Recent changes to Chinese law have broad implications on cross-border data transfer in the course of investigations conducted by non-Chinese regulators. Clients work closely with counsel to navigate potential legal landmines in any defense of an investigation involving data from China.
Just over six months ago, on March 24, 2020, the People’s Republic of China’s (PRC) revised Securities Law (revised on December 28, 2019) (中华⼈民共和国证券法（2019年修订) went into effect. While the revised Securities Law affects many aspects of China’s securities law framework (including the registration of new securities for initial public offerings, disclosure requirements, and investor protection rules), a new “blocking” provision is particularly notable. Specifically, Article 177 of the revised Securities Law prohibits non-Chinese securities regulators from conducting investigations within China and prevents Chinese individuals and entities from providing information to such regulators without first receiving approval from the China Securities Regulatory Commission and/or other competent departments under the State Council.
More recently, the open comment period ended for another law, the draft Data Security Law (中华人民共和国数据安全法草案), which was published on July 3. This proposed law is pending further review by the National People’s Congress Standing Committee, which is slated to convene October 13 through October 17, 2020. This proposed law includes a similar “blocking” provision to the Securities Law, requiring individuals and entities in China to first receive approval from relevant government departments before providing data located within China to foreign law enforcement organizations. These two laws appear to go much further than the 2018 International Criminal Judicial Assistance Law (国际刑事司法协助法) (ICJAL), which prohibits individuals and entities in China from providing information to criminal law enforcement authorities located outside of China unless such entities first receive permission from Chinese criminal law enforcement authorities.
These changes are occurring at a time when U.S. regulators have articulated greater scrutiny for Chinese firms (see SEC Chairman Jay Clayton’s statement at the Securities and Exchange Commission (SEC) Emerging Markets Roundtable (July 9, 2020); SEC/Public Company Accounting Oversight Board Joint Public Statement: Emerging Market Investments Entail Significant Disclosure, Financial Reporting and Other Risks; Remedies are Limited (April 21, 2020)), while China has sought to limit foreign governments’ ability to conduct investigations within China. Recent efforts to change U.S. law include the Senate’s passage of the Holding Foreign Companies Accountable Act in May 2020 (discussed here) and Nasdaq’s newly proposed listing criteria for companies in “restrictive markets” (discussed here).
Article 177 of the revised Securities Law
Article 177 of the revised Securities Law provides the following:
The securities regulatory authority under the State Council may establish cooperative arrangements for supervision and administration and implement arrangements for cross-border supervision and administration in conjunction with the securities regulatory bodies of any other country or region.
Overseas securities regulatory bodies shall not directly conduct investigation and evidence collection activities within the territory of the People’s Republic of China. Without the consent of the securities regulatory authority under the State Council and relevant competent departments under the State Council, no entity or individual may provide documents and materials relating to securities business activities overseas without prior authorization.
The government has not issued any guidance or formally defined key terms to clarify the extent of its application. The phrase “materials (资料),” for example, is undefined. The phrase “securities business activities (证券业务活动)” is commonly understood to refer to business conducted by a licensed securities company (证券公司) such as broker-dealer services and investment consultancy services. But Article 2 of the revised Securities Law defines the scope of this law as broadly regulating any “securities issuance and trading activities (证券发行和交易),” which allows for a reading of Article 177’s prohibition to cover all companies that issue securities and their interactions with securities regulators such as the SEC. Further, although the first sentence appears limited to actions in response to foreign government inquiries, it is less clear to what extent the second sentence is modified or limited to such inquiries.
Article 33 of the draft Data Security Law
Article 33 of the draft Data Security Law provides the following:
Where overseas law enforcement agencies require investigation of data stored in the territory of the People’s Republic of China, entities and individuals should report to the relevant competent authority and provide it after obtaining approval. Where the People’s Republic of China has concluded or participated in international treaties or agreements that have provisions for foreign law enforcement agencies to investigate and obtain domestic data, follow those provisions.
To the extent that the Securities Law left room for ambiguity, the draft Data Security Law provides a much clearer and wider prohibition that, if implemented, means Chinese individuals or entities will be prohibited from providing information to foreign agencies without first receiving approval from competent authorities in China.
Clients located in China will need to carefully consider what information may be provided to foreign counsel where non-Chinese regulatory agencies are involved or may become involved. Removal of documents from China for attorney review — even digitally — may be considered a violation of these regulations. This arguably could include hosting data on a server that runs from or through a territory outside China. Additionally, not only can the statutes be read to prohibit providing the actual documents to the foreign law enforcement or regulatory agencies, it is also unclear to what extent counsel may share the fruits of an investigation such as descriptions of documents or interviews. Although unlikely, it is conceivable that these regulations may even affect how and what a client can communicate with his/her foreign counsel. Given the breadth of these new laws, any information or documents transmitted to foreign counsel can be construed as, and may be the basis for, the foreign counsel’s communications with foreign regulators.
All of these uncertainties can by addressed by obtaining permission to share information from the appropriate Chinese authority. Deciding what permission to seek and when, however, necessitates careful and strategic decision-making by client and counsel as little public precedent exists to indicate how Chinese agencies will respond.