In recent years, with the continuous expansion of business, it is inevitable that domestic enterprises will be involved in overseas litigation due to various commercial disputes when conducting business overseas. Cumbersome litigation procedures from foreign laws (e.g., discovery of evidence, which is more common in common law systems) and compliance requirements for cross-border data transfer in China often put tremendous pressure on domestic enterprises to respond to lawsuits.
in recent years, chinese domestic enterprises conducting business overseas are commonly known to be involved in foreign lawsuits raised by various commercial disputes due to the continuous expansion of their businesses. the complicated litigation procedures such as the discovery of documents in common law jurisdictions, plus the data compliance requirements on evidence cross-border transfer according to prc laws and regulations make chinese enterprises face overwhelming pressures in responding to their potential lawsuits.
One of our recent cross-border litigation cases involves the issue of data compliance for the transfer of evidence. During the project, we assisted the client in providing data to foreign judicial authorities for their participation in litigation. With this in mind, we have written this article to analyze the process and precautions, which are detailed below.
we recently handled an international litigation case involving the cross-border transfer of evidence/data. when handling this case, we assisted our client in successfully transferring their electronic documents as case evidence to foreign judicial authorities for litigation purposes. in this article, we will share our insights on the procedures of cross-border data transfer and some matters that may require special attention in the international litigation/arbitration procedures of a chinese company.
1. Background of the case.
i.background setting
A Technology Co., Ltd. (hereinafter referred to as "Company A") is a company incorporated in China, mainly responsible for the research and development of computer software. Due to the popularity of its products, Company A began to expand its overseas markets. However, not long ago, a Cayman Islands-incorporated company B sued Company A to the Cayman Court due to a business dispute. According to Caymanian law, Company A is required to participate in the discovery of documents and submit all relevant evidence to the Cayman Court for all cases arising in China.
company a is a tech company incorporated under prc laws, with its primary business scope of researching and developing computer software. thanks to its widely renowned products, company a began to expand its business in overseas markets. company a received a claim as the defendant a few months ago, with the plaintiff being company b, a tech company incorporated under the law of cayman island. according to the civil procedure laws of cayman, company a was required to participate in the process of discovery of documents and submit the evidence related to the case to the grand court of cayman in its entirety.
II. How is evidence transmitted across borders?
ii.how to transfer the case evidence abroad?
In the above case, the domestic enterprise Company A needs to submit the information generated in the course of its domestic operation to the overseas court as evidence of extraterritorial **. According to Chinese laws and industry practices, there are two main scenarios for domestic enterprises to transmit evidence to foreign courts: 1Domestic entities voluntarily submit to overseas law enforcement and judicial agencies; 2.Passive provision at the request of overseas law enforcement and judicial agencies.
in view of the case above, company a needs to submit a giant amount of its domestically generated data to the court of cayman for litigation purposes. according to prc laws and general practices, there are mainly two scenarios for chinese domestic entities to submit their electronic documents/case evidence to foreign judicial and law enforcement authorities: (1) the entity voluntarily submits the evidence to the authorities, and (2) the entity submits the evidence to the authorities upon requests.
1.Domestic enterprises take the initiative to provide information to foreign judicial authorities.
1. voluntary submission
Active provision, that is, the data processor voluntarily provides data overseas. In the context of this case, if Company A voluntarily provides the Cayman court with data generated in China for the purpose of discovery in accordance with the provisions of the Cayman Procedure Law, it is a voluntary provision of data by the domestic enterprise to a foreign judicial authority.
voluntary submission means the data processors submit the domestically generated data at their own will without any passive demands. in our case, it would be assumed as a voluntary submission if company a transfers its data to the court of cayman spontaneously for the discovery of documents according to the civil procedure laws of cayman.
In order to better understand the workflow of cross-border data transfer declaration of data processors, we take Company A as an example. According to the provisions of the Cayman Litigation Law, after responding to the lawsuit, Company A needs to submit all the evidence related to its case to the plaintiff in the case, i.e., Company B, during the discovery process. As an emerging technology-based enterprise established in China and involved in the development of instant messaging software, Company A's daily business will involve the processing of a large amount of data and personal information, and since the root cause of this lawsuit is also related to data processing, Company A must use part of the data stored in China for this lawsuit.
to understand the process of cross-border data transfer more vividly and concretely, we elaborate on the procedures through our case mentioned above. according to the law of cayman, company a would be obliged to disclose the relevant electronic documents and evidence to the counterparty (company b) in the course of discovery of documents should it wish to attend the lawsuit. as a prc law-incorporated new-tech company developing an instant messaging platform, company a needs to handle an abundant amount of personal even sensitive personal information. more importantly, as the litigation was to some degree related to data processing, company a has the duty to disclose certain parts of its data generated domestically.
