With increasing overseas investment and cross-border transactions, it has become common for foreign governmental authorities to demand that Chinese enterprises cooperate and provide their corporate business information when they are involved in litigation in foreign countries. To meet investigation needs, the corporate business information that enterprises might be required to collect and provide to the foreign governmental authorities generally includes emails, customer information and orders, contracts, invoices, payment vouchers, accounting books and other transaction-related records and data that might be connected with the cases. In consideration of future business development in the foreign countries, most Chinese enterprises will generally choose to cooperate with the investigations and to collect and provide the corporate business information required by the foreign governmental authorities. During this process, the way information is collected and delivered, the scope of information disclosure and compliance with Chinese laws and regulations require special attention from the enterprises.
Drawing on the relevant Chinese laws and regulations, this article explains and flags the legal risks that might be involved when enterprises provide corporate business information to foreign governmental authorities to cooperate in overseas litigation investigations, in the following aspects: (i) disclosure of State secrets, (ii) violation of confidentiality for business information and (iii) infringement of individual privacy. It also provides the relevant operational recommendations.
I. Disclosure of State Secrets
(1) Disclosure of State Secrets
According to the Law of the People's Republic of China on Protecting State Secrets, where disclosure of any information involving national security and interests may cause harm to national security and interests in the aspects of politics, economy, national defense, foreign affairs, etc., such information shall be recognized as State secrets. However, the relevant laws and regulations do not provide any specific explanation for the term “harm”, or a clear definition for the form of information that might be determined as State secrets. Theoretically speaking, any information whose disclosure may cause harm to the State's politics, economy, national defense and foreign affairs is likely to become State secrets as determined by the State confidentiality administrative authority. Meanwhile, holders of the confidential information are not limited to State institutions and State-owned enterprises; ordinary private enterprises without State-owned assets may also acquire confidential information during their business interactions with governmental authorities, public institutions or State-owned enterprises or through other approaches such as participation in a government-funded project. Key technologies developed by enterprises that are of significance to the State can also be recognized as State secrets. In addition, the governmental authorities’ discretion in determining State secrets also increases the risk of disclosure of State secrets when providing business information.
According to the Law of the People's Republic of China on Protecting State Secrets, all of the following acts are illegal acts in violation of the Law and are likely to incur administrative penalties and even criminal liability: (i) transmitting carriers of State secrets via channels without any confidentiality measures, including ordinary post, courier, etc.; (ii) transmitting State secrets via the Internet or other public information networks, or via wired or wireless communications that lack any confidentiality measures; and (iii) exchanging information between a secret-involved information system and the Internet or other public information networks without taking any protection measures.
Consequently, if an enterprise is associated with a governmental authority or public institution, or if the enterprise’s business involves the State’s key technology or technology that will be applied to sensitive fields such as military affairs, certain information included in its corporate business information might be determined as State secrets. When providing a foreign governmental authority with its corporate business information, if the enterprise fails to delete such information that might be determined as State secrets, or if no approval has been obtained from the relevant confidentiality administrative authority and no confidentiality measure has been adopted, the enterprise is likely to face the risk of disclosing State secrets and therefore be ordered to bear the corresponding administrative or even criminal liability.
(2) Illegal Delivery of Archives
According to the Archival Law of the People's Republic of China and the Measures for the Implementation of the Archival Law of the People's Republic of China, "archives" that should be protected under the law refer to historical records in various forms, including, among others, written materials in different languages, pictures, diagrams and audio-visual materials, whose preservation is of value to the State and the society and which have been or are being directly formed by State authorities, public organizations and by individuals in their political, military, economic, scientific, technological, cultural, religious and other activities. For collectively-owned or individually-owned archives and photocopies thereof, whose preservation is of value to the State and the society or which should be kept confidential, if any enterprise or institution or any individual needs to carry, transport or post them abroad, they must first be examined and approved by the relevant governmental archives administrative department, and the customs will release such archives or photocopies upon examining the approval documents; otherwise, administrative penalties might be imposed on and criminal liability might even be pursued against the enterprise, institution or individual. It is clear from the foregoing provisions that the scope of archives that must be examined and approved before they can be transmitted abroad is quite broad, and the definition is even more ambiguous than the term “State secret”, since in addition to historical records that should be kept confidential, historical records in various forms whose preservation is of value to the State and the society might also be included.
