On April 26, the second draft of the Data Security Law was submitted to the Standing Committee of the National People’s Congress for deliberation through May 28, 2021.1 Compared to the first draft submitted in July last year,2 the second draft would (i) call for improvements with respect to data classification and important data protection systems; and (ii) tighten restrictions on data export to overseas law enforcement agencies by imposing penalties for violations. This alert will focus on the second modification and its implications for multinational companies (MNC) with operations in China.
In particular, Article 35 of the second draft would provide that “Where a judicial or law enforcement agency outside the People’s Republic of China (PRC) requires access to data stored in the PRC, such data may not be provided without the approval of the competent authority of the PRC; if the PRC has concluded or participated in international treaties or agreements that contain relevant provisions, such provisions can be followed.”
A similar provision had appeared in Article 33 of the first draft. The second draft would tighten this requirement by imposing penalties for violations. In particular, paragraph 2 of Article 46 would provide that the competent regulator shall order any party which provides data to an overseas judicial or law enforcement agency without the approval of competent authorities to rectify its conduct and shall impose penalties ranging from a warning to a fine ranging between RMB 100,000 and RMB 1 Million on the party, and a fine ranging between RMB 20,000 and RMB 200,000 on the person in charge directly responsible and other directly responsible personnel.
In addition and in contrast to prior PRC law, the territory of the PRC is defined without qualification for its two Special Administrative Regions under the One Country Two Systems concept (Article 2). Instead of allowing for non-application or differential application in Hong Kong and Macau, it would apply to data in Hong Kong and Macau as well as Mainland China. Not only would data stored in Mainland China be restricted from transfer to overseas law enforcement agencies without prior approval, but data stored in Hong Kong or Macau would also face the same restrictions. This will further diminish Hong Kong’s separate status already reduced by the Law on Safeguarding National Security in the Hong Kong Special Administrative Region (2020) (HKNS Law).
The second draft if adopted in its current form will amplify China’s protectionist perspective with respect to the regulation of cross-border data transmission. In general, other than state secrets which under no circumstances would be permitted to leave China, the Cybersecurity Law (2017) imposes data localization requirements on certain important data retained by critical information infrastructure providers and personal information to be stored within China, and only when there is an essential business need and after certain compliance steps have been taken, such as security assessments, may such data be transferred across borders.
Data transmission to overseas law enforcement agencies is even more strictly restricted. In particular, China’s International Criminal Judicial Assistance Law (2018) provides that no Chinese company or person may provide evidence to a foreign government for use in a criminal proceeding without the permission of the Chinese government. The HKNS Law prohibits providing certain information harmful to national security to foreign institutions or individuals. Sector-specific regulations such as the Anti-Money Laundering Law and Securities Law with respect to the financial services industries also prevent overseas authorities from directly conducting investigations and collecting evidence in China, and bar Chinese parties from handing over information to foreign authorities absent approval from Chinese authorities or through an official interface.
If the second draft Data Security Law is enacted in its current form, restrictions would apply not only to transmission of information from Mainland China to a foreign law enforcement agency in a criminal proceeding (such as in response to a grand jury subpoena) and for the purpose of a specific investigation conducted by an enforcement agency (such as the SEC or OFAC), there would also be restrictions on Chinese (including Hong Kong) parties when it comes to producing documents overseas in civil and administrative proceedings. This will complicate the ability of MNCs in China, now including Hong Kong and Macau, to comply with foreign legal requirements and to defend themselves in foreign legal proceedings, even in matters bearing no apparent relationship to national security as defined in other countries.
On the one hand, MNCs may be under obligation to produce documents located overseas (such as in China) even when doing so would violate foreign law. For instance, the Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018) gives U.S. law enforcement agencies extraterritorial power to access electronically-stored communications data located outside the U.S. provided that the information sought is relevant and material to an ongoing criminal investigation. Similarly, after conducting a fact-based analysis, a U.S. court may order a U.S. company to produce documents located outside the U.S. in response to a criminal or civil subpoena. Failure to do so may result in negative consequences ranging from fines to adverse judgments. One can readily imagine a scenario in which a U.S. law enforcement agency or court orders a U.S. company to produce materials located in China (including Hong Kong) through its Chinese (including Hong Kong) subsidiaries.
On the other hand, acting as a blocking statute against such extraterritorial reach, the new Data Security Law would effectively block any such data export to foreign judicial and law enforcement agencies not only in criminal, but also in civil and administrative proceedings, without prior Chinese government approval under an uncertain timeline. Thus, Chinese (including Hong Kong) subsidiaries of foreign companies will be restricted from producing information overseas directly in response to a foreign law enforcement activity or a judicial proceeding. This may further weaken the distinctiveness of Hong Kong as a destination for foreign investment.
However, this does not mean that an MNC will always be unable to fulfill an obligation to comply when it comes to document production. For instance, the Chinese subsidiary of a MNC may routinely transfer inter-enterprise data in a manner consistent with applicable Chinese laws and sector-specific regulations with respect to national security, data localization, and privacy protection. This would provide an MNC’s overseas head office with access to at least some of the data to respond to a government investigation or other legal proceeding.
In short, the enactment of the new Data Security Law in its current form would create more challenges for MNCs in China, including Hong Kong and Macau, to comply with increasingly demanding and inherently conflicting rules in different jurisdictions.