China’s New Data Security Law in U.S. Discovery Disputes
August 23, 2022
“Data Security Breach” by Visual Content
is licensed under CC BY 2.0
Discovery litigation regarding the impact of China’s Data Security Law (“DSL”), which took effect less than a year ago in September 2021, has steadily increased in U.S. courts, and it is likely to continue to increase over the coming months and years. One driver of this litigation is the uncertainty created by the newness of the DSL itself – including questions of whether and how China may enforce and implement the law, and what penalties will actually be imposed on those who fail to comply. It is anticipated that the Chinese government will promulgate further regulations to implement the DSL, but the timeframe is unclear.
The DSL is part of a constellation of data security laws in China. The Cybersecurity Law of 2017, the Guarding State Secrets Law (“SSL”), originally enacted in 1988 and revised in 2010, and the Personal Information Protection Law(“PIPL”), enacted in 2021, all have provisions that govern data security in China in varying ways. This post focuses specifically on the DSL and its intersection with U.S. discovery disputes. (For discussion of the PIPL specifically, see William Dodge’s analysis of a recent federal court decision.)
The Framework of the DSL
For purposes of U.S. discovery issues, the key text of the DSL is Article 36, which states:
The competent authorities of the PRC are to handle foreign justice or law enforcement institution requests for the provision of data, according to relevant laws and treaties or agreements concluded or participated in by the PRC, or in accordance with the principle of equality and reciprocity. Domestic organizations and individuals must notprovide data stored within the mainland territory of the PRC to the justice or law enforcement institutions of foreign countries without the approval of the competent authorities of the PRC. (Emphasis added.)
Further, under Article 21, the DSL contemplates the creation of “a categorized and graded protection system for data” and notes that “[d]ata related to national security, the lifelines of the national economy, important aspects of people’s livelihoods, major public interests, etc., constitute core national data, for which a stricter management system is to be implemented.” This regulatory framework is nascent, with limited regulatory guidance at this point. However, the DSL provides a basic framework of categories of data with corresponding protocols. The categories are core data, important data, and general data, although they are not yet well-defined.
Article 48 of the DSL gives the potential penalties for violation of Article 36. The potential penalties are fairly serious. The penalties include fines against the business entity and against responsible individuals and potential suspension of the business. For “serious consequences” (which are undefined), the penalty is up to 5,000,000 yuan, equivalent to roughly $740,000 USD, with lower but still significant financial penalties for general violations. In addition, in circumstances of “serious consequences,” business operations may be suspended or licenses may be revoked, which are potentially dire results for a business.
The DSL only applies to data stored in China. Under Article 2, “[t]his Law applies to data handling activities and their security regulation within the mainland territory of the People’s Republic of China.” (However, as noted in the linked translation, it is not entirely clear whether the DSL would apply in non-mainland areas such as Hong Kong or Macau, an issue that is likely to be clarified over time.)
U.S. Decisions on the DSL
The first case in the United States to adjudicate the effect of the DSL on U.S. litigation was In re Valsartan, Losartan, & Irbesartan Products Liability Litigation (D.N.J. 2021), a multi-district litigation over pharmaceutical sales. The discovery question addressed in that order primarily focused on the SSL, which the parties had been fighting over for a long time, but the enactment of the DSL in the midst of that dispute threw the new law into the mix.
The Valsartan court primarily focused on the SSL and readily dispensed with arguments under the DSL. The court reasoned that the DSL only prohibited information in China from being “given to U.S. courts” and did not, on its face, prohibit giving information to opposing parties. The court concluded that the DSL’s prohibition was therefore “inapplicable to these documents or indeed to any information produced in response to an FRCP discovery request.” The court further anticipated that an analysis of the DSL’s effect on U.S. litigation, if the DSL applied, would look to the balancing test of the Aérospatiale-Wultz factors, derived from Société Nationale Industrielle Aérospatiale v. U.S. District Court (1987) and Wultz v. Bank of China Ltd. (S.D.N.Y. 2013). Thus, while the Valsartan court considered the DSL, it largely sidestepped a detailed analysis of the law by concluding that the DSL was inapplicable to discovery exchanged between parties.
A district court in Illinois adopted similar reasoning in denying defendants’ efforts to avoid discovery in Philips Medical Systems (Cleveland), Inc. v. Buan (N.D. Ill. 2022), a trade secrets case. The court’s conclusion rested primarily on a burden analysis – that the defendants had not satisfied their burden of showing that Chinese law, including the DSL, actually barred production of the specific documents at issue – so their arguments were rejected. Further, as to the DSL, the court concluded, like the Valsartan court, that because “discovery requests and responses thereto in the American common law system are traded between the parties,” the DSL did not appear to apply. As quoted above, Article 36 of the DSL refers to data exchange with “justice or law enforcement institutions of foreign countries,” and thus this interpretation finds solid footing in the plain language of the DSL. That said, even if this specific language of Article 36 truly does mean that a Chinese entity can share data with an opposing party in the United States, it is pretty clear that Article 36 would apply if the documents were then to be used in any court filing or trial – so this narrow basis, which feels a bit like a technicality, relied upon by Valsartan and Philips only kicks the can down the road.
