The past decade has witnessed a significant growth of international trade and investments between China and the United States. As a result, it is becoming increasingly common that litigation or arbitration involves a Chinese party or a party owned or controlled by a Chinese person or entity. Meanwhile, data privacy related legislation has been increasingly active in China. With such two trends, counsels are encountering more challenges and complexity in the discovery proceedings, particularly with respect to the document production by custodians located in China.
U.S. Discovery Requirements
Pursuant to rule 26(b) of Federal Rules of Civil Procedure (FRCP),
[p]arties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense and proportional to the needs of the case, considering the importance of the issues at stake in the action, the amount in controversy, the parties’ relative access to relevant information, the parties’ resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit.
Pursuant to New York’s Civil Practice Law and Rules (CPLR) section 3101(a), “[t]here shall be full disclosure of all matter material and necessary in the prosecution or defense of an action.” The scope of discovery is typically interpreted broadly, and usually includes any responsive communications via email, text message, and as more and more frequently seen in litigations involving Chinese parties, WeChat.
PRC Legal Restrictions on Data Transfer
When Chinese parties are involved in civil litigations in the United States and evidence found within the territory of China is to be exported for the litigation purpose, the following People’s Republic of China (PRC) legal restrictions must be taken into consideration.
The scope of “judicial assistance” and procedures to be followed. Pursuant to article 277 of the Civil Procedure Law of the PRC, “the request for the providing of judicial assistance shall be effected through channels provided in the international treaties concluded or acceded to by the People’s Republic of China; in the absence of such treaties, they shall be effected through diplomatic channels”; further, “no foreign organization or individual may, without the consent of the competent authorities of the People’s Republic of China, serve documents or make investigations and collect evidence within the territory of the People’s Republic of China.” Therefore, the evidence collection within China shall not be conducted by any foreign entities or foreign individuals. Otherwise, the foreign entities or individuals should apply to the Department of Justice of the PRC for approval in advance. As a result, if any custodian of the parties to a litigation is located in China, it is advisable that the U.S. counsel coordinate with a PRC domestic entity in the evidence collection.
Even if the evidence collection is conducted by a PRC domestic entity, certain restrictions on data export under the PRC law should still be taken into consideration.
General prohibition on export of personal information by operators of critical information infrastructure. The Cybersecurity Law (CSL) of the PRC became effective on July 1, 2017. Article 37 of the CSL provides that citizens’ personal information and important data collected and generated by the operators of Critical Information Infrastructure (CII) within the territory of the PRC shall be stored within the territory. Where it is necessary to export such information and data due to business needs, security assessment shall be carried out. However, it is unclear what “security assessment” and “business needs” constitute.
Article 31 of the CSL may shed some light on the meaning of CII as it states,
the State shall carry out strengthened protection of the key industries and fields, such as public communication and information service, energy, transportation, water conversancy, finance, public services and e-government affairs, and the critical information infrastructures that may endanger national security, people’s livelihood and public interest in case of damage, function loss or data leakage on the basis of multi-level protection system for network security.
However, the specific scope of CII is not clear yet.
This year, the Ministry of Public Security (MPS) released the Guidance on Implementing the Cybersecurity Multi-level Protection System and Critical Information Infrastructure Security Protection System (2020 CII Guidanc”). According to 2020 CII Guidance, competent departments in important industries and fields such as public communication and information services, energy, transportation, water conversancy, finance, public services, e-government, and defense technology industry shall formulate the identification of CII in their industries and fields in accordance with the identification rules, and timely notify the relevant facility operators of the identification results and report to the MPS.
Consent by data subject for exporting personal information. Personal information is broadly defined under PRC law. Email address, phone number, home address, and name are all personal information.
Paragraph 1 of article 41 of the CSL provides that,
when collecting or using the personal information, network operators shall comply with the principles of lawfulness, appropriateness and necessity, publicize the rules for collection and use, clearly indicate the purposes, methods and scope of the information collection and use, and obtain the consent of those from whom the information is collected.
The CSL imposes administrative penalties for activities breaching the consent requirement. The Civil Code of the PRC, effective January 1, 2021, also emphasizes the consent requirement.
