Credit: BeeBright/Shutterstock.com Credit: BeeBright/Shutterstock.com

While U.S. lawyers who frequently conduct internal investigations may be well-versed in how to collect and analyze electronic evidence, there are nuances when the investigation involves entities, conduct or data in mainland China. As a result, a U.S. lawyer's typical playbook may need to be tweaked, and special precautions taken, if undertaking investigative steps in the PRC.

This article aims to summarize some key nuances and differences in gathering and reviewing electronic evidence in China of which U.S. practitioners should be aware.

  • Strict protection over personal information.

Most investigations begin with the collection of relevant information. Such information sometimes includes personal information, either in hard copy or electronic form. With the growth of "bring your own device" policies and the fact that many employees use personal email accounts, instant messaging apps and cloud-sharing platforms for work purposes (even when not authorized to do so), personal data may be intermingled with information relevant to an investigation.

While in the U.S., companies often lean on their corporate polices or handbooks to authorize collection and review of documents and devices for their investigations, even if that results in collection and review of personal information, the matter is not as simple in mainland China. In fact, China has a slew of laws and regulations providing strict protection of personal information. For example, under the recently issued PRC cybersecurity law, when collecting and using personal information, the network operator must prove the necessity of collecting and using such information. It also needs to articulate the purpose, means and scope of the collection and use of that personal information. The same rules may also apply to the collection of an employee's personal information by an employer. Violation of these rules could constitute "illegal use" of the employee's personal information, even if the company's internal policy permits it.

Additionally, if a company were deemed to have obtained personal information or provided the same to others in an "illegal" way under any PRC law that leads to a grave result, the company may be further subject to criminal liability. The Humphrey case is a good example on this. In 2014, a British national and his wife, acting as consultants for a U.K. pharmaceutical company, were conducting investigations on Chinese citizens for alleged commercial bribery and corruption in its business in mainland China. Both were arrested by mainland Chinese authorities for the trade of illegal personal information.

Legal protections over the same subject matter can similarly be found in the Chinese Constitution, the General Principle of Civil Law and other laws. Also, according to the legislative plan of the PRC published in September 2018, a new law will be passed soon that would further strengthen the protections afforded to personal information. The draft proposal of that legislation provides that for nongovernmental entities that need to collect personal information "beyond a specific purpose," such entity needs to avail itself of one of the following high-threshold safe harbors: have written consent or authorization of the individual, have a contractual relationship with the individual whose interest would not be harmed by the collection, the personal information is already in public domain and obtaining the same would not be injurious to the individual's interest, collection is both necessary for academic research and not injurious to the individual's interest, or other situations where collection of personal information is allowed under the law. However, it is unclear how that "specific purpose" would be defined under the law.

Moreover, under current PRC laws and regulations, the definition of personal information itself is broad and often vague. For example, under the cybersecurity law, personal information is defined as all kinds of information recorded in electronic or other forms, which can be used, independently or in combination with other information, to identify a natural person's personal identity, including but not limited to the natural person's name, date of birth, identity certificate number, biology-identified personal information, address and telephone number. As a result, it may be difficult for lawyers and investigators to determine whether or not relevant information is personal in nature.

In light of the strict protections and broad definition of personal information provided under PRC law, obtaining informed consent—which would need to sufficiently cover the information sought and the purpose for the request—may be an indispensable step before collection of any information from such persons.

  • Risks related to transferring and exporting data from mainland China.

Transferring data internationally from China as part of an investigation, or even having a platform for remote cross-border review on data stored in China, could be problematic due to strict limitations under PRC law for such data transfers.

First, under the Law on Protection of State Secrets, unauthorized transfer of state secrets beyond Chinese borders is prohibited and is subject to criminal liabilities. A "state secret" is broadly defined as any information in connection with national security and interests and whose leakage may damage the national security and interests in the field of politics, economy, national defense, foreign affairs, etc. As a result, it may be difficult for lawyers and investigators to judge whether or not, on its face, relevant information constitutes a "state secret." For example, in 2009, in the ordinary course of his work, an engineer working for a U.S. consulting company was convicted for the illegal acquisition of state secrets after having purchased a database containing the location of more than 3,000 oil wells in mainland China. There, the court rejected the engineer's argument that this kind of information is commonly treated as mere business information in many other countries. Adding to the complexity and risk is that in the PRC courts' practice, information can be retroactively classified as a state secret even if the information at issue was not so classified at the time of disclosure.

