Cross-Border Transfer of Evidence from Mainland China under International Commercial Dispute Resolution Scenarios

Cross-border transfer of evidence in litigation or arbitration proceedings is no longer an easy process in today’s world, with countries frequently at odds with each other over data security regulations. This was not the case a decade ago.

Mainland China was relatively slow to adopt data laws but the pace of legislation has gained a lot of momentum in recent years. In rather quick succession it introduced the Cybersecurity Law in 2017, followed by the Data Security Law (DSL) and Personal Information Protection Law (PIPL) in 2021 (altogether the PRC Data Laws) (see our previous article on the PIPL, regulations under the PRC Data Laws, and podcast episode on the PRC Data Laws). At the level of administrative regulations and departmental rules, there are the Measures for the Security Assessment of Outbound Data Transfer (Assessment Measures), introduced by the Cyberspace Administration of China (CAC) in September 2022; the Measures on the Standard Contract for Cross-border Transfers of Personal Information; as well as multiple consultation drafts – such as the Network Data Security Management Regulations (Draft on Network Data) and latest Provisions on Regulating and Promoting Cross-border Data Transfers (Draft on Easing Data Transfer). The consultation drafts – though not yet in effect – serve as benchmark reference for Chinese regulators in scrutinising cross-border data transfer activities. Alongside prevailing laws, regulations and departmental rules, they form the legal framework for cross-border data transfers and security in Mainland China.

In litigation or arbitration, evidence is often viewed as “data” – and consequently wrapped up in this tug-of-war. This Legal Update reviews cross-border commercial dispute resolution scenarios, delving into compliance obligations, practice developments and compliance insights regarding the transfer of evidence from Mainland China.

Compliance Obligations

The PRC Data Laws define “data” quite broadly to include any record of information in electronic or other forms¹. Similarly, personal information refers to all kinds of information related to identified or identifiable natural persons recorded electronically or by other means, but excluding data that is anonymized².

Regarding overseas judicial activities, Article 36 of the DSL and Article 41 of the PIPL stipulate that data or personal information stored within the territory of Mainland China shall not be made available to foreign judicial or law enforcement agencies without approval from the competent authorities.

The Assessment Measures, however, provided a clearer pathway for the outbound transfer of data by outlining in Article 4 the following circumstances where a security assessment and approval are required:-

1. where a data controller provides Important Data (see discussions below) abroad;
2. where an operator of a critical information infrastructure or a data controller who has processed personal information of over one million people provides personal information abroad;
3. where a data controller who has provided abroad the personal information of over 100,000 people or the sensitive personal information of over 10,000 people cumulatively since January 1 of the previous year provides personal information abroad; and
4. any other circumstance determined by the CAC.

Put simply, for overseas judicial or law enforcement activities, certain data or personal information stored in Mainland China can only be transferred overseas after undergoing a data security assessment and obtaining approval from competent authorities.

It is worth noting that, in the field of judicial assistance, the Ministry of Justice of Mainland China (MOJ) has reiterated that foreign judicial authorities or individuals seeking access to evidentiary materials located in Mainland China – or for questioning of witnesses – should apply to the MOJ or the Ministry of Foreign Affairs through the channels specified in international treaties. Unauthorised organisations or individuals are prohibited from taking evidence in Mainland China³. As this is explicitly stated, it will not be expanded upon in this article.

Practice Developments

What Types of Data Require Prior Approval before Outbound Transfer?

Article 36 of the DSL and Article 41 of the PIPL do not set any qualifications on the types of “data” or “personal information” that require approval for outbound transfer. This has led to the interpretation by some practitioners that all data and personal information stored in Mainland China, regardless of its nature and quantity, cannot be exported from Mainland China in the context of judicial proceedings without prior approval, and that this would apply even to trivial information such as an email or a photograph. If this interpretation is correct, the restriction is all-encompassing.

Meanwhile, it was reported that the MOJ previously indicated when responding to enquiries that, in principle, evidence not involving “Important Data” – and not falling under circumstances set out in the above-mentioned subparagraphs (2) to (3) of Article 4 of the Assessment Measures – could be transferred overseas directly without review and approval. However, the absence of legal documents confirming this exemption creates a compliance risk. This becomes more concerning when the Draft on Easing Data Transfer proposes to exempt certain cross-border data transfer activities from security assessment, but there is no mention of overseas judicial activities in the enumerated activities⁴.

