With the enormously increasing popularity of social media tools and widely used e-communication in contemporary life and business activities, the demand for regulating electronic data becomes significant. On 1 October 2016, Provisions Concerning the Collection, Extraction, Review, and Judgment of Electronic Data in the Handling of Criminal Cases (‘New Legislation’) jointly issued by the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security of the People’s Republic of China (‘PRC’) took effect. This is the first time that a piece of comprehensive and systematic legislation on electronic data as a specific type of evidence has been introduced in China. Previously, electronic data collection, extraction and review were mainly governed by PRC Criminal Procedure Law and 7 major judicial interpretations which appear rather scattered and undetailed, often causing confusion to police, prosecutors and judges and as well as raising uncertainty for companies under investigation.
According to the New Legislation, although PRC authorities are now able to retrieve electronic data inside and outside China, it remains to be seen how feasible it will be in practice to access data stored overseas. It is also unclear at this stage how cooperation will be sought from local authorities in foreign countries. Locally, all entities and individuals have a general obligation to provide electronic data if required by PRC courts, procuratorates or police.
Scope of Electronic Data
In the New Legislation, electronic data is defined as data that can prove case facts and that was formed during the course of the criminal offence and stored, processed, or transmitted in digital form.
An open-ended list of electronic data is provided in the New Legislation and some of the most popular and extensively used social media apps and platforms in China are explicitly named, such as Weibo, WeChat moments and Post bar. Such a broad definition captures most of the common digital data which one can think of. Evidence recorded digitally, such as witness statements, victim statements confessions and excuse of the accused, are excluded from the scope and will only be treated as electronic data in exceptional cases.
In light of the New Legislation, electronic data includes but is not limited to the following categories:
- Information published on web pages, blogs, micro-blogs, WeChat moments, Post bar, cloud storage and other web platforms;
- Correspondence in the form of mobile phone text messages, e-mail, instant messages, chat groups, and other network application services;
- User registration information, identity verification information, electronic transaction records, communication records, login logs, and other such information; and
- Documents, images, audio/video, digital certificates, computer programs, and other electronic files.
Subject to procedural requirements set out in the PRC Criminal Procedure Law, the New Legislation establishes protocols for electronic data collection and extraction, transportation and display, as well as its review and judgement. Given that data can be easily altered or deleted, the provisions set out requirements to ensure a chain of custody as electronic evidence moves through the criminal procedure. It especially provides clear guideline to PRC authorities on how electronic data should be collected and stored in order to preserve the authenticity and integrity of the data. The procedural requirements worth noting include the following:
- Data collection and extraction must be carried out by at least two investigators.
- In addition to the existing approaches currently used to secure electronic data such as seizing and sealing, the New Legislation introduces a new method – “freezing”. Electronic data may be frozen upon the approval of head of public security or chief procurator at the county level or above.
- To ensure the integrity of the data, original storage media shall be sealed and seized subject to limited exceptions, such as the original storage medium not being convenient for seizing, the data being saved on a remote computer information system, or the original storage medium being located overseas.
- Online extraction is permitted to retrieve electronic data of which the original storage medium is located overseas or stored on a remote computer information system.
- When necessary to verify circumstances through further investigation, remote inquests may be conducted of remote computer information systems. Where it is necessary to employ technical investigation measures to conduct remote inquests, strict approval formalities must be carried out in accordance with law.
- The process of data collection and extraction is required to be video-recorded and investigators must prepare a written record of the process.
- A witness should be appointed to certify the process of electronic data collection and extraction.
Impact on Companies Relating to China
Foreign companies operating in China, as well as companies based in China and with presence overseas should take note of the implementation of the New Legislation and take actions to ensure their compliance.
Companies with a Chinese presence or association are advised to review existing online and mobile data storage on all devices and the use of cloud storage, remote platforms, applications and systems. Considering the current trend in China of using social media for marketing purpose, it is not uncommon for companies to run a couple of official social medial accounts. It is therefore important that companies develop protocols and controls which, for example, limit access to social media accounts to necessary personnel only. In general, companies should also ensure that all employees are educated and informed of the key information in the New Legislation and the nature and legal implications of the information sent and published via emails and social media tools on computers, mobile phones and other electronic devices. In addition, it may also become necessary to re-visit or even establish internal rules on IT usage both for cases where the hardware is offered to the employees by the company as well the bring-your-own-device cases. The same applies to internal rules & guidelines on how employees should respond in instances such as dawn raids, where companies might be faced with the New Legislation directly.