近日,香港英文季刊Asian Dispute Review(ADR,《亚洲争议评论》)2023年第四季度刊Arbitration(仲裁)专栏刊载了国浩执行合伙人车捷,国浩南京合伙人付鑫撰写的英文论文《国际仲裁中的数据出境——以中国法为视角》。本文由作者结合其办理国际仲裁案件的相关经验撰写,主要探讨了中方当事人参与国际仲裁时可能面临的数据出境难题。今日与大家分享全文如下:
Recently, the Arbitration Column of the October 2023 Issue of Asian Dispute Review published an English paper contributed by Jie Che (Executive Partner of Grandall) and Xin Fu (partner of Grandall Nanjing Office), entitled “Cross-Border Data Transfer in International Arbitration from a PRC Law Perspective”. This paper discusses some of the challenges which Chinese parties may face when transferring data across borders in an international arbitration context, and we share the full text as follows:
Cross-Border Data Transfer in International Arbitration from a PRC Law Perspective
Abstract: This article examines the challenges Chinese parties may face when transferring cross-border data during international arbitration. It first analyzes the restrictions and gaps in PRC law on Cross-Border Data Transfer ("CBDT") by reviewing legislation such as the Cyber Security Law, Data Security Law, and Personal Information Protection Law. Next, it explores the treatment of CBDT issues under PRC law by arbitral tribunals in the context of the IBA Rules on the Taking of Evidence in International Arbitration ("IBA Rules"). Finally, it provides specific recommendations for Chinese parties involved in CBDT in international arbitration.
As global economic integration deepens and international trade and cross-border investment expand rapidly, the swift development of global commercial arbitration and litigation is inevitable. In commercial arbitration and litigation, evidence plays a crucial role and directly affects the case outcome. With the increasing digitalization of industries, electronic evidence has become a vital form of evidence, with data taking on an increasingly important role in cross-border dispute resolution. Since the EU GDPR came into force on May 25, 2018, CBDT has emerged as a pressing issue in international commercial arbitration. The International Bar Association adopted a new version of the IBA Rules on December 17, 2020, which updates Article 2 to state that the arbitral tribunal may address the "treatment of any issues of cybersecurity and data protection" early on concerning evidentiary matters. This addition highlights the focus on technological developments in international arbitration, including compliance with applicable data protection laws (e.g., GDPR) and ensuring the security of teleconferences. Exploring and addressing how to adequately protect data security and cybersecurity in arbitration proceedings, comply with relevant laws while meeting disclosure requirements, and improve CBDT efficiency is essential. This article discusses the current legal requirements and practical measures relating to CBDT from the perspective of PRC law.
A. Potential PRC law restrictions and gaps
Before the introduction of the Cyber Security Law, the Data Security Law and the Personal Information Protection Law, China's restrictions on CBDT primarily involved several legal provisions prohibiting the transfer of specific categories of data. For example, Article 26 of the Law on the Guarding State Secrets prohibits the illegal copying, recording, and storage of state secrets; prohibits the transmission of state secrets on the Internet and other public information networks or in wired and Wireless communication; prohibiting the transmission of state secrets in private interactions and communications; and, for example, Article 7 of the Regulations on Human Genetic Resources provides that foreign organizations, individuals and institutions established or actually controlled by them shall not collect or preserve China's human genetic resources within China's territory, and nor shall they provide China's human genetic resources out of the country.
The Cyber Security Law took effect on June 1, 2017, requiring operators of critical information infrastructures to localize personal information and important data collected and generated by their domestic operations. If such data needs to be provided outside of the country, it is subject to a security assessment. This assessment requirement was not formally implemented until the implementation of the Security Assessment Measures for Outbound Data Transfers, and the assessment subjects were expanded based on the Cyber Security Law, no longer limited to the original "operators of critical information infrastructures."