In view of this, Company A is required to complete the risk self-assessment and complete the risk self-assessment report in accordance with the Security Assessment Measures for Cross-border Data Transfer (the "Assessment Measures"). During the assessment process, Company A needs to pay special attention to whether the content, type and amount of data to be used in litigation meet the threshold prescribed by law, i.e., the personal information of 100,000 people or the sensitive personal information of 10,000 people has been provided overseas since January 1 of the previous year, or it involves important data.
in that case, according to measures for the security assessment of outbound data transfer (“the measures”),company a would be obliged to complete a two-step assessment—the "security self-assessment" and the "regulatory authority assessment" before transferring the evidence to its counterparty in cayman island. during the assessment, it would require company a special attention to note whether the document to be transferred abroad reaches the assessment threshold, specifically, transferring “personal information” abroad of over 1 million people, or “sensitive personal information” of over 10,000 people cumulatively since january 1 of the previous year, or information containing “important data”, etc.
If the assessment finds that the above criteria are met, Company A must submit the assessment report and other documents required by law to the local cyberspace administration for the second assessment and review by the regulatory authority after completing the risk self-assessment. Only after Company A has obtained the approval of the CAC can the data involved in the case be submitted to Company B for litigation.
if the abovementioned threshold is reached, company a should draft a self-assessment report concerning the risks of transferring data abroad based on its assessment result, and submit the report, together with other required **work to local cyberspace administration authorities (“cac”) for regulatory authority assessment. company a is only allowed to transfer its documents abroad once it has obtained permission from cac.
If Company A has any objection to the assessment result, Company A may apply to the department for a re-evaluation. However, it should be noted that, according to the provisions of the Assessment Measures, the re-evaluation result is only final, and there is no other remedy. Due to the finality of the re-evaluation, the administrative reconsideration and administrative lawsuit filed by Company A will not be accepted in accordance with the provisions of the Administrative Litigation Law.
if company a has any objection to the assessment result provided by cac, it may apply for a reassessment to the same authority. but note that the result of the reassessment is determined to be final and no further remedies are currently **ailable according to the measures. it therefore suggests that the finality of reassessment bans the applicant from further applying for administrative reconsideration even administrative litigation according to the administrative litigation law of the prc.
2.Passive provision at the request of overseas law enforcement and judicial agencies.
2. submission upon requests by foreign authorities
If Company A receives documents from the Cayman court in the course of the litigation and requests it to directly submit the data generated in China to the Cayman court in accordance with specific procedures, it is deemed to have passively provided the data at the request of the overseas judicial authority.
conversely, if company a receives court documents demanding a direct submission of its documents straightly to the court of cayman rather than to company b, it would then constitute a submission upon requests by a foreign judicial or law enforcement authority.
Different from active provision, passive provision is similar to a judicial assistance procedure, which involves a series of issues such as national judicial sovereignty, so it will be subject to stricter regulatory rules.
differentiating from voluntary submission, submission upon request is more akin to international judicial assistance. submission upon requests by foreign law enforcement or judicial authorities may involve a range of issues such as the judicial sovereignty of a country and thus subject to stricter regulatory rules.
Article 41 of the Personal Information Protection Act and Article 36 of the Data Security Law stipulate that the competent authorities of the People's Republic of China shall, in accordance with the relevant laws and international treaties and agreements concluded or acceded to by China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies for the provision of data or personal information stored in China. Without the approval of the competent authority, institutions or personal information processors shall not provide data or personal information stored in China to foreign judicial or law enforcement agencies. It is not difficult to see that Chinese law imposes strict restrictions on the collection of domestic evidence by overseas law enforcement and judicial organs.
article 41 of the personal information protection law of china (“pipl”) and article 36 of the data security law of china (“data security law”) both provide that the competent authority of the prc shall process a request for data from a foreign judicial or law enforcement authority in accordance with relevant laws and international treaties and agreements entered into or acceded to by china, or under the principle of equality and reciprocity. without the approval of the competent authority, a domestic entity shall not provide data stored in the territory of china to any foreign judicial or law enforcement authority. as indicated, prc laws impose strict restrictions on foreign law enforcement and judicial authorities accessing domestically generated evidence.
