What Does China’s New-Ish Data Security Law Mean For You?

Though it’s been about one year since China enacted its new Data Security Law in September 2021, we are only just beginning to understand its impact on U.S. discovery. Some open questions remain (such as how China will enforce and implement the law and what penalties will be imposed when the law is not followed), but below is a brief primer on what we know so far:

What is the Data Security Law?

The Law is one of several data security laws in China. Preexisting laws include the Cybersecurity Law of 2017, the Guarding State Secrets Law revised in 2010, and the Personal Information Protection Law enacted in 2021. All of these laws have intertwined provisions that govern data security in China.

What Does the Data Security Law Say Relevant to U.S. Discovery?

Most agree the key text is Article 36:

“Article 36: The competent authorities of the PRC are to handle foreign justice or law enforcement institution requests for the provision of data, according to relevant laws and treaties or agreements concluded or participated in by the PRC, or in accordance with the principle of equality and reciprocity. Domestic organizations and individuals must not provide data stored within the mainland territory of the PRC to the justice or law enforcement institutions of foreign countries without the approval of the competent authorities of the PRC.”

This is a big change. Previously, subject to state secrecy and data privacy screening by qualified Chinese lawyers, multinational companies in China were able to respond to subpoenas and requests for information directly. This is no longer the case; if a company wants to comply with U.S. discovery or information requests, it must obtain approval of the Chinese authorities. Overall, this means that the process of getting information from China will likely be more onerous and expensive.

What Does This Mean For U.S. Litigation?

The U.S. litigation issues arising from China’s Data Security Law have not been extensively litigated, by any means. But at least one Federal Court in California relied on the Data Security Law, in part, to block requested discovery. In Juul Labs, Inc. v. Chou (C.D. Cal. 2022), the Court denied a party’s request for electronic discovery in China, concluding that although the “[DSL] issue is not dispositive, along with the other factors cited by Defendants, it demonstrates the burden of the proposed discovery.”

Though we anticipate China will promulgate more regulations relating to its Data Security Law, the timeline on when that will happen is unclear. At the end of the day, parties should reasonably anticipate that Chinese litigants in U.S. cases may raise the issue of the Data Security Law to avoid their discovery obligations, and they should be mindful of how that may impact their overall case.