New Chinese Data Privacy Laws Further Complicates SEC Investigations
Posted on Nov 28, 2021Yi Bao
In 2021, the Chinese government launched a major overhaul of its personal information protection regime by passing the Data Security Law (the “DSL”) and the Personal Information Protection Law (the “PIPL”).[1]Meanwhile, recent events exposed the intricate corporate structure of Chinese companies that went public in the U.S., triggering intensified scrutiny from the U.S. Securities and Exchange Commission (the “SEC”). The SEC will need to gather corporate data to further its investigations, but the new data privacy laws might slow down and even freeze such data collection. Going forward, companies might face constant collisions of SEC’s investigative interests and China’s new data privacy statutes.
I. Overview of the New Legislation
The DSL and the PIPL together constitute China’s first comprehensive efforts in personal information protection.[2] The laws are characterized by their exterritorial reach, their regulation of cross-border data transfer, and the protection of a wide range of personal information rights.[3] First, similar to the General Data Protection Regulation (the “GDPR”), the DSL and the PIPL not only have jurisdiction over activities within China but also have extraterritorial reach over certain data processing activities outside China, especially when they have an influence on individuals located in China.[4] [5]
Second, the DSL and the PIPL both strengthened the regulations of cross-border data transfer. The DSL forbids the transfer of data stored within mainland China “to the justice or law enforcement institutions of foreign countries.”[6] This clause seems to widely apply to all data stored in China, regardless of its sensitivity and subject matter. The Chinese government further doubled down on this prohibition by incorporating the portion quoted above almost verbatim as Article 41 of the PIPL. For data transferred to entities other than foreign law enforcement institutions, the PIPL incorporated a series of requirements that the data processors had to meet before any transfers. [7]
Finally, the PIPL incorporated many individual rights elicited in the GDPR, including the rights to information, access, correction, erasure, and objection. The second draft of the PIPL intentionally left out the right to portability. Notably, the Chinese government subsequently added it to the final legislation, granting individuals the right to request their Data Controllers to transfer their personal information.[8]
II. The Clash Between U.S. Investigations and Other Foreign Data Privacy Laws
The DSL and PIPL are not the only foreign laws that could clash with U.S. regulatory actions or data production obligations in U.S. litigations. The Supreme Court has long established a multi-factor comity analysis to determine whether a foreign data protection statute can excuse a party from document production.[9] In resolving such a conflict, a Court should look to “(1) the importance to the litigation of the information requested; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) availability of alternative means of securing the information; and (5) the relative interests of the United States and the foreign nation.”[10]
The case law shows that under this five-factor balancing test, the Court recognizes foreign data privacy laws as legitimate grounds for withholding otherwise discoverable information, but judges also warned that these foreign laws were far from a blank check for litigants to avoid its discovery obligations.[11] [12]In January 2020, the Southern District of New York applied the test to evaluate whether to grant the SEC’s motion to compel Telegram Group Inc. (“Telegram”) to produce overseas bank records.[13] Telegram claimed that the documents contained personal information protected by a host of foreign data privacy laws and objected to any document production.[14] As a result, the Court granted SEC’s motion but allowed Telegram to redact any information “necessitated by foreign privacy laws.” [15] [16]This decision is congruent with the general approach of U.S. Courts, which generally prioritized U.S. discovery interests over those of conflicting European data privacy laws.[17]
III. The Situation with the Chinese Data Privacy Laws is Uncertain
The Courts’ rulings regarding European data privacy laws are fairly consistent. However, these cases might provide little guidance in situations involving the DSL and the PIPL. First, U.S. Courts understand that the GDPR gives explicit permission for data transfers to a third country if the transfer is either “necessary for important reasons of public interest” or “necessary for the establishment, exercise or defense of legal claims.”[18] The GDPR actively furthers litigants’ interest in collecting evidence and provides wide latitude for Courts to interpret what constitutes “public interest.” However, such flexibility does not exist in the Chinese laws. Both the DSL and the PIPL banned the provision of data to foreign justice or law enforcement institutions unless the data processors got approvals from “competent authorities.”[19] Other laws in China also corroborated this stance. The China Securities Law prohibits “foreign regulators from directly conducting investigations and collecting evidence” in China.[20]
In addition, the Courts will likely come to a different conclusion when applying the fifth prong of the comity analysis to China as opposed to European countries. Some Courts deem the fifth factor, the balancing of U.S. and foreign national interests, as the most important, as it “directly addresses the relations between sovereign nations.”[21] While in the evaluation of U.S.-Europe relations, the Courts can comfortably prioritize U.S. regulatory interests, the Courts will inevitably be more cautious in weighing national interests of the U.S. and China, especially since the relationship has been fraught with tensions.
