A federal magistrate judge in the Northern District of California recently rejected a Chinese company’s attempt to invoke China’s recent Personal Information Protection Law (“PIPL”) to limit discovery obligations in the United States. In Cadence Design Sys., Inc. v. Syntronic AB, No. 21-cv-03610-SI, United States Chief Magistrate Judge Joseph C. Spero refused to limit the PIPL’s legal obligations exception to Chinese laws and China-recognized orders. On June 24, 2022, the Court denied defendants’ motion for reconsideration of the Court’s earlier order compelling Defendant Syntronic (Beijing) Technology R&D Center Co., Ltd. (“Syntronic Beijing”) to produce computers in the possession and custody of defendants in China, for inspection in the United States. While on its face China’s PIPL would seemingly prohibit production of these China-stored computers into the United States without the consent of current and former individual employees (who have refused to consent), the Court ruled that its order in the case created a legal obligation sufficient to invoke the legal obligation exception under PIPL Article 13.
Last year China enacted two data privacy laws, which collectively created a new sweeping system dealing with data security and privacy. These two laws will undoubtedly have a significant impact on multinational companies whose operations relate to or touch China.
China’s Data Security Law (“DSL”), which was passed in June 2021 and went into effect on September 1, 2021, sets up a framework that classifies data collected and stored in China. The key focus of the DSL is the protection and security of critical data relating to national security and the public interest. The most significant element of the law is the data classification system whereby the government will classify different types of data based on its level of importance and then publish a protection standard for each class of data. Similar to recent data privacy laws in California and elsewhere in the United States, the DSL leaves a number of open items for further clarification by more detailed regulations, rules and notices.
China’s PIPL, which was passed in August 2021 and went into effect on November 1, 2021, is China’s first comprehensive legislation regulating the protection of personal information. The PIPL applies to “the activities of handling the personal information of natural persons within the borders of the People’s Republic of China.” And according to PIPL Article 3, the PIPL is intended to have extra-territorial reach. Personal Information is defined broadly under PIPL Article 4 as “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.” Additionally, “[p]ersonal information handling includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.” Given the breadth of these and other definitions in the PIPL, many questions likewise remain unanswered as to what and how the personal information is to be protected and handled under the PIPL.
Article 13 exceptions and the Cadence Design Court’s interpretation
PIPL Article 13 sets forth several exceptions that permit “Personal information handlers” to seek and obtain protected personal information of individuals in China. The three enumerated exceptions at issue in the Cadence Design case were exceptions 1, 3, and 7, which excuse compliance where (1) the Personal information handlers . . . [o]btain individuals’ consent”; (3) “Where necessary to fulfill statutory duties and responsibilities or statutory obligations;” and (7) “Other circumstances provided in laws and administrative regulations.”
In the Cadence Design case, the plaintiff’s discovery triggered PIPL Article 39, which applies “[w]here personal information handlers provide personal information outside of the borders of the People’s Republic of China,” and requires (a) notice to “the individual [whose personal information is sought] about the foreign receiving side’s name or personal name, contact method, handling purpose, handling methods, and personal information categories, as well as ways or procedures for individuals to exercise the rights provided in this Law with the foreign receiving side, and other such matters,” and (b) to “obtain individuals’ separate consent.” There was no dispute that the plaintiff did not comply with PIPL Article 39. Rather, the dispute was whether the discovery and the U.S. Court’s order excused compliance with PIPL Article 39 under exception 3 or 7 in PIPL Article 13. Thus, the questions for the Court were what constitutes “necessary to fulfill statutory duties and responsibilities or statutory obligations” and what is included under the “[o]ther circumstances provided in laws and administrative regulations” under the Article 13 exceptions.
The Court ruled that the PIPL does not require the legal obligation be “statutory” to fall within the third exception of Article 13, but instead “should be translated as referring to ‘obligations provided by law’ rather than ‘statutory duties or obligations.’” The Court also found that the seventh exception of Article 13 refers broadly to “other relevant provisions of this Law,” which does not explicitly limit its reach to provisions of the same chapter or section. Moreover, the Court found that nothing in the PIPL itself indicates the seventh exception of Article 13 is limited to Chinese law only.
