Organisations in China are prohibited from providing foreign judicial and law enforcement bodies with data stored in China without prior approval of the competent Chinese authority. 

China has released a series of such blocker laws over the last few years at national level – principally the Data Security Law (DSL) in respect of all data types and, to the extent personal information is involved, the Personal Information Protection Law (PIPL); while many industry-level authorities are imposing similar restrictions on their regulated entities.

For a multinational organisation required by its home jurisdiction to produce information from its China operations, these data export controls can give rise to a compliance impasse within a group if there is not an established channel for information exchange between China’s and the counterpart market’s authorities. 

Almost three years since the implementation of the DSL and the PIPL, we are seeing increasing numbers of judicial cases and administrative enforcement where these disclosure restrictions have been tested by non-PRC regulators and judiciaries, such as the US courts. This legal dilemma has recently been underscored in a case between the European Commission (Commission) and the Nuctech group.

Below we set out details of the Nuctech case and some practical steps for multinationals to consider in response to these conflicting requirements.

Facts

In April, the Commission conducted inspections of Nuctech in the Netherlands and Poland, a business specialising in security inspection equipment ultimately owned by a partly Chinese state-owned enterprise.

During the inspection, the Commission requested the content of several employees’ email accounts. The requested data is stored on the servers owned by Nuctech’s parent in China, and relates to correspondence of employees who are Chinese citizens.

Nuctech applied to the General Court of the EU for relief, seeking to resist the Commission's request by arguing that compliance would force Nuctech to breach Chinese law.

The Court has now rejected Nuctech’s application for an interim injunction, upholding the Commission’s right to request the data for its investigation into suspected breaches of EU law, regardless of where the data is stored.

Arguments and rulings

To challenge and seek a suspension of the Commission’s request, Nuctech raised several arguments that touch upon the differences between the laws of the different jurisdictions. These arguments were rejected by the Court.  

• Extraterritorial application of EU law:
  Nuctech argued that the Commission had infringed EU law and public international law by compelling it to produce documents stored on servers located in China. It contended that the Commission could not extend its investigatory powers to territories or individuals outside its EU jurisdiction. However, the Commission cited its authority under EU competition law to apply its extraterritorial investigatory powers to companies whose operations have direct and substantial effects within the EU market, regardless of their geographical location. The Court recognised this power, noting that it aims to prevent conduct that, while not occurring within the EU, impacts the EU market.
• Applicability of the PRC law in EU proceedings: 
  Nuctech also argued that the request was unlawful as it would compel Nuctech to breach Chinese law, risking fines and criminal liability. In particular, Nuctech asserted that complying with the Commission’s requests would force it to violate Chinese law, potentially making it liable to criminal sanction under Articles 31 and 36 of the DSL, Article 41 of the PIPL, and Article 28 of the PRC Law on Safeguarding State Secrets. On the other hand, Nuctech claimed that not providing the requested information would risk EU sanctions.

The Court regarded Nuctech’s arguments as overly general and lacking sufficient detail. The Court emphasised that the lawfulness of the Commission's decision and its implementation measures were assessed solely in light of EU law, not Chinese law. Further, the Court noted that violation of the Chinese law provisions cited by Nuctech would only occur if the data were disclosed without prior authorisation from the Chinese authorities. However, Nuctech had not shown attempts to secure this authorisation, nor had it proposed alternative compliance methods.

Implications

This case underscores the complex and conflicting legal scenarios presented for Chinese-headquartered multinationals, where compliance with domestic data security laws may result in non-compliance with foreign laws in the EU (or other markets) in which they operate.

To mitigate these risks, Chinese companies operating in the EU should consider the following strategies:

• Understand the legal landscape: This case is a warning. Chinese companies need to understand the applicable cross-border transfer rules in the EU and China and plan now.
• Prepare your case fully: The Court identified several gaps in Nuctech’s arguments, including:
  • Failure to explain why Nuctech had no access to the requested information;
  • How Chinese law could prevent Nuctech’s entities established in the EU from responding to the Commission’s requests or why the provisions of Chinese law are relevant to them;
  • Whether Chinese criminal sanctions apply to the requested information in this case;
  • Whether Nuctech had sought the necessary authorisations in China to transfer the data to the Commission; and
  • Whether alternative methods could enable compliance with the Commission’s request without infringing Chinese law.

  There are views in the market that if Nuctech had provided sufficient information on the above points, the Court might have been more sympathetic to it. This highlights the importance of thorough preparation when seeking legal relief.

• Engage specialists in unfamiliar and complex procedures: Given the complex legal procedures in administrative investigations and litigation, special attention should be paid each time information is to be conveyed to the authorities or courts. For example, in the current case, the Court did not have to hear oral arguments from the parties, which may have limited the opportunity for Nuctech to give more substantive detail to its arguments. Engaging an EU law expert (like our teams across Europe) will likely help reduce the pitfalls in this regard. 
• Communicate proactively with regulators: Engage with regulatory authorities in all relevant jurisdictions as early as possible to seek clarifications, exemptions, and/or necessary authorisations to prevent unfavourable legal action. Authorisation procedures tend to be vague and elongated so assess your timetable for production. 
• Limit production of data from with China: Scrutinise and seek to limit the data that has to be produced to satisfy the request. Also remember that data is fungible and can be in two places at once – consider whether the requested data is already outside of mainland China and can be provided without risk of breaching Chinese rules.  

Take action

Before international conventions or domestic implementation rules in either jurisdiction are enacted, the challenge for companies facing conflicting legal requirements will keep rising, creating a precarious situation where compliance with one set of laws necessitates breaching another.

To navigate these intertwined legal landscapes, Chinese companies need meticulous preparation, strategic communication, and robust IT infrastructure and data management strategies to mitigate the risks resulting from their global footprints. The hardened stance of the EU judiciary shown by this case, in the context of broader geopolitical tensions, should be a call-to-action for legal and compliance teams.

Our international Investigations practice is familiar with handling cross-border disputes and data requests, as well as planning ahead to set internal policies and protocols for your personnel to follow to avoid inadvertent breaches of law in either hemisphere. Please drop us an email to find out more!