On 30 March 2023, the Ministry of Justice (MOJ) issued a further explanation on international judicial assistance in civil and commercial matters, clarifying that if a foreign judicial organ collects evidence in China, it shall submit a request to the relevant authority in accordance with the channels stipulated in the Hague Convention on the Collection of Evidence Abroad in Civil and Commercial Cases (the "Hague Convention"), and the court shall enforce it after approval[1]. From this, we can also infer that domestic enterprises are not allowed to directly provide data stored in China to foreign judicial authorities at their request, but should complete the transfer of evidence through designated channels.
the ministry of justice made an additional clarification regarding international civil and commercial judicial assistance on 30 march 2023, stating that a foreign judicial or law enforcement authority is not allowed to obtain domestically generated or stored data unless requested through channels stipulated in convention on the taking of evidence abroad in civil or commercial matters (“the hague convention”).the transfer of the evidence shall be executed by the competent court upon permission granted. given these points above, we can also deduce that domestic entities are not allowed to transfer documents directly to foreign law enforcement or judicial authorities unless following the designated channels upon permission.
In addition, the Ministry of Justice has given detailed explanations in the Q&A on some of the issues that overseas law enforcement and judicial agencies may encounter when collecting evidence in China, such as:
besides, the clarification provided by the ministry of justice detailly elaborates on some potential scenarios that may be encountered by foreign authorities, for example:
Where a foreign judicial organ or judicial personnel collects evidence within the territory of China, it is necessary to submit a request for investigation and evidence collection to the Ministry of Justice by a foreign judicial organ or individual with the qualifications to submit a request for evidence collection in accordance with the channels provided for in the Hague Convention. Countries or regions that have not concluded relevant treaties with China need to submit a request to ***. After the request is approved, it is executed by the court, and the result is answered by the requesting party by the department receiving the request.
foreign judicial authorities must follow the procedures specified in the hague convention should they seek to obtain evidence in china. the qualified requesting party needs to submit an evidence investigation and collection request to the ministry of justice. for countries or regions with which china has yet to enter into treaties, requests should be submitted to the ministry of foreign affairs and executed by the competent court upon approval. the results of the collection request will be provided by the receiving authority.
Since China made a reservation to Chapter II except Article 15 when it acceded to the Hague Convention, foreign judicial organs or individuals are not allowed to directly question (including through technical means) witnesses located in China, and are only allowed to submit a request for evidence collection to the Ministry of Justice or to the Ministry of Justice through diplomatic channels through the channels stipulated in the treaty, and the request will be executed by the court after approval.
due to china’s reservation made upon acceding to the hague convention on chapter ii in its entirety except for article 15, foreign judicial authorities or relevant personnel are prohibited from directly questioning witnesses located within the territory of china, including technological methods such as phone calls or video. the only permissible method would be through the channels mentioned above.
According to the provisions of the Civil Procedure Law, foreign judicial organs or relevant personnel, except for Chinese lawyers, may not entrust any other person in China to assist in obtaining evidence or questioning witnesses, and the appointment of a lawyer must be approved by the court before enforcement.
according to the civil procedure law of china, except for qualified chinese lawyers, foreign judicial authorities or relevant personnel are not allowed to engage any individuals within china to assist in obtaining evidence or questioning witnesses. approval from the court is required before engaging the services of a chinese lawyer for such purposes.
