Yiqi Cai
With increasing overseas investment and cross-border transactions, it has become common for foreign governmental authorities to demand that Chinese enterprises involved in litigation in foreign countries cooperate and provide their corporate business information. To meet the needs of the investigation, the corporate business information that foreign governmental authorities may require enterprises to collect and provide generally includes emails, customer information and orders, contracts, invoices, payment vouchers, accounting books and other transaction-related records and data that might be connected with the cases. In consideration of their future business development in those countries, most Chinese enterprises generally choose to cooperate with the investigations and to collect and provide the corporate business information required by the foreign governmental authorities. During this process, the method of information collection and delivery, the scope of information disclosure and compliance with Chinese laws and regulations require special attention from the enterprises.
This article, with reference
to the relevant Chinese laws and regulations, will provide explanations and
reminders of legal risks that might be involved in the enterprises’ provision of
corporate business information to foreign governmental authorities to cooperate
in overseas litigation investigations in the following aspects: (i) disclosure
of state secrets, (ii) violation of confidentiality for business information and
(iii) infringement of individual privacy, and will also provide the relevant
operational recommendations.
I. Disclosure of State Secrets
1. Legal Risks
(1) Disclosure of State Secrets
According to the Law of the People's
Republic of China on Protecting State Secrets, where disclosure of any
information involving national security and interests matters may cause harm to
the national security and interests in the aspects of politics, economy,
national defense, foreign affairs, etc., such information shall be recognized
as State secrets. However, the relevant laws and regulations do not provide any
specific explanation for the term “harm”, or a clear definition for the form of
information that might be determined as State secrets. Theoretically speaking,
any information whose disclosure may cause harm to the State politics, economy,
national defense and foreign affairs, is likely to become State secrets as
determined by the State confidentiality administrative authority. Meanwhile,
holders of the confidential information are not limited to State institutions
and State-owned enterprises — ordinary private enterprises without State-owned
assets may also acquire confidential information during their business
interactions with governmental authorities, public institutions or state-owned
enterprises or through other approaches such as participation in a government
funded project. Key technologies developed by enterprises that are of
significance to the State can also be recognized as State secrets. In addition,
the governmental authorities’ discretion in determining State secrets also
increases the risk of disclosure of State secrets when providing business
information.
According to the Law of the People's Republic of China on
Protecting State Secrets, all of the following acts are illegal acts in
violation of the Law and are likely to be subject to administrative penalties
and even criminal liability: (i) transmitting carriers of State
secrets via channels without any confidentiality measures, including ordinary
post, courier, etc.; (ii) transmitting State secrets via the Internet or other
public information networks or via wire or wireless communications that lack
any confidentiality measures; and (iii) exchanging information between
a secret-involved information system and the Internet and other public
information networks without taking any protection measures.
Consequently, if an enterprise is associated with a governmental authority or public institution, or if the enterprise’s business involves the State’s key technology or technology that will be applied to sensitive fields such as military affairs, certain information included in its corporate business information might be determined as State secrets. When providing the foreign governmental authority with its corporate business information, if the enterprise fails to delete such information that might be determined as State secrets or if no approval has been obtained from the relevant confidentiality administrative authority and no confidentiality measure has been adopted, the enterprise is likely to face the risk of disclosing the State secrets and therefore be ordered to bear corresponding administrative or even criminal liability.
(2) Illegal Delivery of Archives
According to the Archival Law of the People's Republic of China
and the Measures for the Implementation of the Archival Law of the People's
Republic of China, "archives" that should be protected under the law refer to
historical records in various forms, including, among others, written materials
in different languages, pictures, diagrams and audio-visual materials, whose
preservation is of value to the State and the society and which have been or are
being directly formed by State authorities, public organizations and by
individuals in their political, military, economic, scientific, technological,
cultural, religious and other activities. For collectively-owned or
individually-owned archives and photocopies thereof, whose preservation is of
value to the State and the society or which should be kept confidential, if any
enterprise or institution or any individual needs to carry, transport or post
them abroad, examination and approval by the relevant governmental archives
administrative department must be obtained, and customs will
release such archives or photocopies upon examining the approval documents;
otherwise, administrative penalties might be imposed on and criminal liability
might even be pursued against the enterprise, institution or individual. It is
clear from the foregoing provisions that the scope of archives that must be
examined and approved before they can be transmitted abroad is quite broad, and
the definition is even more ambiguous than the term “State secret”, since in
addition to historical records that should be kept confidential, historical records
in various forms whose preservation is of value to the State and the society
might also be included.