A recent New York appellate decision also avoided dealing with the substance of the DSL by concluding that defendants had failed to meet their burden of showing that the DSL prohibited their discovery obligations. In Heng Ren Silk Road Investments LLC v. Duff & Phelps, LLC (N.Y. App. Div. 1st Dept. 2022), the court concluded that the “speculat[ion]” of defendants’ expert was “conclusory” and “insufficient for good cause” regarding potential penalties under the DSL. Further, the document at issue in Heng Ren had been created more than three years prior to enactment of the DSL, and the court concluded that defendants did not establish the “likelihood of the Chinese authorities to apply the DSL . . . retroactively.” The court was thus able to sidestep a substantive analysis of the DSL.
However, a recent California federal court relied on the DSL to deny a discovery request, thus bucking the trend of courts rejecting the DSL as a basis to block discovery. In Juul Labs, Inc. v. Chou (C.D. Cal. 2022), the plaintiff sought a forensic examination of various electronic devices of the defendants, several of which were physically located in China. The court denied this request on several bases, including proportionality under FRCP 26. The defendants had contended that the DSL prohibited them from shipping the devices out of China without prior governmental approval. The court concluded that although the “[DSL] issue is not dispositive, along with the other factors cited by Defendants, it demonstrates the burden of the proposed discovery.” The court provided no analysis of the DSL. But for parties looking to rely on the DSL or other blocking statutes to fend off discovery, the Juul decision offers a foundation.
In addition, the application and effect of the DSL is being actively litigated in other cases and surely has come up in numerous meet-and-confer discussions between counsel that have not progressed yet to discovery motion practice. For example, in Facebook, Inc., et al. v. OnlineNIC Inc. (N.D. Cal.), several of the parties are embroiled in a dispute over the effect of the DSL and other Chinese blocking statutes. No ruling has yet been made and it appears that the issue has been tabled for now. However, one of the defendants submitted a declaration from a Chinese legal expert who concluded that because the information requested was not “core data or important data,” the defendant would “not expose itself to substantial legal risks by producing such information in the U.S. proceeding.” It is likely that other cases will also involve a battle-of-the-experts between Chinese lawyers opining on the DSL.
In a New York state court matter, CF 125 Holding LLC v. VS 125 LLC, the plaintiff prevailed on a motion to compel discovery despite an objection based on the DSL. The defendants contended that the burden and legal risks of discovery – particularly due to the DSL and PIPL – outweighed the utility of the requested documents. The court summarily rejected the arguments grounded in the DSL, holding that “[d]efendants have failed to establish that foreign law prohibits the production.” Defendants have recently filed a notice of appeal. However, given the New York appellate court’s succinct ruling in Heng Ren, it is unlikely that the appeal will generate much substantive analysis of the DSL.
Litigation involving the DSL in U.S. courts is likely to evolve significantly over the coming months and years, along with jurisprudence involving the other statutes in the constellation of Chinese data security laws. Once China promulgates further regulations implementing the DSL, there will be greater clarity for litigants on the scope and application of the law. However, at this point it is unclear when additional regulations will be rolled out.
Reasonable minds may differ on whether the Chinese authorities will approve requests made under Article 36 of the DSL. The court in Valsartan reasoned that “PRC data handlers will just say no to any request for a cross-border transfer of information they deem even remotely covered by the DSL.” However, the legal expert in the Facebook case concluded that “[d]epending on the type of information required to be produced, it is therefore reasonable to assume that the relevant authorities would provide permission to produce to a foreign court the vast majority of evidence requested by the Plaintiffs.” The reality remains to be seen, and it may take time for any patterns to develop.
The weight of authority so far has concluded that the DSL does not block Chinese litigants’ discovery obligations, but some of those decisions have been based upon a moving party’s failure to carry its burden on the threshold applicability of the DSL to their particular documents and the nascent state of the DSL law. Only the Juul decision so far gives (modest) support for parties seeking to rely on the DSL to avoid discovery obligations.
It is likely that courts will apply the Aérospatiale-Wultz balancing analysis in assessing the DSL, but no courts have to date undertaken more than a preliminary analysis under that test. The Valsartan court noted that “no express federal jurisprudence exists yet for these laws,” but it “anticipated” that Aérospatiale-Wultz would apply to the DSL. The court further speculated that, for the case under consideration there, it was likely that under the Aérospatiale-Wultz analysis, the DSL would not justify non-disclosure. However, the Valsartan court did not reach the issue.
Several court decisions reflect concern that the DSL and other Chinese security laws could have an adverse effect on U.S. litigants and the U.S. court system by unfairly protecting Chinese parties. In Valsartan, the court stated:
I cannot subordinate the legitimate interests of U.S. plaintiffs in determining civil liability and possibly money damages because of uncertain-at-this-point-but-perceived liability under the SSL. . . . PRC defendants cannot enter the U.S. market expecting a possible shield from unfavorable discovery by PRC blocking statutes. As one judge’s decision has implied, if you don’t like the rules, then stop doing business in the U.S.
In Philips, the court also expressed concern that allowing the DSL to serve as a barrier to U.S. discovery
would give the Chinese Supreme People’s Court broad power to delay or prevent discovery in American courts. Such an interpretation would in essence permit the Chinese judiciary to oversee discovery decisions made by American courts regarding the responsibilities of Chinese litigants. . . . Not only would such a law infringe upon the sovereignty of the United States . . . but it would also severely disadvantage parties opposing Chinese litigants in American courts.
At the end of the day, it is certain that Chinese litigants in the U.S. will continue to raise the issue of the DSL in their discovery disputes, and U.S. parties facing or anticipating litigation against Chinese counterparties should be aware