On the first day of Hong Kong Arbitration Week 2022, Morrison & Foerster hosted a hybrid panel on “Implications of PRC’s Evolving Data Protection Laws on Disclosure and Participation of PRC Parties in International Arbitration.” The panel introduced the latest developments in the data protection legal regime of the People’s Republic of China (“PRC”) and explored the challenges it posed to international arbitration proceedings.
Panelists included Ms. Sarah Thomas (Morrison & Foerster, Hong Kong), Mr. Samuel Yang (Anjie Law Firm, Beijing), Ms. Fanghan Chen (Hong Kong International Arbitration Centre, Hong Kong), and Ms. Kathleen Paisley (AMBOS Lawyers, Brussels). The panel discussion was moderated by Ms. Cheryl Zhu (Morrison & Foerster, Hong Kong).
Overview on PRC Data Protection Laws
Mr. Yang provided a brief introduction to the three pillars of the PRC’s data protection legal regime, namely the Cybersecurity Law (“CSL”), Personal Information Protection Law (“PIPL”), and Data Security Law (“DSL”), as well as the restrictions on cross-border data transfer imposed by PRC data protection laws. Viewed as being more restrictive than the EU General Data Protection Regulation (“GDPR”), PRC data protection laws first require the exporting entity to carry out a self-assessment, including whether it is legal, necessary, and appropriate to transfer the data abroad and what impacts the data transfer may have on the PRC’s national security and public interests, and produce a self-assessment report. Then, depending on the volume and nature of the data and whether a critical information operator is involved, the exporting entity faces three potential legal options: sign a standard contract clause (in the form issued by the Cyberspace Administration of China (“CAC”)) with the overseas data recipient; obtain a personal information protection certification from a CAC-recognized professional institution; or pass a security assessment by the CAC. Finally, the exporting entity needs to obtain the consent of the data subjects in every instance of data export and provide a detailed notification to data subjects of, inter alia, the name and contact information of the overseas recipient, as well as the purpose and method of the data processing.
Mr. Yang specifically discussed the application of DSL Article 36 and PIPL Article 41 in international arbitration. These two provisions contain special restrictions on data export to “foreign judicial or law enforcement authorities.” However, the government has not published any clear guidance on their application in the arbitration context. Mr. Yang explained that per unofficial inquiries with the Ministry of Justice (“MOJ”), data export to arbitral tribunals or institutions currently requires approval by the MOJ (which usually takes one month) or at least a security assessment by the CAC.
Impact of the PRC’s Data Protection Laws on the Arbitral Process
Ms. Thomas highlighted that conflicts pertaining to data protection law issues often materialized in the disclosure process in arbitrations. PRC parties are increasingly relying on the PRC’s data protection laws to resist a counterparty’s production requests or to substantially delay the proceedings by citing a need to conduct a self-assessment and/or obtain approval from the relevant PRC authorities.
Ms. Chen concurred and noted that the HKIAC had recently seen several cases in which the legislative gaps in DSL Article 36 and PIPL Article 41 led to challenges in arbitral proceedings. Parties have raised different interpretations of DSL Article 36 and PIPL Article 41 before tribunals, occasionally even adopting double standards to produce documents in their favor but decline other production requests citing data protection concerns.
Both Ms. Thomas and Ms. Chen observed that the issues were further complicated by the lack of consistency in the PRC authorities’ approach toward data export in international arbitration. Ms. Thomas shared that, in Morrison & Foerster’s experience, the MOJ had in some cases concluded that approval on data export in arbitration proceedings was needed. Yet, in other cases, the MOJ concluded that such approval was not necessary. Ms. Chen also shared that in one arbitration, the PRC party conducted a self-assessment and submitted an approval request for the export of data to five different PRC authorities. In response, some of the authorities provided only high-level feedback (orally) on the circumstances in which submissions in an arbitration could be transferred across the border, whereas others declined to review the party’s request on the basis that arbitration affairs were outside the scope of their responsibilities.
Given the present uncertainties, Ms. Thomas proposed that where a PRC party cited PRC data protection laws and was unable and/or unwilling to provide disclosure in an arbitration, potential solutions available to a tribunal included drawing adverse inferences and/or imposing cost consequences on the non-disclosing party pursuant to Articles 9.6 and 9.8 of the IBA Rules on the Taking of Evidence in International Arbitration (2020) or releasing both parties from document production obligations to level the playing field. However, Ms. Thomas highlighted that dealing with such issues at the disclosure stage would inevitably result in delays to the proceedings and urged parties and tribunals to consider data protection issues in advance to minimize delays in the arbitration process.
Best Practices in Dealing with Data Protection Issues in Arbitration
As the co-chair of the IBA-ICCA Joint Task Force on Data Protection in International Arbitration Proceedings, Ms. Paisley shared her insights on the interplay between data protection issues and international arbitration based on her experience with the GDPR. Ms. Paisley echoed Ms. Thomas’ views that parties should consider data protection issues at the outset of the arbitral proceedings. She suggested that parties map out all data points when the dispute initially surfaces, e.g., applicable data protection regulations, governing authorities, data subjects, processors, recipients, and potential data export routes. Given the foreseeable delay caused by government review and approval, it is essential that a party timely manage the expectations of the counterparty, tribunal, and arbitral institution with regard to the procedural timetable. It will be too late if parties only start considering these issues at the disclosure phase of the proceedings.
The panel discussion was very enlightening and provided abundant insights into PRC data protection laws as well as the arbitration community’s response to the evolving data protection regime. By addressing data protection issues at the outset of arbitral proceedings and actively engaging with PRC government authorities on the interplay between data protection issues and international arbitration, parties will not only be able to minimize delays in arbitration (especially in the disclosure process), but also potentially assist the PRC government authorities with developing a consistent approach to dealing with data protection issues in international arbitration.
More coverage from Hong Kong Arbitration Week is available here.