decade ago.

Mainland China was relatively slow to enter the race, but has since quickly gained momentum. At the level of laws, it successively introduced the Cybersecurity Law in 2017, followed by the Data Security Law (DSL) and Personal Information Protection Law (PIPL) in 2021. At the level of administrative regulations and departmental rules, there are the Measures for the Security Assessment of Outbound Data Transfer (Assessment Measures), introduced by the Cyberspace Administration of China (CAC) in September 2022; the Measures on the Standard Contract for Cross-border Transfers of Personal Information; as well as multiple consultation drafts – such as the Network Data Security Management Regulations (Draft on Network Data) and latest Provisions on Regulating and Promoting Cross-border Data Transfers (Draft on Easing Data Transfer). The consultation drafts – though not yet in effect – serve as benchmark reference for Chinese regulators in scrutinising cross-border data transfer activities. Alongside prevailing laws, regulations and departmental rules, they form the legal framework for cross-border data security in Mainland China.

In litigation or arbitration, evidence is often viewed as “data” – and consequently wrapped up in this tug-of-war. This Legal Update reviews cross-border commercial dispute resolution scenarios, delving into compliance obligations, practice developments and compliance insights regarding the transfer of evidence from Mainland China.

Compliance Obligations

Mainland China’s data-related laws define “data” expansively to include any record of information in electronic or other forms¹. Similarly, personal information refers to all kinds of information related to identified or identifiable natural persons recorded electronically or by other means, but excluding those after being made anonymous².

Regarding overseas judicial activities, Article 36 of the DSL and Article 41 of the PIPL generally stipulate that data or personal information stored within the territory of Mainland China shall not be made available to foreign judicial or law enforcement agencies without approval from the competent authorities.

The Assessment Measures, however, provided a clearer pathway for the outbound transfer of data by outlining in Article 4 the following circumstances where a security assessment and approval are required:-

1. where data processor provides Important Data (see discussions below) abroad;
2. where operator of the critical information infrastructure or the data processor who has processed personal information of over one million people provides personal information abroad;
3. where data processor who has provided abroad the personal information of over 100,000 people or the sensitive personal information of over 10,000 people cumulatively since January 1 of the previous year provides personal information abroad; and
4. any other circumstance determined by the CAC.

Put simply, for overseas judicial or law enforcement activities, certain data or personal information stored in Mainland China can only be transferred overseas after undergoing a data security assessment and obtaining approval from competent authorities.

It is worth noting that, in the field of judicial assistance, the Ministry of Justice of Mainland China (MOJ) has reiterated that foreign judicial organs or individuals seeking access to evidentiary materials located in Mainland China – or for questioning of witnesses – should apply to the MOJ or the Ministry of Foreign Affairs through the channels specified in international treaties. Unauthorised organisations or individuals are prohibited from taking evidence in Mainland China³. As this is explicitly stated, it will not be expanded upon in this article. The focus will be on commercial dispute resolution mechanisms not involving judicial assistance.

Practice Developments

Practical aspects of three key factors:-

• data types requiring approval for outbound transfer from Mainland China,
• scope of “foreign judicial or law enforcement agencies”, and
• competent authority, process, and timeframe for the approval.

What Types of Data Require Prior Approval before Outbound Transfer?

Article 36 of the DSL and Article 41 of the PIPL do not set any qualifications on the types of “data” or “personal information” that require approval for outbound transfer. This has led to the interpretation by some practitioners that all data and personal information stored in Mainland China, regardless of its nature and quantity, must not be provided for judicial activities overseas without prior approval, even information as simple as an email or a photograph. If this interpretation is correct, the restriction is all-encompassing.

Meanwhile, it was reported that the MOJ previously indicated when responding to enquiries that, in principle, evidence not involving “Important Data” – and not falling under circumstances set out in the above-mentioned subparagraphs (2) to (3) of Article 4 of the Assessment Measures – could be transferred overseas directly without review and approval. However, the absence of legal documents confirming this exemption creates compliance risk. This becomes more concerning when the Draft on Easing Data Transfer proposes to exempt certain cross-border data transfer activities from security assessment, but there is no mention of overseas judicial activities in the enumerated activities⁴.

The approval requirement is clear for the outbound transfer of Important Data and personal information caught by subparagraphs (2) to (3) of Article 4 of the Assessment Measures. However, defining “Important Data” poses difficulties due to the breadth of its definition⁵ and lack of unequivocal identification standards. Article 2 of the Draft on Easing Data Transfer now provides that data that has not been notified or published as important data by the competent authorities does not require security assessment, suggesting that applicants can presume that they do not process Important Data unless notified otherwise.

In addition, restrictions have been imposed on the export of certain specific types of data, mainly relating to state secrets, healthcare data, surveying and mapping results, and information on human genetic resources⁶. These would require special approval from the relevant competent authorities before they can be transferred overseas⁷.

Last, there are discussions as to whether different approaches should be adopted for voluntary provision of evidence as compared to provision at the request of judicial bodies overseas. The MOJ clarified in its Answers to Frequently Asked Questions on International Judicial Assistance in Civil and Commercial Matters (FAQ) dated June 2022 that regardless of voluntary provision or provision at request, pre-transfer procedures for outbound data transfer must be fulfilled in accordance with the law⁸. Interestingly, the FAQ has since been removed from the official website of the MOJ. This raises uncertainty about the official policy, but the risk in “voluntarily” submitting evidence overseas without fulfilling compliance obligations remains.

