Cross-border transfer of evidence in litigation or arbitration proceedings is no longer an easy process in today’s world, with countries frequently at odds with each other over data security regulations. This was unexpected a decade ago.

Mainland China was relatively slow to adopt data laws but the pace of legislation has gained substantial momentum in recent years In rather quick succession it introduced the Cybersecurity Law in 2017, followed by the Data Security Law (DSL) and Personal Information Protection Law (PIPL) in 2021 (altogether the PRC Data Laws) At the level of administrative regulations and departmental rules, there are the Measures for the Security Assessment of Outbound Data Transfer (Assessment Measures), introduced by the Cyberspace Administration of China (CAC) in September 2022; the Measures on the Standard Contract for Cross-border Transfers of Personal Information; as well as multiple consultation drafts –such as the Provisions on Regulating and Promoting Cross-border Data Transfers (Draft on Easing Data Transfer). The consultation drafts – though not yet in effect – serve as benchmark reference for Chinese regulators in scrutinising cross-border data transfer activities Alongside prevailing laws, regulations and departmental rules, they form the legal framework for cross-border data transfers and security in Mainland China.

In litigation or arbitration, evidence is often viewed as “data” – and consequently wrapped up in this tug-ofwar. This Legal Update reviews cross-border commercial dispute resolution scenarios, delving into compliance obligations, practice developments and compliance insights regarding the transfer of evidence from Mainland China.

Compliance Obligations

The PRC Data Laws define “data” quite broadly to include any record of information in electronic or other forms [1]. Similarly, personal information refers to all kinds of information related to identified or identifiable natural persons recorded electronically or by other means, but excluding data that is anonymized [2].

Regarding overseas judicial activities, Article 36 of the DSL and Article 41 of the PIPL stipulate that data or personal information stored within the territory of Mainland China shall not be provided to foreign judicial or law enforcement agencies without approval from the competent authorities.

The Assessment Measures, however, provided a clearer pathway for the outbound transfer of data by outlining in Article 4 the following circumstances where a security assessment and approval are required:

1. where an operator of a critical information infrastructure or a data controller who has processed personal information of over one million people provides personal information abroad;

2. where a data controller provides Important Data (see discussions below) abroad;

3. where a data controller who has provided abroad the personal information of over 100,000 people or the sensitive personal information of over 10,000 people cumulatively since January 1 of the previous year provides personal information abroad; and

4. any other circumstance determined by the CAC.

Put simply, for overseas judicial or law enforcement activities, certain data or personal information stored in Mainland China can only be transferred overseas after undergoing a data security assessment and obtaining approval from competent authorities.

Practice Developments

Data Types Requiring Prior Approval before Outbound Transfer

Article 36 of the DSL and Article 41 of the PIPL do not set any qualifications on the types of “data” or “personal information” that require approval for outbound transfer. This has led to the interpretation by some practitioners that all data and personal information stored in Mainland China, regardless of its nature and quantity, cannot be provided for overseas judicial proceedings without prior approval, and that this would apply even to trivial information such as an email or a photograph.

Meanwhile, it was reported that the Ministry of Justice of Mainland China (“MOJ”) previously indicated that, in principle, evidence not involving “Important Data” –and not falling under circumstances set out in the above-mentioned subparagraphs (2) to (3) of Article 4 of the Assessment Measures – could be transferred overseas directly without approval. However, the absence of legal documents confirming this exemption creates a compliance risk.

The approval requirement is clear for the outbound transfer of Important Data and personal information caught by subparagraphs (2) to (3) of Article 4 of the Assessment Measures However, defining “Important Data” poses difficulties due to the breadth of its definition [3] Article 2 of the Draft on Easing Data Transfer now provides that data that has not been notified or published as Important Data by the competent authorities does not require security assessment, suggesting that applicants can presume they do not process Important Data unless notified otherwise.

Restrictions have also been imposed on the export of certain specific types of data, mainly relating to state secrets, healthcare data, surveying and mapping results, and information on human genetic resources [4]. These would require special approval from the relevant competent authorities before they can be transferred overseas [5].

Scope of “Foreign Judicial or Law Enforcement Agencies”

Courts, law enforcement agencies and securities authorities outside Mainland China are generally considered as falling within the scope of “foreign judicial authorities or law enforcement agencies”. Opinions differ in practice on whether international arbitration institutions and arbitral tribunals are included.

Some argue that arbitral institutions, such as the HKIAC, SIAC and LCIA, are all independent and nonadministrative bodies They are established as limited liability companies under the laws of their respective jurisdictions and shall therefore not be subject to Article 36 of the DSL and Article 41 of the PIPL

However, there are conflicting views among relevant governmental departments on this issue In a recent arbitration case handled by Mayer Brown, the MOJ considered the arbitral tribunal a “foreign judicial body” – and therefore required approval for the disclosure of Important Data to it.

Quite separately, from a jurisdictional perspective, Hong Kong SAR, Macao SAR and Taiwan Region should all be considered “foreign” territories for the purpose of Article 36 of the DSL and Article 41 of the PIPL [6].