Second, the PRC cybersecurity law also prohibits the export of certain personal information from mainland China. According to the law, personal information and important data collected and produced by "critical information infrastructure operators" during their operations in China shall be stored within and not transferred outside of the country. The term "critical information infrastructure" nebulously includes information infrastructure in important industries and fields such as public communications and information services, energy, transport, water conservancy, finance, public services and e-government affairs as well as any information infrastructure whose destruction would result in serious damage to state security, the national economy, the people's livelihood, or public interest. The breadth of the term poses interpretive challenges for operators who are unsure of whether or not they fall within its scope.

In light of the above, one conservative approach would be to store and review in mainland China any information collected within its borders. Law firms and forensic consulting firms may address this issue by using their local resources to conduct relevant work, for example, having local reviewers in China prepare a summary on important information found during the review, and then transfer the summary, rather than the underlying information itself, out to the team members abroad.

If transferring and exporting information from mainland China is necessary, a best practice would be conducting a detailed review of the would-be-transferred information and obtaining legal advice on PRC law prior to any transfer. It may also be necessary to obtain an indemnification warranty from the client against liabilities may arise due to the transfer.

A potential workflow for a managed document review could involve first utilizing a specialist forensic technology firm, or law firm with such in-house capabilities, to conduct in China the data collection and processing prior to relevant documents being placed in a document review platform; then having a managed document review team assess relevance; and finally having external Chinese counsel conduct a state secret and PII review before allowing for data transfer from the PRC. Of note, the review work does not typically need to be conducted by a state-sponsored forensic firm.

  • Privilege considerations.

Another precarious distinction for investigative work conducted in mainland China versus that in common law jurisdictions is that PRC law does not recognize legal professional privilege, such as attorney-client privilege or work product protection. This means that communications between a lawyer or forensic consultant and the client, as well as their work product and preparations for litigation, may not enjoy conventional protections and their disclosure to Chinese government or judicial authorities may be compelled. But the lack of privilege is tempered, to some extent, by the general lack of fact discovery in PRC courts.

Nonetheless, before initiating an internal investigation in mainland China, companies and their outside counsel should be aware that any document generated during the investigation, such as a report drafted by outside counsel, may have to be turned over in subsequent proceedings e.g., criminal investigations.

  • Evidence collection for foreign litigation.

Under the PRC civil procedure law, foreign authorities and individuals shall not conduct evidence collection in mainland China without permission from Chinese authorities. Attorneys in foreign jurisdictions should seek advice and support from PRC-qualified lawyers before collecting evidence or conducting service of process in mainland China in support of foreign lawsuits. The law requires that, where evidence located in China needs to be collected by a foreign authority for a judicial proceeding such as a U.S. litigation, the U.S. court must go through the procedure prescribed under the Hague Convention on the Taking of Evidence. This usually entails an application from the sitting foreign court to the Ministry of Justice in mainland China, with the overall, multi-step process taking six to 12 months to execute. First, the foreign court needs to submit a disclosure request to the Chinese Ministry of Justice. The request will be forwarded to the Supreme People's Court of China for review. After approval, the request will then be forwarded to the lower level People's Court for enforcement.

The use of a Chinese notary is recommended when collecting electronic evidence if there is a chance that the matter may end up in a foreign court. The notary will be present during the imaging of any computers, mobile devices or server-based data, and he will issue a report stating that the procedures were acceptable for the use of the data as evidence in court. Chinese notary reports are submitted and accepted into court for the judge's review. Notaries tend to be used in employment and fraud cases to preempt the other side from casting doubt over the data collection techniques used.

  • Conclusion

As can been seen above, by introducing stricter and more comprehensive requirements regarding collection, protection, storage, as well as the transfer of data, China's regulatory environment for conducting an internal investigation has evolved in recent years. In order to better understand these changes and make sure an internal investigation in China is conducted in compliance with all relevant regulatory requirements, it is important for multinational corporations to work with forensic consulting firms and outside counsel apprised of the latest developments and experience in conducting internal investigations in China.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.

Shannon Murphy is a partner at Winston & Strawn who handles investigations, litigation and counseling, focusing on matters with criminal implications or trade secret issues. Gino Cheng is a partner with the firm and a registered U.S. patent attorney whose practice focuses on intellectual property disputes and cross-border, adversarial licensing negotiations. He serves as a member of the firm's disruptive technologies team and on its cross-functional global privacy and data security task force. Based in the firm's Shanghai office, Ya'nan Zhao focuses his practice on international arbitration and cross-border litigation. Based in Hong Kong, Sandeep Jadav is a senior managing director and the co-regional lead for technology in Asia at FTI Consulting. Jadav has over 19 years of experience working in forensic technology alongside top global law firms, corporates, financial service institutions and investigatory agencies.