4 Tips for an Effective E-discovery Plan in China

Shanghai. Photo: shanghainese/Shutterstock.com

Collecting data in China for cross-border litigation or investigations can pose challenging legal and regulatory issues for multinational companies. Whether conducting internal investigations, responding to litigation or U.S. regulatory inquiries, or supporting audits or due diligence reviews, the process of collecting, preserving and transferring data has been complicated by a web of recent enforcement actions, new laws and regulations, as well as geopolitical uncertainties.

Given this dynamic regulatory environment, to ensure that any data collection in China is conducted successfully and without regulatory scrutiny, it is critical to map out a timely and well-documented e-discovery plan that comprehensively addresses compliance with local laws. Having such a process in place can also go a long way to address potential post-collection inquiries.

Below we set out a number of recommendations for mapping out a China e-discovery plan in light of these considerations.

1. Determine the scope of the discovery exercise

Having a clear grasp of the scope of the exercise is fundamental before you consider the legal and regulatory issues that may affect your collection. This includes understanding and identifying the different types of data involved, including:

• Whether the data resides on company premises or elsewhere (eg, third-party data centers);
• Whether the data-containing devices are company or employee-owned;
• Whether the data is encrypted; and
• The specific file types involved.

Additionally, with the widespread adoption of smartphones and social media apps (including a very popular messaging app in China called WeChat), a new set of potentially in-scope data has emerged, which includes business communications residing outside of traditional desktop email collections as well as machine data (eg, metadata, smart and connected devices). This has become increasingly relevant in litigation involving the transfer of intellectual property, financial fraud and other business disputes.

After considering what types of data are involved, you will need to better understand how that data will be used including determining whether the data would need to be transferred to third parties (e.g. professional advisers, group headquarters or a regulator), transferred abroad, or reviewed for internal purposes only.

2. Understand the use of personal data and other regulated data in China

Data protection is becoming more complex in China. As a result of more stringent laws and regulations, many companies have had to revisit their China data policies and obtain consent prior to the collection, use, or disclosure of personal data. Collection in China is further complicated by recent trends towards “data localization”—ie, certain data having to remain in mainland China. Given the rapidly-evolving regulatory environment, it is important to keep abreast of recent developments, plan ahead and understand your data.

Will you need to consider personal data?

In China, personal data is defined as including all kinds of information, recorded electronically or through other means, that, whether taken alone or combined with other information, is sufficient to identify a natural person's information. This includes but is not limited to a person's name, contact details, photographs, health information, personnel file, and banking/payment information.

Sensitive personal data has a very different meaning in China than in most other countries. It means personal data which, if disclosed or abused, will lead to an adverse impact on the data subject. Examples of sensitive personal data in China include mobile phone numbers, login information and web browsing data.

Individuals must be properly notified and provide their express consent prior to any attempt to collect, use or disclose their personal data. Explicit consent is required for sensitive personal data and overseas data transfers. In China, the requirement to obtain consent can be very difficult to manage in practice at the time an investigation arises since China's data protection laws and regulations, unlike those in other jurisdictions, do not contain comprehensive exemptions to the consent requirement in the context of investigations, litigation or due diligence.

Additional compliance hurdles, such as impact assessments, may also need to be addressed in parallel with the investigation if external advisers or overseas data transfers are to be involved.

Other regulated data

Some other (non-personal) categories of data are also heavily regulated in China. Such data should only be collected, transferred, exported overseas and/or reviewed with careful consideration and planning.

Some of the key data categories include:

• “State secrets” as outlined under the PRC Guarding State Secrets Law;
• “Important data” as outlined under the PRC Cybersecurity Law; and
• Data in certain regulated sectors such as banking, healthcare, securities, scientific and insurance.

If your data scope contains any of the above types of data, caution must be exercised to ensure that the data collection process can either exclude the data or address the legal concerns in an appropriate and compliant manner. Failure to do so could result in civil or criminal liability, including fines, sanctions, revocation of license, detention and/or imprisonment.

3. Plan your review process

The next key step is to determine the most effective process to collect and review the data. The review process should be conducted in an efficient and cost-effective manner, and in compliance with applicable laws. Common factors to consider may include:

• Where the review would take place;
• The type of platform to host the review; and
• Whether to use local or global resources.

For bilingual and Chinese documents, it may be prudent to bring in bilingual attorneys and translators to address review tasks. You may also consider engaging an experienced forensic technology professional to assist with the data collection and hosting. This becomes increasingly important for larger and/or more complex data sets.

4. Other issues

When investigations or inquiries relate to foreign regulatory bodies residing outside of China, there is a heightened risk of miscommunication and misinformation. This may impede the collection process, or even cause further legal or discovery complications. An experienced counsel who has seen it all would be invaluable in helping map out strategy, avoid common pitfalls and mitigate risks.