Chinese Data Security, Data Protection, and Cybersecurity Law: A Recent Enforcement Action Resulting in Large Fines Highlight Risks
Electronic discovery for US litigation and legal proceedings often implicates data outside the US. As data privacy and protection laws evolved around the globe, it’s critical to understand the limitations obstacles that may arise when collecting, processing, reviewing, and producing such data. China’s Data Security Law (“DSL”) and Personal Information Protection Law (“PIPL”), both enacted in 2021, have received heightened attention following China’s imposition of fines totaling roughly $1.2 billion in light of violations of these laws and its Cybersecurity Law (“CSL,” enacted in 2017) by Didi, China’s largest ride-sharing service provider. China’s DSL and PIPL are particularly noteworthy of their potential application to data processing and transfer actions that may occur both during the ordinary course of business and in response to litigation in other jurisdictions, such as the United States.
The DSL and PIPL have different (but, in some instances, overlapping) scopes, so organizations with Chinese operations should consider which data and data processing activities are relevant to each (or both) laws. The DSL focuses primarily on “important data,” which includes information that could jeopardize China’s national security, economic develop, and/or public interests if destroyed or illegally obtained, used, or distributed. In contrast, the PIPL focuses on personal information of individuals.
Also, different organizations operating in China bear different responsibilities under these laws. For instance, these laws apply more stringent requirements on organizations that handle large amounts of personal information or that manage “critical information infrastructure,” such as network operations and information systems in industries (including energy, transportation, utilities, finance, government affairs, public communications, and defense) that, if impaired, would seriously endanger national security, the national economy, individuals’ livelihoods, or the public interest.
As indicated by the fines assessed against Didi, the potential sanctions for violations of DSL and PIPL are severe. Accordingly, companies operating in China should assess their obligations and compliance efforts with these laws, including in the context of their litigation planning and discovery response efforts.