Scope of “Foreign Judicial or Law Enforcement Agencies”

Courts, law enforcement agencies (e.g., the Hong Kong Police Force) and securities authorities (e.g., the U.S. Securities and Exchange Commission) outside Mainland China are generally considered as falling within the scope of “foreign judicial authorities or law enforcement agencies”. Opinions differ in practice on whether international arbitration institutions and arbitral tribunals are included.

Some argue that arbitral institutions, such as the HKIAC, SIAC and LCIA, are all independent and non-administrative. They are established as limited liability companies under the laws of their respective jurisdictions, confirming their private and independent nature. Therefore, arbitral tribunals are not subject to Article 36 of the DSL and Article 41 of the PIPL. 

However, there are conflicting views among relevant governmental departments and sometimes even within oneself on this issue. In a recent arbitration case we handled, the MOJ considered the arbitral tribunal a “foreign judicial body” – and therefore required approval for the disclosure of Important Data to it.

Quite separately, from a jurisdictional perspective, Hong Kong SAR, Macao SAR and Taiwan Region are considered “foreign” elements. This is evidenced in Mainland China’s Exit and Entry Administration Law⁹ and the Draft on Network Data¹⁰, and is also in line with long-standing judicial practice in Mainland China’s civil litigations, whereby these three are treated in the same way as foreign jurisdictions¹¹.

Competent Authority, Process and Timeframe for Approval

The competent authorities to process the approval application for cross- border data transfer relating to overseas judicial activities are not specified in the DSL and PIPL, while Articles 5 and 6 of the DSL suggest multiple competing responsibilities of governments at central and local levels, authorities of various industries, public security and national security organs, and cyberspace administrations over data security supervisions. This inevitably presents challenges for applicants.

The lack of established protocols, inconsistent instructions and the passing of responsibilities between relevant authorities create further confusion and delays in the application process.

Reviewing one of our recent cases, the application process can be briefly divided into the following steps¹²:-

1. First, the applicant submits a written application to the MOJ with supporting materials.
2. Subsequently, the MOJ, in conjunction with the Supreme People's Court and the competent cyberspace administration, will review the evidentiary materials to be transferred. There is no definite timeline for the review, but this may take months depending on the significance and complexity of the case.
3. Upon approval, the MOJ will issue a letter of approval to the applicant.
4. The applicant can then transfer the evidence across the border in accordance with the letter of approval.

Supporting materials for the application, according to Article 6 of the Assessment Measures, may include (1) an application form, (2) a self-assessment report on the risk of the outbound data transfer and (3) legal documents drawn up between the applicant and the overseas recipient. It is common to also submit a list of evidence and a legal assessment report prepared by a law firm in Mainland China.

Compliance Insights

Early Assessment and Planning

In the initial stages of the proceedings, Chinese parties should start to determine the scope and nature of their evidence, and understand the applicable laws and regulations, the competent authorities, application procedures and timeframes. This enables evaluating compliance risk associated with the outbound data transfer – and adopting appropriate compliance strategies to avoid data risks that may arise from the resolution of cross-border disputes.

For parties outside of Mainland China, if it appears that data transfer from Mainland China is necessary for the case, they should remain vigilant at all times and plan in advance by seeking legal advice and deploying countermeasures, taking into account the overall strategy of the case.

Effective Communication to Enhance Procedure Predictability

As mentioned above, if parties are unsure whether approval is required for outbound data transfer, the nature of the data involved (e.g., whether it is “Important Data”), or the nature of the arbitral tribunal, they should actively communicate with the MOJ and the competent authorities of their industries for guidance. They should promptly relay the same to their lawyers, judicial and law enforcement agencies and counterparties.

For international arbitrations, given the principle of party autonomy, parties can negotiate on necessary alternative measures for the discovery stage. The arbitral tribunal can also adjust the provisional timetable with reference to the procedures and timeframe required for the cross-border evidence transfer, to allow sufficient time and enhance procedure predictability.

Avoiding Extremes

Chinese parties should not disregard compliance obligations on outbound data transfer and directly submit evidence to foreign judicial bodies or law enforcement agencies. If the evidence involves Important Data or a large amount of personal information, violation can have serious consequences¹³.

On the other hand, before consulting the MOJ and relevant authorities – or submitting an application – it is essential to first narrow down the scope of the evidence. Submitting all evidentiary materials without careful consideration can result in ineffective communication, application refusal, and delays in review process. A well-established document management system is crucial for pre-approval document collation. Therefore, it may be wise to involve legal advisors at an early stage to conduct initial assessment of the documents. This will also facilitate preparation of the legal assessment report required for the application.

Proper Management of Potential Adverse Effects from Inability to Provide Evidence

If it is indeed impossible to submit important evidence due to compliance obligations on cross-border data transfer, parties and their legal teams should proactively take measures to properly manage the potential resulting adverse impact. This may include always adhering to good faith principles, demonstrating due diligence, and actively discussing and proposing alternative measures to minimise the adverse impact.

[View source.]