The approval requirement is clear for the outbound transfer of Important Data and personal information caught by subparagraphs (2) to (3) of Article 4 of the Assessment Measures. However, defining “Important Data” poses difficulties due to the breadth of its definition⁵ and lack of unequivocal identification standards. Article 2 of the Draft on Easing Data Transfer now provides that data that has not been notified or published as important data by the competent authorities does not require security assessment, suggesting that applicants can presume that they do not process Important Data unless notified otherwise.

In addition, restrictions have been imposed on the export of certain specific types of data, mainly relating to state secrets, healthcare data, surveying and mapping results, and information on human genetic resources⁶. These categories appear to require special approval from the relevant competent authorities before they can be transferred overseas⁷.

Last, there are discussions as to whether different approaches should be adopted for voluntary provision of evidence as compared to provision at the request of judicial bodies overseas. The MOJ clarified in its Answers to Frequently Asked Questions on International Judicial Assistance in Civil and Commercial Matters (FAQ) dated June 2022 that regardless of type of transfer involved being voluntary or based on foreign compulsion, the pre-transfer procedures for outbound data transfer must be fulfilled in accordance with the law⁸. Interestingly, the FAQ has since been removed from the official website of the MOJ. This raises uncertainty about the official policy, but the risk of “voluntarily” submitting evidence overseas without fulfilling the compliance obligations remains.

Scope of “Foreign Judicial or Law Enforcement Agencies”

Courts, law enforcement agencies and securities authorities (e.g., the U.S. Securities and Exchange Commission) outside Mainland China are generally considered as falling within the scope of “foreign judicial authorities or law enforcement agencies”. Opinions differ in practice on whether international arbitration institutions and arbitral tribunals should be included.

Some argue that arbitral institutions, such as the HKIAC, SIAC and LCIA, are all independent and non-administrative bodies. They are established as limited liability companies under the laws of their respective jurisdictions, confirming their private and independent nature. Therefore, arbitral tribunals should not be subject to Article 36 of the DSL and Article 41 of the PIPL. 

However, there are conflicting views among relevant governmental departments on this issue. In a recent arbitration case handled by Mayer Brown, the MOJ considered the arbitral tribunal a “foreign judicial body” – and therefore required approval for the disclosure of Important Data to it.

Quite separately, from a jurisdictional perspective, Hong Kong SAR, Macao SAR and Taiwan Region are considered “foreign” territories. This is evidenced in Mainland China’s Exit and Entry Administration Law⁹ and the Draft on Network Data¹⁰, and is also in line with long-standing judicial practice in Mainland China civil litigation, whereby these three places are treated as foreign jurisdictions¹¹.

Competent Authority, Process and Timeframe for Approval

The competent authorities that are supposed to process the approval application for cross- border data transfer relating to overseas judicial requests are not specified in the DSL and PIPL, while Articles 5 and 6 of the DSL suggest multiple competing responsibilities of governments at central and local levels, authorities of various industries, public security and national security organs, and cyberspace administrations over data security supervisions. This inevitably presents challenges for applicants.

The lack of established protocols, inconsistent instructions and the passing of responsibilities between relevant authorities create further confusion and delays in the application process.

Reviewing one of our recent cases, the application process can be briefly described as involving the following steps¹²:-

1. First, the applicant submits a written application to the MOJ with supporting materials.
2. Subsequently, the MOJ, in conjunction with the Supreme People's Court and the competent cyberspace administration, will review the evidentiary materials to be transferred. There is no definite timeline for the review, but this may take months depending on the significance and complexity of the case.
3. Upon approval, the MOJ will issue a letter of approval to the applicant.
4. The applicant can then transfer the evidence across the border in accordance with the terms contained in the letter of approval.

Supporting materials for the application, according to Article 6 of the Assessment Measures, may include (1) an application form, (2) a self-assessment report on the risk of the outbound data transfer and (3) legal documents drawn up between the applicant and the overseas recipient. It is common to also submit a list of evidence and a legal assessment report prepared by a law firm in Mainland China.