Finally, the lack of clarity in the Chinese laws and uncertainty in their application might further complicate the Courts’ analysis. For example, even though the PIPL exerts jurisdiction over exterritorial data processing activities that influence individuals located in China, the law did not specify how close the nexus has to be between the influence and the data processing activities. In addition, both the DSL and the PIPL require “approval of the competent authorities of the PRC” for entities to conduct certain data transfers. However, the laws have not specified who are the “competent authorities.” Thus, companies seeking to respond to SECs’ production demands and comply with the Chinese laws might find themselves stuck between a rock and a hard place.
IV. Conclusion and Next Steps
After the enactment of the DSL and the PIPL, Chinese companies listed on U.S. stock exchanges and American companies with business interests in China are facing new challenges when answering SEC’s data production requests. Even though U.S. Courts have traditionally favored the interests of U.S. agencies and litigants in their analysis of European data privacy laws, the application of similar analysis to the Chinese laws might run into additional difficulties. However, the situation is still redeemable. According to Article 36 of the DSL and Article 41 of the PIPL, the Chinese authority would handle the requests for data from foreign law enforcement institutions in accordance with “relevant laws and treaties or agreements concluded or participated in by the PRC.”[22] Going forward, the authorities from both countries could work together on treaties or agreements regarding cross-border data transfer to further the regulatory interests of both parties.
---------------------
[1] See Shuju Anquan Fa (数据安全法) [Data Securities Law] (promulgated by the Standing Comm. Nat’l People’s Cong., June 10, 2021, effective Sept. 1, 2021), https://digichina.stanford.edu/work/translation-data-security-law-of-the-peoples-republic-of-china/; Geren Xinxi Baohu Fa (个人信息保护法) [Personal Information Protection Law] promulgated by the Standing Comm. Nat’l People’s Cong., Aug. 20, 2021, effective Nov. 1, 2021), http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml.
[2] Todd Liao et al., Personal Information Protection Law: China’s GDPR Is Coming, Morgan, Lewis & Bockius LLP (Aug. 24, 2020), https://www.morganlewis.com/pubs/2021/08/personal-information-protection-law-chinas-gdpr-is-coming.
[3] Zhiying Yu et al., Analyzing China's PIPL and how it compares to the EU's GDPR, IAPP (Aug. 24, 2021), https://iapp.org/news/a/analyzing-chinas-pipl-and-how-it-compares-to-the-eus-gdpr/
[4] The DSL has a more limited coverage, only affecting foreign data processing activities that harm “national security of People’s Republic of China, the public interest, or the lawful rights and interests of citizens or organizations of the PRC .” See Shuju Anquan Fa (数据安全法) [Data Securities Law] (promulgated by the Standing Comm. Nat’l People’s Cong., June 10, 2021, effective Sept. 1, 2021), art. 2, https://digichina.stanford.edu/work/translation-data-security-law-of-the-peoples-republic-of-china/.
[5] See Connell O’Neill et al., China Passes the Personal Information Protection Law, to Take Effect on November 1, Gibson, Dunn & Crutcher LLP (Sept. 10, 2021), https://www.gibsondunn.com/china-passes-the-personal-information-protection-law-to-take-effect-on-november-1/; Geren Xinxi Baohu Fa (个人信息保护法) [Personal Information Protection Law] promulgated by the Standing Comm. Nat’l People’s Cong., Aug. 20, 2021, effective Nov. 1, 2021), art. 3, http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml.
[6] See Shuju Anquan Fa (数据安全法) [Data Securities Law] (promulgated by the Standing Comm. Nat’l People’s Cong., June 10, 2021, effective Sept. 1, 2021), art. 36, https://digichina.stanford.edu/work/translation-data-security-law-of-the-peoples-republic-of-china/.