The Court further agreed that Syntronic Beijing’s U.S. discovery obligations, including the Court’s previous order to produce the computers for inspection in the United States, is a cognizable legal duty within the meaning of the third exception in Article 13. Thus, the Court ruled that Syntronic Beijing must comply with the Court’s prior discovery order and that doing so was within the scope of the exceptions in Article 13 and, therefore, did not violate the PIPL.
While the Cadence Design court found that Chinese data privacy law does not excuse a China-related party’s court-ordered discovery obligations in the United States, many questions remain unanswered. Indeed, as Judge Spero observed in Cadence Design, “The PIPL is a recently enacted law that does not appear to have yet been subject to significant judicial or otherwise authoritative interpretation.” With additional Chinese regulations still forthcoming for the PIPL and DSL, together with the uncertain implementations of China’s new data privacy laws and their extra-territorial application for U.S. litigants in U.S. courts, we likely have not heard the last word on the effect China’s PIPL and DSL may have on China-related parties’ discovery obligations in litigation venued in the United States.
For China-related parties engaged in litigation in the United States, it is important to have written discovery requests analyzed by counsel with an understanding of the PIPL and DSL. If you have any privacy related questions, please contact the authors or the other attorneys in the Data Security and Privacy team at Atkinson Andelson Loya Ruud & Romo.
This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process.
© 2022 Atkinson, Andelson, Loya, Ruud & Romo
- Senior Associate
Runmin (Ivy) Gao is a tenacious litigator who specializes in all types of complex commercial and business matters involving contract disputes, fraud, investment issues, corporate governance disputes, and the protection of trade ...
Brian Wheeler leads the firm’s Intellectual Property and Data Security & Privacy team. His practice focuses on intellectual property, data security and privacy, and high-stakes complex commercial litigation, water ...
Other AALRR Blogs
- California Court of Appeal Rules That The Americans With Disabilities Act Does Not Apply To A Website That Does Not Provide Goods Or Services Connected With A Physical Location
- China’s Personal Information Protection Law Does Not Excuse China-Related Party From Discovery Obligations in the United States, Northern District Says
- Reliance on Third-Party Agents Can Expose You to Substantial Liability
- California Labor Codes’ Policy Against Forum Selection Clauses Overrides Compulsory Cross-Complaint Laws
- Privacy and Data Security National Update: Increasing Federal Involvement in Data Security and Enforcement
- California Privacy Law Update: The California Privacy Protection Agency Takes Shape and CCPA Litigation Update
- California Privacy Law Update: The CCPA and CPRA Amended (Yet Again) and New Protection for Genetic Information
- California Court of Appeal Issues Potentially Far Reaching Decision Regarding California’s “Bounty Hunter” Labor Code Private Attorneys General Statute
- Supreme Court Ruling Narrowing Patent Assignor Estoppel Doctrine Favors Employee Mobility In Post-Employment Disputes Involving Invention Assignments
- Supreme Court Ruling in Google v. Oracle Marks Significant Victory for Copyright “Fair Use” in Commercial Works
- Christopher S. Andre
- Cindy Strom Arellano
- Eduardo A. Carvajal
- Michele L. Collender
- Scott K. Dauscher
- Lauren D. Fierro
- Runmin (Ivy) Gao
- Evan J. Gautier
- Carol A. Gefis
- Amber S. Healy
- Edward C. Ho
- John E. James
- Jonathan Judge
- David Kang
- Neil M. Katsuyama
- Joseph K. Lee
- Damian J. Martinez
- Shawn M. Ogle
- David B. Sarfati
- Jon M. Setoguchi
- Adam P. Snyder
- Brian M. Wheeler
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- June 2019
- May 2019
- April 2019
- March 2019