Consequently, if an enterprise engages in business
activities in fields of significant influence on the State or society, such
as political, military, economic, scientific and technological activities, its
information and data records (including transaction contracts, financial data
and correspondence) are likely to include archives that are of preservation
value to the State or that should be protected. When providing corporate
business information to a foreign governmental authority, if said business
information is not deleted or if such information and photocopies thereof are
transmitted abroad by various means without obtaining the approval from the
relevant archive administrative department, the enterprise is likely to face the
legal risk of an illegal delivery of archives and therefore be demanded to bear
the corresponding administrative or even criminal liability.
2. Operational Recommendations
Since disclosure of State secrets or illegal delivery of
protected archives might subject enterprises to serious consequences including
administrative or even criminal penalties, when collecting and reorganizing
corporate business information to be provided to any foreign governmental
authority, enterprises should first pay attention to disposal of information
that might involve confidentiality.
The enterprises should reorganize
documents, information and data that have been legally determined as State
secrets and exclude them from information to be provided. Considering the
ambiguous statutory scope and boundary of State secrets, in addition to the
foregoing information which has already been defined as State secrets, the
enterprises should also refer to explanations published by the State ministries
in the relevant fields regarding State secrets in practice and the specific
confidentiality levels (if any) and nail down potential information from the
corporate business information that should be kept confidential by means of
searches using certain key words. When determining whether or not the
information involves confidentiality, the enterprises should always be cautious.
The enterprises should take the initiative to communicate with the relevant
confidentiality or archive administrative department in case they believe the
information is highly risky. They can also, if necessary, request the
governmental departments to set a confidentiality level for such information or
issue written opinions to explain to the foreign governmental authorities why
such information cannot be provided.
II. Violation of Confidentiality for Business Information
1. Legal Risks
According to the P.R.C. Anti-Unfair
Competition Law and the Several Provisions of the State Administration for
Industry and Commerce on Prohibiting Infringement of Trade Secrets, enterprises
shall not violate any agreement or any request of the rights owner on keeping
confidential any trade secret and thereby disclose, use or permit others to use
any trade secret under their control. Trade secrets refer to any of the
following technical information and operational information that 1) is not known
to the public; 2) can bring economic profits to the rights owner; 3) has
practical applicability; and 4) is under confidentiality measures of the rights owner,
including without limitation designs, programs, product formulas, manufacturing
techniques and process, management know-how, customer list, supply resources,
production and distribution strategies, base amount and plan in bidding. The
administrative departments for industry and commerce are entitled to impose a
monetary fine in an amount between RMB10,000 and RMB200,000 upon the foregoing
acts of illegally disclosing trade secrets based on the actual circumstance.
Moreover, if an enterprise has signed any confidentiality terms or contract
concerning such information with its customer, and prescribed the information
that should be kept confidential in the contract, it shall also be obligated to
keep confidential such information. If it discloses any such information to any
third party without consent from the customer, it shall be liable for breach of
the contract.
Consequently, if an enterprise acquires through business
activities its customer’s trade secret or other information that should be kept
confidential based on an agreement between the parties, it shall bear the
obligation of confidentiality and not disclose any such information without
consent from the customer. When providing its corporate business information to
a foreign governmental authority, if the enterprise fails to delete the
foregoing confidential information or if it fails to obtain the customer’s prior
understanding and consent, it will face the legal risk of violating
confidentiality concerning the business information and therefore be demanded to
bear the corresponding civil and/or administrative liability.
