The Chinese government has promulgated a multitude of laws to prohibit disclosure of protectable data, including state secrets, personal information and trade secrets. Thus, satisfying a foreign regulator’s data request without considering local data privacy laws could trigger legal liabilities for multinational companies (MNCs) whose data is located in the PRC.
At the same time, failing to respond to a U.S. regulator’s demand for information in a complete and timely manner can also result in sanctions. MNCs may therefore find themselves caught between a rock and a hard place. To deal with this quandary, MNCs must strategize and develop a considered response that weighs these competing interests and obligations.
To manage the conflicting demands effectively, MNCs need to understand the scope and purpose of the regulator’s data request, the types and location of data that need to be produced, the company’s obligations under PRC law with respect to the information requested, and the management of the data production process to avoid inadvertent disclosure of protectable information in violation of PRC laws.
From the outset of the regulatory inquiry, companies should, together or through counsel, discuss the company’s obligations and associated liabilities under the PRC’s data protection regime with the regulators. These early communications aim to set the expectations around the scope of document production and the parameters for document exclusion. It is imperative, however, that the company does not appear to be hiding behind the “great wall” of China’s data protection laws.
In the past, companies have been sanctioned in the U.S. for “wilfully refus[ing]” to turn over documents, despite their invoking the PRC data protection laws as the basis and citing clear threats from the Chinese regulators of imposing “personal consequences” if impermissible disclosures are made. Companies should therefore proactively inform the regulators of their legal risks under the PRC regime and the methodology that they will employ to identify the responsive data or any protectable information contained therein. These communications would assure the regulators that the company intends to cooperate and produce all relevant data to the extent possible.
Document preservation and collection
Document preservation and collection in China can present unforeseen challenges, particularly where the data may be in the form of hardcopy documents or in the possession of an employee who refuses to turn them over. Accordingly, timely access to and control of this data is critical, which requires an understanding of where the data is housed. The company should therefore consider issuing a document retention notice to suspend regularly scheduled document destruction practices and prohibit employees from destroying documents. At this stage, the company should also determine where the data is stored and whether it has access thereto. For example, for electronic data, does the company have access to the relevant servers, laptops, smart phones and other storage devices? Generally, this depends on whether the devices are owned by the company and whether the company has obtained the employee’s consent and reserved the right to monitor and collect the employee’s data through the employment contract and company policies such as the employee handbook. In the absence of these criteria, the employer is unlikely to be able to proceed with the monitoring, collection, use, or transfer of the data from employee-owned devices, unless the employee voluntarily produces the device for the company’s inspection.
Identification of protectable data
Once the data collection is complete, the company should conduct a thorough review to identify all responsive documents. U.S. and PRC counsel should be engaged to review and identify the subset of responsive documents which contains privileged or protectable data. When in doubt, particularly with respect to state secrets, where the consequences of unlawful disclosure can be severe and the regulations are opaque, obtaining a view from the relevant PRC governmental authorities would be ideal. Getting such a view from a government agency, however, particularly in writing, remains virtually impossible, so the MNC will need to take a view.
If the MNC will withhold certain materials, a recent settlement between the Securities and Exchange Commission (SEC) and four major accounting firms provides useful guidance. The SEC order stated that it would take further enforcement action if its document requests are not met with “a materially complete production and/or an adequate privilege log, withholding log, initial declaration, and/or certification of completeness.”
With respect to the employees’ personal information, PRC law requires employers to protect the confidentiality of the employees’ personal data, and guidelines suggest protecting all sensitive personal data of individuals. The Chinese entity should confirm that it has obtained written consent to its data protection policy, which should cover the transfer of personal data for business purposes outside the employing entity. Nonetheless, companies should consider anonymizing or redacting sensitive personal information such as addresses, identification card numbers and bank account information, to ensure compliance with PRC privacy laws, particularly where such data is not relevant.
The MNC should prepare a detailed log of the review procedures performed on those documents which will be withheld from production, as well as the legal bases for their exclusion. Furthermore, the MNC is advised to communicate the rationale for data exclusion or redaction to the regulators in order to dispel any suspicion that the company might be delaying or resisting the regulators’ request.