Article 36 of the Data Security Law, effective September 1, 2021, specifies that organizations and individuals in the PRC territory need competent authorities' approval before providing data stored in the PRC territory to foreign judicial or law enforcement agencies. Similarly, Article 41 of the Personal Information Protection Law, effective November 1, 2021, states that personal information handlers shall not provide personal information stored in the territory of the PRC to foreign judicial or law enforcement agencies without the approval of the competent authorities of the PRC.
Therefore, Chinese parties involved in international arbitration must adhere to additional regulations and process requirements to ensure the legality of CBDT. On June 24, 2022, the Ministry of Justice published the FAQs on Judicial Assistance in International Civil and Commercial Matters[1] on its official website. Article 9 states that, according to the Data Security Law and the Personal Information Protection Law, if data needs to be provided outside of the PRC, it must pass a security assessment and certification organized by the Cyberspace Administration of China before being submitted outside of China. In cases involving international judicial assistance, organizations and individuals within the PRC territory shall not provide data or personal information stored within the PRC territory to foreign judicial or law enforcement agencies without the approval of the competent authorities of the PRC. However, it is not clear whether this provision can be directly applied to international arbitration. It is understood that, in practice, there have been some Chinese parties to overseas litigation cases who have decided on CBDT matters by applying to the Judicial Assistance Exchange Center of the Ministry of Justice and having the Ministry of Justice organized the joint approval of the Cyberspace Administration department and the court.
Currently, there are no clear written rules[2] for CBDT in international arbitration scenarios, which creates uncertainty regarding the compliance requirements that may be triggered by the disclosure of evidence to the arbitration institution, such as HKIAC or other foreign arbitration institutions like SIAC, the arbitral tribunal, and the counterparty. This is compounded by the fact that there are many regulatory authorities for CBDT matters, and the regulatory standards of different bodies have not been fully agreed upon. As a result, Chinese enterprises face challenges in submitting CBDT applications, and even if the same government department has responded differently to the issue of CBDT in international arbitration, it can lead to confusion for Chinese parties. The opaqueness of the regulations may even be used to circumvent the obligation to disclose evidence in arbitration proceedings.
B. Arbitral Tribunal's Treatment of CBDT Issues Involving PRC Law
In certain international litigation cases, foreign courts have addressed the CBDT obligations of Chinese parties under the Data Security Law and the Personal Information Protection Law. For instance, in CADENCE v. SYNTRONIC[3], the U.S. District Court denied a motion for rehearing by the defendant, Syntonic Beijing, a wholly owned subsidiary of a Swedish company in China, against the court's previous request for discovery in favor of the plaintiff. The court ultimately upheld the original discovery order, finding that China's Personal Information Protection Law did not prevent the defendant from fulfilling its discovery obligations under the U.S. Code of Civil Procedure. The court required the defendant to provide 24 computers under its control for the plaintiff's inspection in the United States by July 15, 2022.
Disputes regarding the disclosure of evidence related to CBDT are becoming increasingly common in international arbitration. There are relatively few disputes in practice for data that is restricted by law from leaving the country, such as state secrets and human genetic resources. Qualified professionals can provide legal opinions or supporting materials to prove that the data belongs to a specific category and cannot be disclosed under the law, with limited obstacles to fulfilling their disclosure obligations. However, new regulations such as the Cyber Security Law, the Data Security Law, and the Personal Information Protection Law have raised new issues in CBDT, such as which situations require approval from competent domestic authorities and if additional compliance actions are required.
An article argues that the provisions of the Data Security Law and the Personal Information Protection Law on cross-border forensics do not juxtapose the requirement for a CBDT security assessment. Contextually, approval by the competent authorities of the People's Republic of China has the effect of a proxy for a CBDT security assessment[4]. If this view is confirmed by the competent authorities, the Chinese party that obtains the approval will not need to conduct additional compliance actions, such as conducting a CBDT security assessment or entering into a standard contract for personal information data transfer with the relevant overseas recipient.