2. Operational Recommendations
The enterprises should go through the contents and the
performance conditions of contracts concluded with their customers during
transactions which are subject to the investigation, so as to determine whether
there is any confidentiality obligation and the scope of confidential
information.
In practice, it is usually provided in a standard
confidentiality contract or standard confidentiality terms that the recipient’s
disclosure of confidential information at a request of a governmental authority
will not constitute a breach of contract. In fact, foreign governmental
authorities not only directly issue an official subpoena duces tecum to demand
the enterprises’ provision of the relevant business information, but also may
request the enterprises through non-official means to cooperate and assist in
the investigations in the early stage of the cases. Consequently, when the
enterprises receive official subpoenas duces tecum or other official
investigation orders from the foreign governmental authorities, they can
directly provide the customers’ confidential information in accordance with the
foregoing provision, provided however that they should promptly inform the
customers after the provision. Nevertheless, if the foreign governmental
authorities do not require the enterprises to cooperate through official means,
the foregoing provision will not be applicable and the enterprises should
exclude the customers’ confidential information from the corporate business
information they intend to provide. If, according to the investigation
requirements, it is indeed necessary to provide any confidential information,
the enterprises should contact the customers and cannot disclose any relevant
information to the foreign governmental authorities before obtaining the
customers’ understanding and written consent.
Furthermore, it is worth noting
that standard confidentiality contracts or terms are likely to define
information that should be kept confidential as all information related to the
relevant transaction. Therefore in addition to the manufacturing techniques and
processes, designs and technologies, the contracts themselves and the
correspondence, faxes and emails between the enterprises and their customers
are also likely to fall within the scope of confidential information.
Consequently, enterprises should pay special attention to this issue so as to
avoid being held liable for breach of the contracts in the
future.
III. Infringement of Individual Privacy
1. Legal Risks
Although
currently China has not promulgated any special law to protect personal
information, provisions for protecting personal information are available in
laws, administrative regulations and local rules such as the General Principles
of the Civil Law, the Criminal Law and the Law on Protection of the Rights and
Interests of Consumers. Particularly, the Decision of the Standing Committee of
the National People's Congress on Strengthening Network Information Protection
promulgated at the end of December 2012 and the amended Law on Protection of the
Rights and Interests of Consumers coming into effect in March 2014 provide in
detail the statutory obligations of personal information protection for business
operators.
(1) Infringement of Customer’s Privacy
According to the amended
Law on Protection of the Rights and Interests of Consumers, personal information
such as consumers’ privacy should be protected by the law. Enterprises should
strictly keep confidential their consumers’ personal information they collect
and not disclose or illegally provide such information to others. In the event
of an infringement upon consumers’ privacy, in addition to the corresponding
civil liability, the infringer may also be subject to administrative penalties
such as a warning and monetary fine under the relevant laws and regulations.
Although the Law on Protection of the Rights and Interests of Consumers does not
provide a clear definition for the term “personal information”, according to
local consumer protection rules such as the Regulations of Shanghai Municipality
on the Protection of Consumers' Rights and Interests, personal information
should include the names, sex, occupations, education, contact details, marital status,
income and property, finger prints, blood types, medical history and other
information that is closely related to the consumers themselves and their
families.
Consequently, if an enterprise has business connections with natural
person customers who purchase and use its products or receive its services for
living consumption needs, and possesses or collects personal information such as
the customers’ names and contact details during transactions, it should strictly keep
confidential such personal information and cannot disclose it to any third party
without consent. When providing corporate business information to a foreign
governmental authority, if the enterprise fails to delete the foregoing personal
information or obtain the customers’ prior consent, it will face the risk
of infringing the customers’ privacy and therefore be demanded to bear the
corresponding civil and administrative liability.