Competent Authority, Process and Timeframe for Approval

The competent authorities that are supposed to process the approval application for cross- border data transfer relating to overseas judicial requests are not specified in the DSL and PIPL, while Articles 5 and 6 of the DSL suggest multiple competing responsibilities of governments at central and local levels, authorities of various industries and functions over data security supervisions. This inevitably presents challenges for applicants.

The lack of established protocols, inconsistent instructions and the passing of responsibilities between relevant authorities create further confusion and delays in the application process

Reviewing one of our recent cases, the application process can be briefly divided into the following steps [7]:

1. First, the applicant submits a written application to the MOJ with supporting materials.

2. Subsequently, the MOJ, in conjunction with the Supreme People's Court and the competent cyberspace administration, will review the submitted evidentiary materials. There is no definite timeline for the review, but this may take months depending on the significance and complexity of the case.

3. Upon approval, the MOJ will issue. a letter of approval to the applicant.

4. The applicant can then transfer the evidence across the border in accordance with the letter of approval

Compliance Insights

Early Assessment and Planning

In the initial stages of the proceedings, Chinese parties should start to determine the scope and nature of their evidence, and understand the applicable laws and regulations, the competent authorities, application procedures and timeframes involved. This enables a good evaluation of the compliance risk – and the adoption of appropriate compliance strategies to avoid data risks that may arise from the resolution of crossborder disputes.

Parties not based in Mainland China and involved in disputes that may necessitate the cross-border transfer of evidence, should keep an eye on developments in relation to PRC Data Laws, seek legal advice and deploy countermeasures, taking into account the overall strategy of the case.

Effective Communication to Enhance Procedure Predictability

As mentioned above, if parties are unsure whether approval is required for the outbound transfer of evidentiary material, the nature of the data involved (e.g., whether it is “Important Data”), or the nature of the arbitral tribunal, they should actively communicate with the MOJ and the competent authorities of their industries for guidance They should promptly relay the same to their lawyers, judicial and law enforcement agencies and counterparties.

For international arbitrations, given the principle of party autonomy, parties can negotiate necessary alternative measures for the discovery stage. The arbitral tribunal can also adjust the provisional timetable with reference to the procedures and timeframe required for the cross-border evidence transfer, to allow sufficient time and enhance procedure predictability.

Avoiding Extremes

Chinese parties should not disregard compliance obligations on outbound data transfers and directly submit evidence to foreign judicial bodies or law enforcement agencies If the evidence involves Important Data or a large amount of personal information, a violation of the PRC Data Laws can have serious consequences [8].

On the other hand, before consulting the MOJ and relevant authorities – or submitting an application – it is essential to first narrow down the scope of the evidence. Submitting all evidentiary materials without careful consideration can result in ineffective communication, application refusal, and delays in the review process It may be wise to involve legal advisors at an early stage to conduct an initial assessment of the documents.

Proper Management of Potential Adverse Effects from Inability to Provide Evidence

If it is indeed impossible to submit important evidence due to compliance obligations on crossborder data transfers, parties and their legal teams should proactively take measures to properly manage the potential adverse impact. This may include always adhering to good faith principles, demonstrating due diligence, and actively discussing and proposing alternative measures to minimise the adverse impact.

About Mayer Brown

Mayer Brown is a leading international law firm positioned to represent the world’s major corporations, funds and financial institutions in their most important and complex transactions and disputes. We are committed to delivering excellence in everything we do by:

• Delivering the best legal advice and service

• Leveraging our deep commercial instincts to serve as our clients’ strategic partners and trusted advisors

• Building diverse teams of lawyers from our marketleading practices to help achieve our clients’ goals

• Solving our clients’ most complex problems with creative and innovative ideas

• Collaborating across offices to deliver the best of our knowledge, wherever in the world it’s needed

• Using technology to develop new ways to deliver timely and efficient client service

Please visit mayerbrown.com for comprehensive contact information for all our offices.

Tom Fu

Partner

Raymond Yang

Partner

Evan Zhou

Registered Foreign Lawyer (The People’s Republic of China)

--

1 See Art.3, DSL.

2 See Art.4, PIPL.

3 According to Art, 21 of the DSL and Article 19 of the Assessment Measures, “Important Data” mainly refers to data that, if leaked, may directly affect or endanger national security, economic security, social stability, public health and safety.

4 This is reflected to in subparagraph (4) of Article 4 of the Assessment Measures.

5 See Art.30, Law of the People’s Republic of China on Guarding State Secrets, Art.30, Measures on the Standards, Safety and Service of National Healthcare Big Data (Trial Implementation), Art.34, Surveying and Mapping Law of the People’s Republic of China, and Art.57, Biosecurity Law of the People’s Republic of China.

6 This is evidenced in Art. 89 of Mainland China’s Exit and Entry Administration Law, Art. 13 of the Network Data Security Management Regulations (Consultation Draft) and Art.549 of the Interpretations on the Civil Procedural Law of the People’s Republic of China, effective on 10 April 2022.

7 This application was made in around the fall of 2022. It is unclear if the same process applies to subsequent applications.

8 See, for example, Art.48(2) of the DSL.