Cross-border investigations and litigation are not a new business for U.S. legal teams, and they have never been easy, especially in countries with stringent data privacy rules. China’s new Cybersecurity Law (CSL), which became effective on June 1, 2017, is particularly tricky for U.S. legal teams involved in matters with companies in mainland China, and also raises complex questions around Taiwan and Hong Kong, as Chinese companies move their data operations to these countries in an attempt to avoid the PRC’s strict data privacy laws. Will there be ramifications for those companies and/or foreign entities, including law firms, transferring data related to litigation and investigations outside of those countries? The answer is not clear, but with the support of eDiscovery experts experienced in Asian cross-border issues, you can take to steer clear of potential issues.
China’s New Cybersecurity Law
First, background on China’s new Cybersecurity Law and the revised draft measures on data protection and security became effective on June 1, 2017. In addition to focusing on cybersecurity, the law also details how companies are to handle personal information and data.
The new law, together with the Measure for Security Assessment of Personal Information and important Data Leaving the Country, issued by the Cyberspace Administration of China (CAC), the primary governmental authority supervising and enforcing the CSL, expands localization requirements for all “network operators” and Critical Information Infrastructure (CII) providers, whose systems are used to support key businesses in important industry segments.
Four points on the scope of the new law:
Many global organizations found the text of the new cybersecurity regulations somewhat vague, for example, the definition of ‘Important Data’ – transfer of which might hurt national security or public interests. Details on how the new rules should be interpreted and how they will be enforced are still unclear.
Data Localization and eDiscovery
To allay early concerns from the global business community about the law’s stringent requirements and unclear implementation plan, the CAC modified the language of certain parts of the Law and delayed implementation of cross-border data localization provisions until the end of 2018. When uncertain legal or regulatory climates affect data privacy, security, hosting or cross-border data transfers, these pointers have helped legal teams, along with their eDiscovery providers, adapt to changes in regional data and security laws:
Not unlike the EU effort with GDPR, or recent cybersecurity regulations in New York, the data protection and security motivations behind the new cybersecurity laws in China have merit. But as is the case with most complex regulatory changes, the industry is in a transition period, waiting for clarity on some of the definitions and requirements needed for practical implementation. Watch our blog for future updates on the evolving cybersecurity law in China, as new directives or updates become available.