(2) Infringement of Employee’s Privacy
According to the Regulations on Employment Service and
Employment Management, employers shall keep the employees’ personal data
confidential. Any disclosure of the employees’ personal data shall be made with
written consent of the employees. Meanwhile, according to the Decision of the
Standing Committee of the National People's Congress on Strengthening Network
Information Protection, electronic information that can identify the citizens’
personal identities and that involves privacy of citizens should be protected by
the law. Enterprises and institutions must strictly keep confidential any
electronic personal information of the citizens that they collect during the
business activities, and cannot disclose or illegally provide any such
information to any third party; otherwise, in addition to the civil liability
for infringing individual privacy, they may also be subject to administrative
penalties such as a warning, monetary fine and/or confiscation of illegal
income. Moreover, when collecting and using electronic personal information of
citizens in business activities, enterprises must comply with the principles of
legality, justification and necessity by clarifying the purpose, method and
scope of collection and use of the information, and obtain the relevant
citizens’ consent. The collection and use of the information must conform to
both the laws and regulations and the agreement between the parties and the
rules for the collection and use must be published.
Since the enterprises’
business activities are completed by their employees, when cooperating with
investigations and collecting the relevant corporate business information, it is
usually necessary to collect employees’ emails and archived information from the
enterprises’ computers or the employees’ personal computers. Based on the
foregoing provisions of laws and regulations, although the enterprises are
entitled to supervise, examine and use information and data in connection with
the employees’ work, if such information and data also involve electronic
information concerning the employees’ identities and privacy, the enterprises
must still strictly keep confidential such electronic information. Meanwhile
when collecting information and data that may involve the employees’ electronic
personal information, the enterprises must obtain the employees’ consent and
clearly identify the purpose, method and scope of the collection and use of the
information.
Consequently, when collecting, using and transmitting data and
information such as personal emails of the employees during the provision of
corporate business information to any foreign governmental authority, the
enterprises are likely to face the legal risk of infringing the employees’
privacy and therefore be demanded to bear the relevant civil and administrative
liability, if they do not adopt legitimate collection methods or fail to obtain
the employees’ consent to the use of their personal
information.
2. Operational Recommendations
When providing corporate
business information to foreign governmental authorities, if it is necessary to
lock up employees’ work-computers and collect their work-emails, since such acts
may involve collection and use of the employees’ personal information, the
enterprises must perform the statutory obligation of informing the employees and
obtain their consent beforehand. In practice, the enterprises may consider
asking the employees to sign a confirmation letter, which should indicate that
the employees completely understand and are clearly aware of the purpose,
method, scope and the rules of the collection and use and agree that the
enterprises may disclose the relevant personal information if necessary.
When
reorganizing corporate business information to be submitted, enterprises should
exclude the portion that involves their employees’ or customers’ personal
information, or edit the relevant information to conceal personal information
irrelevant to the investigation (e.g. names, sex, occupations, education,
contact details, etc.). If any personal information cannot be excluded or edited
but does need to be submitted, the enterprises must obtain the relevant
persons’ written consent before providing such information to the foreign
governmental authorities.
IV. Other Risks and Recommendations
During the
provision of corporate business information to foreign governmental authorities,
in addition to the legal risks of disclosing State secrets, violating
confidentiality for business information and infringing individual privacy, such
provision may also involve the risk of disclosing trade secrets since the
corporate business information usually includes the enterprises’ own important
secret know-how and information.
Moreover, when determining the content of
information to be submitted, the enterprises should also consider whether such
information will have any unfavorable influence on pending or potential legal
actions in foreign countries. In the event of criminal cases or civil cases with
significant influence in foreign countries, the enterprises may consider
engaging local attorneys at law to provide risk alerts and suggestions regarding
the information to be submitted based on the key points and the developments in
the cases, so as to avoid submission of any information that might be
unfavorable to them in the future.
If any corporate business information
falls into the scope of the investigation but is considered inappropriate to
submit after the enterprises’ risk analysis, to respond to the foreign
governmental authorities’ requirements for cooperation, the enterprises may
consider engaging Chinese lawyers to offer expert opinions based on the nature
of the information and applicable provisions under Chinese law, draft legal
briefs and present the same to the foreign governmental authorities to provide
reasonable explanation as to why the information cannot be submitted.