Neither the CSL nor the Civil Code of the PRC explicitly provides that exporting personal information is subject to consent by data subjects. However, in practice, “use of personal information” under the CSL and “processing of personal information” under the civil code includes providing personal information to a third party and also transferring personal information overseas.
Certain types of information prohibited or restricted from being exported. Other than the restrictions listed above, the PRC law also prohibits or restricts certain types of information from exportation—for example, state secrets, personal financial information, population health information, mapping, and surveying data.
Potential requirements under the draft of personal information protection law. On October 21, 2020, the first draft of the Personal Information Protection Law of the PRC was released for public comments. According to the draft, companies are required to obtain consent from data subjects for exporting personal information and also to conduct risk assessments. Article 40 of the draft further provides that exporting personal information by non-operators of CII (CIIO) may also be subject to security assessment requirements if the entity that is not a CIIO processes personal information up to a threshold prescribed by the State Cyberspace Administration. However, the draft is silent about such a threshold. For companies which are not CIIOs and do not reach the threshold, they are required to obtain personal information protection certification by professional organizations or enter into a contract with the overseas recipient before exporting personal information.
Challenges and Tips
The sensitivity and the private nature of information may differ depending on its type. For example, with respect to the emails exchanged between work email address, the sender may not expect that only the recipient of such email will read the content since it is reasonable to expect that the recipient would forward such email to others for work purpose. Under such circumstances, the legal risk of exporting such information for litigation purposes without obtaining consent from the specific sender of the email is relatively remote. On the other hand, if the evidence collection involves other communications, for example WeChat record, it will normally be regarded as a record of correspondence which likely constitutes both personal information and privacy, thus subject to broader restriction.
To be more specific, WeChat is a multi-purpose messaging and social media app platform that is used by virtually everyone in China in their daily life. Over the past few years, people have been establishing a habit of discussing business matters via WeChat due to its popularity and convenience. Compared to emails, the production of WeChat messages is extremely controversial in the context of litigation due to the commingled use of WeChat for both personal and business purposes. WeChat record normally involves two or more people. Therefore, theoretically speaking, consent by all parties to such conversation is required for exporting the full content of WeChat record, while such consent may be difficult to be obtained.
As a result, Chinese parties may usually find themselves in a dilemma between complying with U.S. civil procedure rules regarding discovery obligations and complying with Chinese privacy laws, especially in the context of WeChat record. In the past few years, several cases have indicated that reckless and hasty refusal to produce responsive WeChat messages may not be advisable and is likely to lead to severe consequences, including court sanctions. For instance, in Brooks Sports, Inc. v. Anta (China) Co., Ltd. (2018 WL 7488924 (E.D. Va. 2018)), the defendant declined to produce certain responsive WeChat messages and failed to obey the production order, claiming that it could not demand consent from the custodians as that would violate Chinese privacy laws. The court imposed sanction against the defendant for the failure of obeying the production order, holding that although the court “will not delve into an analysis of the applicable Chinese law and will assume the custodians lawfully invoked their rights . . . Anta should not be able to conveniently use Chinese law to shield production of communications responsive to discovery requests . . . .”
In WeChat messages responsive to the claims, anonymization of certain parties’ identities or personal information may be an approach. When producing WeChat messages with redactions, counsels should carefully balance the cruciality of the redacted information and the likelihood that the redactions may be challenged by the opposing party.
Counsels may also consider seeking a protective order with respect to the redacted information. Pursuant to rule 26(b)(2)(B) of FRCP, “[a] party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost.” Pursuant to CPLR § 3103(a), a court may make a protective order “denying, limiting, conditioning or regulating the use of any disclosure device” to prevent “unreasonable annoyance, expense, embarrassment, disadvantage, or other prejudice to any person or the courts.” Counsels should be prepared to show that the undue burden and expenses of producing the redacted information outweigh its benefit.
Alex Hao is a partner and Eloise Liu is and associate at JunHe LLP in their New York, New York, office. Marissa Dong is a partner and Lena Yuan is an associate at JunHe LLP in their Beijing, China, office.
Copyright © 2021, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).