[7] The PIPL casts a wide coverage on any activities if “(1) the purpose of processing the data is to provide products or services to individuals located in China, (2) the data are used to analyze or assess the behaviors of individuals located in China, or (3) the activities are under other “circumstances stipulated by laws and administrative regulations.” See Geren Xinxi Baohu Fa (个人信息保护法) [Personal Information Protection Law] promulgated by the Standing Comm. Nat’l People’s Cong., Aug. 20, 2021, effective Nov. 1, 2021), art. 3, http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml; Ken Dai and Jet Deng, The comparison between China's PIPL and EU's GDPR: Practitioners’ perspective, JDSupra (Oct. 11, 2021), https://www.jdsupra.com/legalnews/the-comparison-between-china-s-pipl-and-2189482/.
[8] To transfer such data, the data processors need to (1) pass the evaluation by obtaining personal information protection certification conducted by a professional institution or signing the standard contract formulated by the CAC with the overseas recipients, and (2) complete other administrative steps. See Geren Xinxi Baohu Fa (个人信息保护法) [Personal Information Protection Law] promulgated by the Standing Comm. Nat’l People’s Cong., Aug. 20, 2021, effective Nov. 1, 2021), art. 38, http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml/
[9] Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, 482 U.S. 522, 544 (1987).
[10] Id.
[11] Katalina Bateman and Karen Lee, GDPR vs. U.S. discovery: The conflict continues, Reed Smith LLP (June 23, 2020), https://www.technologylawdispatch.com/2020/06/in-the-courts/gdpr-vs-u-s-discovery-the-conflict-continues/.
[12] John Davis, Burden of Compliance With Foreign Data Privacy Laws Does Not Justify Withholding of Banking Records, Crowell & Moring LLP (Jan. 21, 2020), https://www.crowelldatalaw.com/category/transnational-discovery/
[13] SEC v. Telegram Group Inc. et al., No. 19 Civ. 9439 (Dkt. 67).
[14] SEC v. Telegram Group Inc. et al., No. 19 Civ. 9439 (Dkt. 55).
[15] SEC v. Telegram Group Inc. et al., No. 19 Civ. 9439 (Dkt. 67).
[16] Note that in this case Telegram failed to cite the applicable data privacy laws and specific countries whose data privacy laws they claim to have applied. See SEC v. Telegram Group Inc. et al., No. 19 Civ. 9439 (SEC Renewed Motion to Compel).
[17] For examples, see Corel Software, LLC v. Microsoft Corp., No. 2:15-cv-00528, 2018 WL 4855268, at *1 (D. Utah Oct. 5, 2018), where the Court ordered production of data relevant in a patent infringement case that Microsoft claimed “raises tension” with the GDPR but allowed Microsoft to redact key personal information. Giorgi Global Holdings v. Wieslaw Smulski, No. 17-4416, 2020 BL 190347 (E.D.P.A. May 21, 2020) also presents a similar view, where the court ordered productions after concluding that in this case, the interests of U.S. litigation were more important than the need to comply with the GDPR or other foreign privacy laws. However, it is notable that in Giorgi, the parties also had a protective order that limited disclosure of the documents to the extent that the court considered to be sufficient under the Polish data protection law.
[18] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), arts. 4, 9, 2016 O.J. (L 119) 49(1)(d), 49(1)(e).
[19] See Shuju Anquan Fa (数据安全法) [Data Securities Law] (promulgated by the Standing Comm. Nat’l People’s Cong., June 10, 2021, effective Sept. 1, 2021), art. 36, https://digichina.stanford.edu/work/translation-data-security-law-of-the-peoples-republic-of-china/.
[20] Patrick F. Stokes et al., China Constricts Sharing of In-Country Corporate and Personal Data Through New Legislation, Dunn & Crutcher LLP (June 17, 2021), https://www.gibsondunn.com/china-constricts-sharing-of-in-country-corporate-and-personal-data-through-new-legislation/
[21] SEC v. Gib. Global Sec., Inc., 13 Civ. 2575, 2015 WL 1514746, at 2 (S.D.N.Y., Apr. 1, 2015).
[22] See Shuju Anquan Fa (数据安全法) [Data Securities Law] (promulgated by the Standing Comm. Nat’l People’s Cong., June 10, 2021, effective Sept. 1, 2021), art. 36, https://digichina.stanford.edu/work/translation-data-security-law-of-the-peoples-republic-of-china/.