On 9 September 2016, the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security of the People’s Republic of China (“PRC”) jointly issued the New Rules on Electronic Data Collection, Extraction and Review in Criminal Cases (“New Rules”), which will take effect on 1 October 2016.
Previously, PRC regulations regarding electronic data collection and review were considered scattered and high-level, often causing confusion and uncertainty to the authorities as well as target companies under investigation. Among other things, the New Rules define the scope of electronic data, specify the powers of the investigation authorities and set out detailed requirements on collection, extraction and transfer, including the consequences for failure to observe these requirements. Our alert discusses the implications of the New Rules.
With a broader definition of electronic data, the New Rules allow PRC authorities to collect almost any piece of digital information, including mobile phone records and messages, social media communications and any data retained on a computer or server. This will enable Chinese investigation authorities to locate, identify and secure “smoking gun” or traces of crime in a more efficient and effective way.
The New Rules will also, for the first time, explicitly allow Chinese authorities to retrieve and extract electronic data which original storage medium is located outside China or on a remote computer information system, through online extraction. In other words, in addition to having access to onshore data in China, authorities will be allowed to access data stored in offshore systems. This is a significant development as it means that offshore data kept by foreign affiliates of PRC businesses or belonging to multinational companies doing business in China could potentially be subject to collection and review from China.
Key features of the New Rules
Scope of Electronic Data
The New Rules provide a non-exhaustive list of electronic data that are potentially subject to collection and review by the authorities in the following categories:
- Information on web pages, blogs, micro-blogs, WeChat Moments, and network drives;
- Mobile phone text messages, e-mails, instant messages, chat groups and other information via network application services;
- User registration information, identity verification information, electronic transaction records, communication records, and log-in logs; and
- Documents, images, audio visual, digital certificates, computer programs, and other electronic files.
Power of Investigation Authorities
The New Rules specify that PRC courts, PRC Procuratorates (the Chinese term for prosecutor) and the Public Security Bureau (i.e., the police) have the legal power and authority to collect electronic data from companies and individuals in China as potential evidence in criminal proceedings. All companies and individuals have a general obligation to cooperate and produce the required data.
Data Collection Process
The key procedural requirements for collecting and retrieving electronic data are summarized as follows:
- Data collection and extraction must be conducted by at least two investigators.
- When collecting or extracting electronic data, the original storage media must be seized and sealed to secure the integrity of the data, subject to limited exceptions (e.g., the original storage medium is located overseas or the data is saved on a remote computer information system).
- The investigators shall prepare a written transcript recording the cause(s) of action, target, content (of collected data), and the time, location, method, and process of data collection and extraction, and attach a list of the electronic data stating the category and file format of the collected data. The investigators and the data holder (i.e., provider) must sign or stamp the transcript. If the data holder refuses to sign, the transcript should state this and be signed by the investigators and a witness.
- The investigators must appoint a witness to certify the data collection process or video-record the process if possible.
- Data should not be changed or tampered with during the collection and transfer process. The investigators must document each step of seizure, transportation, and storage of digital evidence and make the documentation available for review.
Failure to Observe Procedural Requirements
If the data collection process has procedural defects (e.g. the original storage medium is not sealed, the investigators, data holder or witness fail to sign the transcript, the transcript fails to specify clearly the name, category and format of the electronic data, etc.), which cannot be cured, the collected or extracted data will not be admissible as evidence in a criminal case.
Actions to consider
Given these new developments, companies doing business in China (especially local subsidiaries of multinational corporations) should consider the following actions:
- Educate relevant personnel (e.g., data privacy/security function) on the new developments and requirements under the New Rules.
- Review existing IT systems and assess potential implications and ramifications under the New Rules.
- Formulate or strengthen relevant policies and procedures in relation to the handling and retention of electronic data and computer systems (e.g., IT and dawn raid policies).
Review existing data storage practices and the use of remote systems, platforms and applications, including protocols for securing onshore and offshore data and access to necessary personnel.
- Develop company policy on and provide training to employees for posting or publishing information on social media, emails, mobile phones and other electronic devices.
- Seek legal advice and provide training to employees on responding to requests by investigators, including protocols for the onsite response team in relation to requests for the production of data potentially not relevant to China and/or the target of the investigation.
- When facing criminal investigations, companies should closely monitor the investigator’s data collection activities to ensure that due process is observed in accordance with the requirements under the New Rules.
With the development of the internet and extensive use of technology in business operations, digital data has become an increasingly important form of evidence. However, the fragile nature of digital evidence, which can be easily altered, damaged, or destroyed, means that proper procedures and processes for the handling of data are just as important as the evidence itself.
It remains to be seen how the authorities will apply the New Rules in practice, in particular in relation to the collection of offshore data belonging to foreign companies doing business in China. Nevertheless, companies doing business in China must continue to be vigilant and adopt robust internal controls and policies to ensure that data is properly retained and managed.