This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
viewpoints
Welcome to Reed Smith's viewpoints — timely commentary from our lawyers on topics relevant to your business and wider industry. Browse to see the latest news and subscribe to receive updates on topics that matter to you, directly to your mailbox.
| 1 minute read

Litigants Beware: Cross-Border Data Transfers From China Present New Perils

Parties involved in cross-border discovery are becoming accustomed to the hurdles and risks involved with transferring documents or data from Europe and the UK for litigation and discovery compliance. New legislation in China now presents similar risks for cross-border data transfers from China.

On November 1, 2021, China’s Personal Information Protection Law (“PIPL”) went into effect – that country’s first law designed explicitly to protect personal information. There are some significant differences between the European General Data Protection Regulation (“GDPR”) and the PIPL, including the specific derogations potentially available to permit processing and transfer of data to the U.S. for discovery compliance. However, there are also some similarities, including the laws’ extra-territorial reach, and their authorization of hefty fines for noncompliance.

On July 7, 2022, the Cyberspace Administration of China (“CAC”) – one of the enforcing bodies for China’s data privacy laws – released the Measures for Security Assessment of Cross-border Data Transfers, which go into effect September 1, 2022. These measures clarify some aspects of cross-border data transfers, but still leave some points open for interpretation. For instance, implementation of the measures, and how compliance will be enforced by the CAC and other authorities, is not yet fully known. Additionally, there is a six-month grace period for cross-border transfers.

Once the GDPR went into effect, there was a “leniency phase” in enforcement, allowing companies some time to adjust to the new laws. It now appears that there will be no similar leniency phase for the PIPL. On July 21, 2022, less than eight months after the PIPL’s effective date, the CAC imposed on Didi Global, Inc. a penalty of 8.026 billion yuan (equivalent to about US $1.2 billion) for noncompliance with the new law. Given the high stakes, parties faced with discovery demands seeking documents or data from China will be well-advised to consider the provisions of the PIPL before simply transferring documents or data from China to the U.S.

Tags

ediscovery, cross-border, data transfers, pipl, gdpr, sanctions, cross border, e-discovery, emerging technologies