China’s New Data Security Privacy Laws and Potential Impact on U.S. Based Litigation
China has enacted two laws related to information and data security. The first is China’s Data Security Law (“DSL”), which was passed on June 10, 2021, and took effect on September 1, 2021.[1] The DSL governs the processing and management of data within China, as well as data stored in countries that have the potential to affect China.[2] Data under the DSL covers records in electronic or other forms; this would cover not just digital data but hard copies of documents as well. Article 36 of the DSL states that government approval would be required before any data stored in China is provided to a foreign judiciary or enforcement authority in criminal or civil proceedings.[3] Violations of this law could bring fines of up to 5 million Yuan, as well as suspension of business operations.[4] It could also lead to fines of up to 500,000 Yuan for related personnel.[5]
The second law, passed on August 20, 2021, is a new privacy law often cited as the Personal Information Protection Law (“PIPL”).[6] It became effective on November 1, 2021, and governs the way personal data may be transmitted out of China. Companies that fail to comply may be fined up to 5% of annual revenue or 50 million Yuan.[7] The business may also be ordered to suspend or cease operations until it complies.[8] Individuals in violation may be fined 100,000 to 1 million Yuan and may be prohibited from being a director or manager for a determined period of time.[9]
There will be obvious tensions between privacy laws of other countries and the broad discovery standards involving litigation in the United States. The issue of discovery practices of the United States involving the production of documents from other countries is not new. In the United States, the Supreme Court has found that once a federal court has jurisdiction over a party, it does not matter that the documents are located in a foreign country; the district court still has jurisdiction.[10] U.S. courts can order extraterritorial discovery using a set of factors from the Restatement of Foreign Relations Law.[11]
The battle between privacy laws and discovery is also not a new phenomenon. Many countries have instituted privacy laws. In April 2016, the European Parliament passed a General Data Protection Regulation (“GDPR”).[12] The GDPR was meant to protect the data and privacy of residents within the European Union and the larger European Economic Area.[13] The GDPR and other privacy laws may not shield companies from the requirement to produce documents in U.S. courts. In the United States, federal courts have recognized that an interest in protecting privacy is diminished when a court has entered a protective order preventing disclosure of secret information.[14] They have also required the production of documents despite privacy laws that have been enacted abroad.[15]
Given that federal courts in the United States have been ordering the production of documents despite foreign privacy laws, a choice must be made. It is not a simple choice; one would either be found in violation of a federal court order in the United States, which could lead to a default judgment or sanctions,[16] or risk violating international data security or privacy laws. Because China’s law is relatively new, it is uncertain how China will handle data transfer issues and how companies can navigate a path to comply with both the courts of the United States and Chinese law. While methods created to work with the GDPR may be adapted, Chinese authorities may react differently than the European Union. What will happen in actual practice remains to be seen.
Anthony Wong is a staff member of Fordham International Law Journal Volume XLV.
This is a student blog post and in no way represents the views of the Fordham International Law Journal.
—
[1] See Translation: Data Security Law of the People’s Republic of China (Effective Sept. 1, 2021) (Rogier Creemers et al. trans., Graham Webster ed.), DigiChina (June 29, 2021), https://digichina.stanford.edu/work/translation-data-security-law-of-the-peoples-republic-of-china/.
[2] See id.
[3] See id.
[4] See id.
[5] See id.
[6] See Translation: Personal Information Protection Law of the People’s Republic of China – Effective Nov. 1, 2021 (Rogier Creemers et al. trans., Rogier Creemers & Graham Webster eds.), DigiChina (Sept. 7, 2021), https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/.
[7] See id.
[8] See id.
[9] See id.
[10] See Societe Nationale Industrielle Aerospatiale v. U.S. Dist. Ct. for S. Dist. of Iowa, 482 U.S. 522, 539–40 (holding that the Hague Convention does not deprive a district court of the jurisdiction it would otherwise possess over a foreign national party regarding production of evidence).
[11] See id. at 544 n.28 (listing the five factors of the restatement).
[12] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Council Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN [hereinafter GDPR].
[13] This includes the EU countries plus Iceland, Liechtenstein and Norway. See The GDPR: new opportunities, new obligations What every business needs to know about the EU’s General Data Protection Regulation, https://ec.europa.eu/info/sites/default/files/data-protection-factsheet-sme-obligations_en.pdf (last visited Jan. 2, 2022).
[14] Finjan, Inc. v. Zscaler, Inc., No. 17CV06946JSTKAW, 2019 WL 618554, at *3 (N.D. Cal. Feb. 14, 2019).
[15] See id. (rejecting the objection that production of emails from a U.K. citizen would violate the GDPR); see also Reino de Espana v. Am. Bureau of Shipping, No. 03 CIV. 3573 LTS/RLE, 2006 WL 3208579, at *6 (S.D.N.Y. Nov. 3, 2006) (holding that Spain’s failure to preserve and produce data based on a justification of Spanish privacy laws was not enough and holding that “[t]his litigation is in the Southern District instead of a court in Spain. Discovery is governed by the Federal Rules of Civil Procedure, not Spanish privacy laws and government privileges.”).
[16] See Graco, Inc. v. Kremlin, Inc., 101 F.R.D. 503, 527 (N.D. Ill. 1984) (holding that if defendant is unable to comply with the court’s order, there could be a default judgment issued or other sanctions).