We understand that because national judicial sovereignty is involved, legislators usually set more stringent procedures for foreign authorities to directly collect domestic evidence. Arbitrarily allowing foreign authorities to collect evidence will not only undermine a country's judicial sovereignty, but may also involve the disclosure of state secrets, which may endanger ******, therefore, the DSL imposes heavy legal liabilities on providing domestic data to foreign judicial authorities without legal procedures, such as administrative penalties such as warnings, suspension of business for rectification, revocation of business licenses, and fines of up to several million yuan[2]. Domestic enterprises must not ignore the above provisions and provide data abroad in accordance with the law, otherwise they will face heavy legal liability.
we understand that legislators are purposefully imposing strict procedures on foreign judicial authorities obtaining domestically generated evidence because it may relate to the judicial sovereignty of a country. arbitrarily allowing foreign authorities to obtain evidence not only undermines judicial sovereignty but also threatens national security. therefore, data security law imposes he**y legal responsibilities for straightly providing domestically generated data to foreign authorities without following the prescribed legal procedures such as warning, suspension of business for overhaul, revocation of business license, or fines up to millions of cny. thus, it is crucial that chinese entities do need to comply with designated procedures before transferring their data abroad, especially to judicial or law enforcement authorities. otherwise, a he**y legal burden may be imposed if disobeying the law.
3. Practical suggestions.
iii.recommendations on general practices
In the process of operation, enterprises will inevitably generate sensitive information, which undoubtedly makes it difficult for enterprises to respond to lawsuits outside the territory. In view of this, in order to help domestic enterprises protect their legitimate rights and interests, we make the following suggestions.
it is almost inevitable for enterprises to generate sensitive information while operating, and such information would no doubt impose burdens on responding to lawsuits. in view of the above and for the sake of helping domestic enterprises safeguard their legitimate rights and interests, we would make the following suggestions.
1.Anonymize the information.
1. information redaction
According to Article 4 of the Personal Information Protection Act, anonymized information does not fall under the definition of "personal information" under the Act. Therefore, in the case of voluntary overseas provision, the enterprise can evaluate the data according to the actual situation, and if the situation permits, it can anonymize part of the information to avoid the review of the CAC.
article 4 of pipl provides that information being redacted and anonymized does not belong to the “personal information” defined under pipl. therefore, under the circumstance of voluntary submission, domestic entities can redact their documents, depending on the actual situation if permissible, to circumvent the requirement of cac assessment.
2.Truthfully report to the relevant departments.
2. truthful declaration
In the case of voluntary provision, such as personal information and important data that involve important data or personal information and important data that are not allowed to be anonymized in practice, we recommend that enterprises complete the security self-assessment and the security assessment of the cyberspace administration in strict accordance with the law, and obtain permission from the regulatory authorities before cross-border transmission. In cases where a passive request is received, data handlers shall report to the relevant local departments as soon as possible, and complete the collection of domestic evidence in accordance with the prescribed procedures, so as not to miss the period and harm their own rights and interests.
under the circumstances of voluntary submission, if the documents to be transferred abroad contain data such as unredacted personal information and important data, we recommend domestic entities strictly abide by prc laws on performing security self-assessment and regulatory authority assessment duly. the evidence can be transferred abroad only when permission is granted from regulatory authorities. under the circumstances of submission upon requests, we recommend the domestic entities contact relevant local authorities immediately after receiving foreign court orders and transfer the evidence following the prescribed channels.
The transfer of data across borders is no small matter. With the continuous expansion of opening up to the outside world, the number of overseas litigation or arbitration in which Chinese enterprises participate will only increase, and the cross-border data transfer involved will also increase. In order to protect their legitimate rights and interests and ensure that the litigation process proceeds as scheduled, we recommend that enterprises complete the necessary risk assessment of cross-border data in accordance with the provisions of the law, and perform relevant filing and declaration procedures to ensure that cross-border data is legal and compliant.
as chinese enterprises are continuously expanding their involvement in international trading, the number of overseas litigations or arbitrations is expected to be increasing in the following years. consequently, the volume of cross-border data transfer associated with the cases is likely to grow as well. to safeguard legitimate rights and ensure the smooth progress of litigation procedures, it is suggested that prc companies should conduct necessary risk assessments for cross-border data transfer as per legal requirements. prc companies are also advised to fulfill relevant declaration obligations to ensure that data transfer is conducted in a legal and compliant manner to **oid its potential legal responsibilities.
Special statement: Dentons strictly abides by the obligation to protect the client's information, and the content of the client's project involved in this article is taken from public information or obtained the client's consent. The content and opinions expressed in this article are for reference only and do not represent any position of Dentons, nor should they be regarded as issuing any form of legal advice or recommendation. If you need to ** or quote any content of the article, please send a private message to communicate the authorization and indicate ** at the beginning of the article**. You may not ** or use any of the content in such articles without authorization.