Business Law Journal

Background

Last year China enacted two data privacy laws, which collectively created a new sweeping system dealing with data security and privacy.  These two laws will undoubtedly have a significant impact on multinational companies whose operations relate to or touch China.

China’s Data Security Law (“DSL”), which was passed in June 2021 and went into effect on September 1, 2021, sets up a framework that classifies data collected and stored in China.  The key focus of the DSL is the protection and security of critical data relating to national security and the public interest.  The most significant element of the law is the data classification system whereby the government will classify different types of data based on its level of importance and then publish a protection standard for each class of data.  Similar to recent data privacy laws in California and elsewhere in the United States, the DSL leaves a number of open items for further clarification by more detailed regulations, rules and notices. 

China’s PIPL, which was passed in August 2021 and went into effect on November 1, 2021, is China’s first comprehensive legislation regulating the protection of personal information.  The PIPL applies to “the activities of handling the personal information of natural persons within the borders of the People’s Republic of China.”  And according to PIPL Article 3, the PIPL is intended to have extra-territorial reach.  Personal Information is defined broadly under PIPL Article 4 as “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.”  Additionally, “[p]ersonal information handling includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.”  Given the breadth of these and other definitions in the PIPL, many questions likewise remain unanswered as to what and how the personal information is to be protected and handled under the PIPL.

Article 13 exceptions and the Cadence Design Court’s interpretation

PIPL Article 13 sets forth several exceptions that permit “Personal information handlers” to seek and obtain protected personal information of individuals in China.  The three enumerated exceptions at issue in the Cadence Design case were exceptions 1, 3, and 7, which excuse compliance where (1) the Personal information handlers . . . [o]btain[] individuals’ consent”; (3) “Where necessary to fulfill statutory duties and responsibilities or statutory obligations;” and (7) “Other circumstances provided in laws and administrative regulations.”

In the Cadence Design case, the plaintiff’s discovery triggered PIPL Article 39, which applies “[w]here personal information handlers provide personal information outside of the borders of the People’s Republic of China,” and requires (a) notice to “the individual [whose personal information is sought] about the foreign receiving side’s name or personal name, contact method, handling purpose, handling methods, and personal information categories, as well as ways or procedures for individuals to exercise the rights provided in this Law with the foreign receiving side, and other such matters,” and (b) to “obtain individuals’ separate consent.”  There was no dispute that the plaintiff did not comply with PIPL Article 39.  Rather, the dispute was whether the discovery and the U.S. Court’s order excused compliance with PIPL Article 39 under exception 3 or 7 in PIPL Article 13.  Thus, the questions for the Court were what constitutes “necessary to fulfill statutory duties and responsibilities or statutory obligations” and what is included under the “[o]ther circumstances provided in laws and administrative regulations” under the Article 13 exceptions. 

The Court ruled that the PIPL does not require the legal obligation be “statutory” to fall within the third exception of Article 13, but instead “should be translated as referring to ‘obligations provided by law’ rather than ‘statutory duties or obligations.’”  The Court also found that the seventh exception of Article 13 refers broadly to “other relevant provisions of this Law,” which does not explicitly limit its reach to provisions of the same chapter or section.  Moreover, the Court found that nothing in the PIPL itself indicates the seventh exception of Article 13 is limited to Chinese law only.

The Court further agreed that Syntronic Beijing’s U.S. discovery obligations, including the Court’s previous order to produce the computers for inspection in the United States, is a cognizable legal duty within the meaning of the third exception in Article 13.  Thus, the Court ruled that Syntronic Beijing must comply with the Court’s prior discovery order and that doing so was within the scope of the exceptions in Article 13 and, therefore, did not violate the PIPL.

Conclusion

While the Cadence Design court found that Chinese data privacy law does not excuse a China-related party’s court-ordered discovery obligations in the United States, many questions remain unanswered.  Indeed, as Judge Spero observed in Cadence Design, “The PIPL is a recently enacted law that does not appear to have yet been subject to significant judicial or otherwise authoritative interpretation.”  With additional Chinese regulations still forthcoming for the PIPL and DSL, together with the uncertain implementations of China’s new data privacy laws and their extra-territorial application for U.S. litigants in U.S. courts, we likely have not heard the last word on the effect China’s PIPL and DSL may have on China-related parties’ discovery obligations in litigation venued in the United States.

For China-related parties engaged in litigation in the United States, it is important to have written discovery requests analyzed by counsel with an understanding of the PIPL and DSL.  If you have any privacy related questions, please contact the authors or the other attorneys in the Data Security and Privacy team at Atkinson Andelson Loya Ruud & Romo.

This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process. 

© 2022 Atkinson, Andelson, Loya, Ruud & Romo