As cross-border regulatory investigations increase, MNCs will need to keep abreast of the myriad related requirements that are embodied in various sector-specific laws in order not to run afoul of the PRC’s patchwork data protection regime in responding to U.S. regulatory investigations.
K. Lesli Ligorner and Dora W. Wang Simmons & Simmons, Shanghai
Chinese data protection and state secrecy laws are notoriously stringent and forbid many types of information from being transferred across national borders. Over the years, China has passed a series of statutes and policies to safeguard secrets belonging to the state, provincial or local governments and state-owned enterprises (SOEs). For example, the revised PRC Law on the Protection of State Secrets (State Secrets Law) restricts the export of electronic data and the use of computers and internet. Transferring data to another jurisdiction before it has been reviewed and cleared of sensitive information can be a violation and put the company at risk of receiving administrative and criminal sanctions.
The State Secrets Law is as vague as it is broad, which complicates the issue of data transfer and analysis. Transferring certain data could be deemed a violation, even if similar instances have previously been allowed. But there are ways to ensure compliance without incurring excessive costs. Depending on the nature of the investigation and the volume and type of data required, there are a few principles to keep in mind.
To avoid the risk and red-tape associated with removing data from the country, it is advisable to consult with a technology partner with a local presence that has experts who not only understand the technical side of e-Discovery but are also familiar with the Chinese language, culture and jurisdiction. Beyond the State Secrets Law itself, there are a range of other pieces of legislation that can impede external transfer of data, such as those around accounting archives and obtaining permission from the subjects under investigation. Since these laws are open to interpretation, the safest option is to conduct all discovery locally in China and share only the results with U.S. courts.
If there are issues regarding the removal of data from the premises themselves, or processing in a local data centre is not possible, a mobile solution may be the answer. Over the past couple of years, mobile technology has become incredibly powerful, facilitating processing, filtering and analysis onsite. Mobile solutions can also be used in tandem with traditional processing by acting as cost-effective method of segregating and filtering out personal information, sensitive company data or privileged documents early on and prevent unwanted disclosure. When conducting e-Discovery in China, companies must review and clear any state secrecy concerns or redacting sensitive information prior to sharing it out of the country. This in turn reduces the risks and costs associated with over-collection by culling irrelevant data and focusing on what is relevant or responsive.
While choosing the most appropriate technology is a key aspect of carrying out an investigation, ensuring the legal technology partner has the right experts in place is just as important. The stakes are high when faced with short deadlines, ever-increasing data volumes and a complex legal environment.
A partner with expert legal and electronic evidence consultants, computer forensic professionals, case and document review managers, ensures timely and compliant data collection, analysis and review phases of an investigation.
An e-Discovery team will bring the added value of consultative advice. For example, if time is of the essence, an electronic evidence consultant may advise a client on the best way to use Technology Assisted Review (TAR) tools to automate and compliment the document review process reliably while reducing costs.
For full confidence that any misconduct is uncovered, it is important to examine both unstructured data (emails, chat logs and text messages) and structured data (financial, transactional and operational data).
Even if financial data appears to be legitimate or not a primary concern of the investigation, sophisticated structured data analytics techniques can often uncover wrongdoing that has been hiding in plain sight. Specialists are able to analyze and help visualize large and often disparate sets of structured data to provide intelligence.
Choosing a legal technology consultancy that offers both these services reduces the need for data transfers and therefore lessens the risk of breaching privacy laws.
Finally, dealing with an investigation, particularly in a highly-regulated environment like China, can be an overwhelming and stressful time for any company. Agreeing a schedule of communications at the outset with the e-Discovery provider and staying informed without being bombarded with information will go a long way to keeping calm throughout the process.
Business in China is not without its obstacles, but companies can develop a strategy alongside their local counsel, U.S. counsel and legal technology consultant to minimize their risk. While certain circumstances can make it impossible to transfer any data out of China, firms will at least be able to show the U.S. courts that they have taken sensible steps to try and provide requested information, all while ensuring no Chinese laws were violated.
Kate Chan Kroll Ontrack, Hong Kong