China's New Data Security Law Restricts Cross-Border Transfers of All Data to Foreign Authorities
In Short
The Situation: Once China's Data Security Law ("DSL") becomes effective on September 1, 2021, it will restrict certain data transfers out of China, including transfers of any data to a foreign judicial or law enforcement authority without prior approval by Chinese authorities. The DSL, however, does not state what activity would constitute a transfer to a foreign judicial or law enforcement authority—such as whether it encompasses cross-border transfers in a purely civil litigation context—or how one may obtain approval.
The Result: There likely will be a period of uncertainty for multinationals operating in China as the DSL's details are fleshed out. Despite the ambiguities in the new law, Chinese authorities have indicated that they intend to take enforcement action for violations, which may result in significant penalties.
Looking Ahead: Companies and individuals will need to assess their current procedures for engaging in cross-border data transfers in response to requests for information and evidence originating from not only foreign government authorities but also from foreign parties collecting evidence for civil disputes. The Chinese government likely will issue more detailed implementing regulations and guidance, which may assist companies in evaluating the need for government approvals for certain cross-border data transfers and in assessing compliance risk.
When the DSL goes into effect on September 1, 2021, it will impose certain restrictions on a company's ability to transfer data out of China without the prior approval of Chinese authorities. One significant restriction is that the Chinese government's approval is required for the transfer of data to a foreign judicial or law enforcement authority.
Article 36 provides that organizations and individuals in China, including multinational companies with operations in China, must seek approval from competent Chinese authorities in connection with providing data stored in China to any foreign judicial or law enforcement authority. This restriction on transfer appears to apply to all types of data, and is not limited to sensitive categories of data such as "important data" or "core data," which are subject to additional restrictions under the DSL as well as under China's Cybersecurity Law. The DSL currently does not set out what activity would constitute a transfer to a foreign judicial or law enforcement authority, or how one may obtain approval. Article 36 does suggest, however, that when deciding whether to approve a proposed transfer, the competent Chinese authority will consider how the relevant foreign country has handled reciprocal requests for data from Chinese authorities.
Notably, the Personal Information Protection Law ("PIPL"), which was passed on August 20, 2021, and which will become effective on November 1, 2021, contains an almost identical provision in Article 41 that prohibits transfer of personal information to any foreign judicial or law enforcement authority without the approval of the competent Chinese authorities.
Like the DSL, the PIPL currently does not set out additional details on the scope of this restriction or the mechanics of approval.
When Article 36 of the DSL is read in the broader context of related Chinese laws that already restrict gathering evidence in China or providing evidence to foreign law enforcement authorities—such as those found in China's Civil Procedure Law, the Securities Law, and the International Criminal Judicial Assistance Law—a conservative interpretation may mean that directly providing any data stored in China to a foreign judicial or law enforcement authority for either a criminal or civil proceeding may trigger the need for government approval. It is less clear, however, whether a transfer directly to a private party similarly would trigger the obligation to seek government approval where the transfer is compelled by the rules of a foreign judicial authority and the data will be used for a proceeding before that authority. In other words, it remains to be seen whether the restrictions in the DSL apply to all cross-border transfers of data in response to a private party's civil subpoena or discovery request for potential use in foreign civil litigation.
The DSL provides for significant penalties that are specific to violations of the cross-border data transfer restrictions. These include financial penalties of up to RMB 5 million (approximately US$770,000) and the suspension of the violating entity's operations or business license.
The enforcement risk may not be only theoretical. In July 2021, the Cyberspace Administration of China and other enforcement authorities initiated data security investigations against a major Chinese technology company that concern, among other things, the data the Chinese company provided to foreign authorities. Although the investigation is still pending, authorities already have ordered the company to remove its apps from Chinese app stores.
Implementing regulations and further guidance concerning the DSL are expected in due course, but it is unknown whether such additional details will clarify how Article 36 will be implemented. In anticipation of the DSL soon becoming effective, companies should consider conducting a careful analysis of the types of data they may wish to transfer, and assessing potential restrictions and approvals needed under the new law. They should also continue to monitor for new guidance, judicial interpretations, and related enforcement actions in China.
Three Key Takeaways
- The DSL applies to all companies and individuals operating in or collecting data from China, including multinationals with operations and data in China.
- Article 36 of the DSL restricts a company's ability to transfer any data stored in China to a foreign judicial or law enforcement authority without government approval, but currently it does not provide details on the precise scope of this restriction.
- Companies will need to carefully review and consider their obligations under the DSL before responding to requests for data stored in China when the requests originate from foreign government criminal or civil proceedings, or even from purely private civil litigation.