Another Court Rejects Chinese Data Privacy Law as a Bar to U.S. Discovery
March 1, 2023
“Online & Data Security With Padlock and Binary Code”
by Cloud Income is licensed under CC BY 2.0
A second U.S. decision has held that China’s Personal Information Protection Law (PIPL) did not bar a U.S. discovery request because of an exception in the law for statutory obligations. As previously reported on TLB, a federal court in California held last year that the PIPL’s exception for transfers “necessary to fulfill statutory duties and responsibilities or statutory obligations” applies to foreign legal obligations, not just Chinese ones. In Owen v. Elastos Foundation, the Federal District Court for the Southern District of New York (SDNY) (Magistrate Judge Barbara Moses) agreed.
In 2021, two new data security laws went into effect in China. The Data Security Law (analyzed here) prohibits the transfer of “data stored within the mainland territory of the PRC to the justice or law enforcement institutions of foreign countries without the approval of the competent authorities of the PRC.” The PIPL regulates the handling of natural persons’ personal information. It applies when the handling occurs in China; it also applies when the handling occurs outside of China if the purpose is to provide products or services to persons in China or to analyze their activities. The PIPL prohibits handling personal information unless those persons consent or some other exception applies.
The plaintiffs in Owen brought a class action against Elastos Foundaton and its founders, alleging that Elastos’s ELA Tokens (a cryptocurrency) were securities that Elastos sold to U.S. investors without registering them with the Securities Exchange Commission. The foundation is registered in Singapore, with its principal offices in Beijing and Shanghai. Because Elastos is decentralized, the relevant information was in the possession of various “custodians” inside and outside of China. It included emails, texts, and social media communications on both business and personal devices. Although some of the custodians consented to the processing of personal information, others either did not consent or limited their consents. As a result, the defendants withheld some discovery, arguing that producing the information without consent would violate the PIPL and subject them to penalties.
Judge Moses disagreed. She began by noting that the PIPL’s definition of personal information is broad. Article 4 states: “Personal information is all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.” She rejected the argument that personal information could not include business communications and noted that, in this case, business communications were also mixed with personal communications in any event. The court concluded that complying with the discovery request would require “processing” of “personal information” as defined in the PIPL.
But some of the information sought by the plaintiffs was stored outside of China. With respect to these requests, Judge Moses held that the PIPL did not apply because the purpose of the handling was not to provide products or services to persons in China or to analyze their behavior. She read the behavior provision as limited to continuous tracking to predict a person’s interests, health, finances, etc.
With respect to requests for information stored in China, Judge Moses relied on an exception in Article 13, which permit the handling of personal information “[w]here necessary to fulfill statutory duties and responsibilities or statutory obligations” and in “[o]ther circumstances provided in laws and administrative regulations.” She noted that the court in Cadence Design Systems, Inc. v. Syntronic AB had interpreted the first of these exceptions to include obligations under foreign law and saw no reason to take a different approach with respect to the second.
In the alternative, the court held that the defendants would have to produce discovery even if Chinese law prohibited it. The court conducted the “comity analysis” required by the Supreme Court’s 1987 Aérospatialedecision, applying the five factors articulated there plus an additional two added by the SDNY in Wultz v. Bank of China (2012).
Judge Moses concluded that the information sought was important because it included information from key individuals who had yet to provide any documents. She noted that there was no other means of obtaining the information, ironically relying on an expert report by the defendant’s expert in an earlier case opining that the Hague Evidence Convention is not an effective means of collecting evidence in China. Judge Moses also reasoned that the United States has a significant interest in obtaining discovery and protecting investors, whereas China’s interest was weaker since Elastos is a Singaporean entity and the ELA Tokens were not sold in China. Finally, she doubted that the defendants faced serious sanctions under the PIPL, noting that defendants had cited no cases in which parties had been sanctioned under the law for complying with a U.S. discovery request.
As interpreted in Owen, China’s PIPL is not an obstacle to U.S. discovery. I doubt that the reference in Article 13(7) to “[o]ther circumstances provided in laws and administrative regulations” is properly interpreted to apply to foreign law. One finds parallel provisions in other articles in the law that clearly refer to Chinese laws and administrative regulations. These provisions seem to be intended to allow the Chinese government to flesh out the PIPL’s obligations with more detailed regulations.
On the other hand, Article 13(3)’s exception for handling “necessary to fulfill statutory duties and responsibilities or statutory obligations” can plausibly be interpreted to include foreign legal obligations. As Judge Moses noted (and has discussed here), another court has interpreted the exception this way. If other courts follow the same reasoning, then compliance with U.S. discovery requests will always be permitted, whether the information is store outside China or not. Of course, the Chinese government could clarify the interpretation through further regulations. But until then, it seems likely that U.S. courts will deal with the PIPL as Judge Moses did.
With respect to the comity analysis, U.S. courts seem to be treating data privacy laws the same way as other blocking statutes—which is to say, refusing to give them much weight. My colleague Ingrid (Wuerth) Brunk has argued that if litigants are able to show that data privacy statutes are generally enforced domestically (and might be enforced against them), it would be mistake to treat them like other blocking statutes, since data privacy laws serve legitimate purposes that have nothing to do with thwarting U.S. discovery. But so far, there seems to be little evidence that China is enforcing the PIPL domestically.
Transnational discovery raises lots of interesting questions, from foreign blocking statutes to the proper use of the Hague Evidence Convention. But the standard methods of U.S. discovery are so familiar and so effective, that using them is hard to resist.