If the Chinese party raises potential legal obstacles to its discovery obligations, the arbitral tribunal may rely on Article 9 of the IBA Rules to exclude the disclosure of the relevant evidence. The tribunal must consider the performance of the potential statutory obligations of the Chinese party, the specific circumstances of the CBDT, the efficiency of the arbitration, and the fairness of the relevant decision, and take corresponding measures, such as drawing adverse inferences against the relevant party or allocating costs, to prevent arbitration participants from only arguing for disclosure when it is in their favor. The tribunal may also order the parties to take protective measures, such as enhanced network security and data encryption, and operations such as de-identification or anonymization of the relevant data.
C. Recommendations for Chinese Parties to Address Potential Obstacles to CBDT
As mentioned earlier, Chinese parties face potential legal obstacles in arbitration cases involving CBDT. To address these potential obstacles, Chinese parties can take the following measures:
First, early planning and preparation: Chinese parties should consider their plans for CBDT at an early stage of the arbitration proceedings, before the procedural schedule is set. Approval for data transfer in overseas litigation scenarios can take anywhere from one to four months, so early planning is crucial. The party should also comply with relevant laws and regulations if the data to be transferred belongs to specific categories such as important data or personal information (including sensitive personal information). If personal information is involved, separate consent should be obtained from the relevant data subjects.
Second, monitoring changes in laws and regulations: in the process of CBDT, parties must be aware of changes and developments in laws and regulations regarding CBDT and maintain communication with regulatory authorities to determine the necessary compliance obligations. If it is determined that there is no need to report to the Ministry of Justice for approval under Article 36 of the Data Security Law and Article 41 of the Personal Information Protection Law, compliance measures such as CBDT security assessment, signing a standard contract for personal information CBDT with the relevant overseas recipient or conducting security certification for personal information cross-border processing activities will be selected promptly depending on their specific situation. According to practical experience, such compliance measures sometimes also require the cooperation of international arbitration parties (such as signing standard contracts, etc.), and these factors should be taken into consideration when designing a CBDT plan.
Finally, strengthening data management control and supervision: to address the CBDT issue, the parties can strengthen the control and supervision of data management in various ways to ensure the security and confidentiality of the data. For example, parties can seek assistance from third-party professional organizations such as data processing organizations to help process and maintain the data, which can provide additional assurance and credibility. A clear data processing agreement can also be formulated for data involving the proposed CBDT, specifying the control requirements and security supervision measures. Technical measures such as encryption technology and cloud storage technology can also be considered to ensure the safety and reliability of the data.
D. Conclusion
The issue of CBDT in international arbitration is currently a challenging issue. To ensure the procedural fairness of arbitration and comply with applicable data protection laws, Chinese parties should plan early, assess potential risks, communicate with competent authorities promptly, and determine a CBDT strategy to avoid potential data risks. By taking these measures, Chinese parties can effectively address potential obstacles to CBDT and ensure the smooth conduct of arbitration proceedings.
Notes and References
(本文原载于《亚洲争议评论》)2023年第四季度刊,点击文末“阅读原文”查阅电子版刊物。)
作者简介
Author's Profile
车捷 Jie Che
国浩执行合伙人 Executive Partner of Grandall
曾任第十三届全国人大代表、全国律师协会网络与高新技术法律专业委员会主任,现为全国律协反垄断与反不正当竞争专业委员会主任,国浩执行合伙人。主要从事商事争议解决、涉外诉讼等法律服务领域。
邮箱:chejie@grandall.com.cn
付鑫 Xin Fu
国浩南京合伙人partner of Grandall Nanjing Office
江苏省工商联法律顾问、江苏省网络安全协会法律专家、江苏省司法厅立法专业团队成员,入选首届司法部涉外律师高级研修班、江苏省涉外律师人才库。主要从事商事争议解决、公司治理及数据合规等法律服务领域。
邮箱:fuxin@grandall.com.cn
【 特别声明:本篇文章所阐述和说明的观点仅代表作者本人意见,仅供参考和交流,不代表本所或其律师出具的任何形式之法律意见或建议。】