Compliance Insights

Early Assessment and Planning

In the initial stages of the proceedings, Chinese parties should start to determine the scope and nature of their evidence, and understand the applicable laws and regulations, the competent authorities, application procedures and timeframes involved. This enables a good evaluation of the compliance risk associated with the outbound data transfer – and the adoption of appropriate compliance strategies to avoid data risks that may arise from the resolution of cross-border disputes.

Parties not based in Mainland China and involved in disputes that may necessitate the cross-border transfer of evidence, should keep an eye on developments in relation to PRC Data Laws, seek legal advice and try to deploy countermeasures, taking into account the overall strategy of the case.

Effective Communication to Enhance Procedure Predictability

As mentioned above, if parties are unsure whether approval is required for the outbound transfer of evidentiary material, the nature of the data involved (e.g., whether it is “Important Data”), or the nature of the arbitral tribunal, they should actively communicate with the MOJ and the competent authorities of their industries and seek guidance. They should promptly relay the same to their lawyers, judicial and law enforcement agencies and counterparties.

For international arbitrations, given the principle of party autonomy, parties can negotiate necessary alternative measures for the discovery stage. The arbitral tribunal can also adjust the provisional timetable with reference to the procedures and timeframe required for the cross-border evidence transfer, to allow sufficient time and enhance procedure predictability.

Avoiding Extremes

Chinese parties should not disregard compliance obligations on outbound data transfers and directly submit evidence to foreign judicial bodies or law enforcement agencies. If the evidence involves Important Data or a large amount of personal information, a violation of the PRC Data Laws can have serious consequences¹³.

On the other hand, before consulting the MOJ and relevant authorities – or submitting an application – it is essential to first narrow down the scope of the evidence. Submitting all evidentiary materials without careful consideration can result in ineffective communication, application refusal, and delays in the review process. A well-established document management system is crucial for the pre-approval of document collation. Therefore, it may be wise to involve legal advisors at an early stage to conduct an initial assessment of the documents. This will also facilitate preparation of the legal assessment report required for the application.

Proper Management of Potential Adverse Effects from Inability to Provide Evidence

If it is indeed impossible to submit important evidence due to compliance obligations on cross-border data transfers, parties and their legal teams should proactively take measures to properly manage the potential adverse impact. This may include always adhering to good faith principles, demonstrating due diligence, and actively discussing and proposing alternative measures to minimise the adverse impact.

The article is published on mayerbrown.com and republished by the British Chamber of Commerce in Hong Kong and the Hong Kong Lawyer. 

¹ See Art.3, DSL.

² See Art.4, PIPL.

³ See Part II of the Answers to Frequently Asked Questions on International Judicial Assistance in Civil and Commercial Matters published by the MOJ in March 2023.

⁴ See Art.1, Draft on Easing Data Transfer.

⁵ According to Art, 21 of the DSL and Article 19 of the Assessment Measures, “Important Data” mainly refers to data that, if leaked, may directly affect or endanger national security, economic security, social stability, public health and safety.

⁶ This is reflected to in subparagraph (4) of Article 4 of the Assessment Measures.

⁷ See Art.30, Law of the People’s Republic of China on Guarding State Secrets, Art.30, Measures on the Standards, Safety and Service of National Healthcare Big Data (Trial Implementation), Art.34, Surveying and Mapping Law of the People’s Republic of China, and Art.57, Biosecurity Law of the People’s Republic of China.

⁸ See Question 8 of the FAQ.

⁹ “Exit” is defined as “leaving Mainland China for other countries or regions, for the Hong Kong Special Administrative Region or the Macao Special Administrative Region or for Taiwan Region” in Art.89.

¹⁰ In Art.13, “where the data processor lists in Hong Kong, affecting or possibly affecting national security”, “shall report for cybersecurity review in accordance with relevant State regulations”.

¹¹ See Art.549, Interpretations on the Civil Procedural Law of the People’s Republic of China, effective on 10 April 2022.

¹² This application was made in around the fall of 2022. It is unclear if the same process applies to subsequent applications.

¹³ See, for example, Art.48(2) of the DSL.