Know Before You Go: Does What Happens in China (eDiscovery) Have to Stay in China?

Cross-border investigations and litigation are not a new business for U.S. legal teams, and they have never been easy, especially in countries with stringent data privacy rules. China’s new Cybersecurity Law (CSL), which became effective on June 1, 2017, is particularly tricky for U.S. legal teams involved in matters with companies in mainland China, and also raises complex questions around Taiwan and Hong Kong, as Chinese companies move their data operations to these countries in an attempt to avoid the PRC’s strict data privacy laws. Will there be ramifications for those companies and/or foreign entities, including law firms, transferring data related to litigation and investigations outside of those countries? The answer is not clear, but with the support of eDiscovery experts experienced in Asian cross-border issues, you can take to steer clear of potential issues.

China’s New Cybersecurity Law

First, background on China’s new Cybersecurity Law and the revised draft measures on data protection and security became effective on June 1, 2017. In addition to focusing on cybersecurity, the law also details how companies are to handle personal information and data.

The new law, together with the Measure for Security Assessment of Personal Information and important Data Leaving the Country, issued by the Cyberspace Administration of China (CAC), the primary governmental authority supervising and enforcing the CSL, expands localization requirements for all “network operators” and Critical Information Infrastructure (CII) providers, whose systems are used to support key businesses in important industry segments.

Four points on the scope of the new law:

1. The Cybersecurity Law applies to all organizations and individuals;
2. It imposes significant security and privacy obligations on” network operators” and suppliers of “network products and services”;
3. The law controls the collection and processing of “personal information” and “important data” of Chinese citizens through “critical information infrastructure”. Local data must remain inside China unless there are business needs requiring the data to be exported outside of the country; and,
4. The law reinforces the obligations imposed on organizations and individuals to protect personal information and business secrets from unauthorized access and disclosure.

Many global organizations found the text of the new cybersecurity regulations somewhat vague, for example, the definition of ‘Important Data’ – transfer of which might hurt national security or public interests. Details on how the new rules should be interpreted and how they will be enforced are still unclear.

Data Localization and eDiscovery

To allay early concerns from the global business community about the law’s stringent requirements and unclear implementation plan, the CAC modified the language of certain parts of the Law and delayed implementation of cross-border data localization provisions until the end of 2018. When uncertain legal or regulatory climates affect data privacy, security, hosting or cross-border data transfers, these pointers have helped legal teams, along with their eDiscovery providers, adapt to changes in regional data and security laws:

• Know the local laws and authorities. A familiarity with the regulatory environment and the governing bodies helps us anticipate change. Follow the issuance of new laws and regulations, study them in detail, and consult legal counsel should questions arise.
• Although businesses have until the end of 2018 to comply with data localization requirements, it is recommended that companies consult with legal counsel and proactively take steps to understand and comply with the law prior to the 2018 deadline.
• Until localization rules are clarified, keep data local whenever possible, to avoid the potential need for a security assessment. Corporations and law firms can accomplish this by enlisting the assistance of an established provider with experienced professionals to collect, process and host eDiscovery case data within the country.
• When you know that a cross-border case will involve Asian language data, talk with a local technology and service provider with extensive and current expertise in Asian language eDiscovery. They can help identify and address the unique challenges of processing, searching and review of documents in Chinese, Japanese, Korean or other Asian languages. For example, there are numerous historical email programs that have been used in Asia for years, including “Becky” email or “Thunderbird” that may have unusual file types common in legacy data but unrecognizable by western tools. Tools developed in Asia for this task will best handle these legacy data types, pictographic alphabet characters, tokenization (word recognition), and other unique challenges presented by Asian languages.
• Assemble a strong cross-border team. Local counsel, business experts and a global eDiscovery provider with local project managers and review resources can help bridge cultural and technical gaps. Keep translation to a minimum, as native language review often achieves better results in less time than large-scale translation of documents.

Not unlike the EU effort with GDPR, or recent cybersecurity regulations in New York, the data protection and security motivations behind the new cybersecurity laws in China have merit. But as is the case with most complex regulatory changes, the industry is in a transition period, waiting for clarity on some of the definitions and requirements needed for practical implementation. Watch our blog for future updates on the evolving cybersecurity law in China, as new directives or updates become available.