Consequently, if an enterprise engages in business activities in fields of significant influence on the State or the society, such as political, military, economic, scientific and technological activities, its information and data records (including transaction contracts, financial data and correspondence) are likely to include archives that are of preservation value to the State or that should be protected. When providing corporate business information to a foreign governmental authority, if said business information is not deleted or if such information and photocopies thereof are transmitted abroad by various means without obtaining the approval from the relevant archive administrative department, the enterprise is likely to face the legal risk of an illegal delivery of archives and therefore be required to bear the corresponding administrative or even criminal liability.
Since disclosure of State secrets or illegal delivery of protected archives might subject enterprises to serious consequences including administrative or even criminal penalties, when collecting and reorganizing corporate business information to be provided to any foreign governmental authority, enterprises should first pay attention to disposal of information that might involve confidentiality.
The enterprises should reorganize documents, information and data that have been legally determined as State secrets and exclude them from information to be provided. Considering the ambiguous statutory scope and boundary of State secrets, in addition to the foregoing information which has already been defined as State secrets, the enterprises should also refer to explanations published by the State ministries in the relevant fields regarding State secrets in practice and the specific confidentiality levels (if any) and nail down potential information from the corporate business information that should be kept confidential by means of searches using certain key words. When determining whether or not the information involves confidentiality, the enterprises should always be cautious. The enterprises should take the initiative to communicate with the relevant confidentiality or archive administrative department in case they believe the information is highly risky. They can also, if necessary, request the governmental departments to set a confidentiality level for such information or issue written opinions to explain to the foreign governmental authorities why such information cannot be provided.
II. Violation of Confidentiality for Business Information
According to the P.R.C. Anti-Unfair Competition Law and the Several Provisions of the State Administration for Industry and Commerce on Prohibiting Infringement of Trade Secrets, enterprises shall not violate any agreement or any request of the rights owner on keeping confidential any trade secret and thereby disclose, use or permit others to use any trade secret under their control. Trade secrets refer to any technical information and operational information that 1) is not known to the public; 2) can bring economic profits to the rights owner; 3) has practical applicability; and 4) is under confidentiality measures of the rights owner, including without limitation designs, programs, product formulas, manufacturing techniques and processes, management know-how, customer lists, supply resources, production and distribution strategies, and base amounts and plans in bidding. The administrative departments for industry and commerce are entitled to impose a monetary fine in an amount between RMB10,000 and RMB200,000 for the foregoing acts of illegally disclosing trade secrets, based on the actual circumstances. Moreover, if an enterprise has signed any confidentiality terms or contract concerning such information with its customer, and prescribed the information that should be kept confidential in the contract, it shall also be obligated to keep such information confidential. If it discloses any such information to any third party without consent from the customer, it shall be liable for breach of the contract.
Consequently, if an enterprise acquires through business activities its customer’s trade secret or other information that should be kept confidential based on an agreement between the parties, it shall bear the obligation of confidentiality and not disclose any such information without consent from the customer. When providing its corporate business information to a foreign governmental authority, if the enterprise fails to delete the foregoing confidential information or if it fails to obtain the customer’s prior understanding and consent, it will face the legal risk of violating confidentiality concerning the business information and therefore be required to bear the corresponding civil and/or administrative liability.
The enterprises should go through the contents and the performance conditions of contracts concluded with their customers during transactions which are subject to the investigation, so as to determine whether there is any confidentiality obligation and the scope of confidential information.
In practice, it is usually provided in a standard confidentiality contract or standard confidentiality terms that the recipient’s disclosure of confidential information at the request of a governmental authority will not constitute a breach of contract. In fact, foreign governmental authorities not only directly issue an official subpoena duces tecum to demand the enterprises’ provision of the relevant business information, but may also request the enterprises through non-official means to cooperate and assist in the investigations in the early stage of the cases. Consequently, when the enterprises receive official subpoenas duces tecum or other official investigation orders from the foreign governmental authorities, they can directly provide the customers’ confidential information in accordance with the foregoing provision, provided however that they should promptly inform the customers after the provision. Nevertheless, if the foreign governmental authorities do not require the enterprises to cooperate through official means, the foregoing provision will not be applicable and the enterprises should exclude the customers’ confidential information from the corporate business information they intend to provide. If, according to the investigation requirements, it is indeed necessary to provide any confidential information, the enterprises should contact the customers and cannot disclose any relevant information to the foreign governmental authorities before obtaining the customers’ understanding and written consent.
Furthermore, it is worth noting that standard confidentiality contracts or terms are likely to define information that should be kept confidential as all information related to the relevant transaction. Therefore in addition to the manufacturing techniques and processes, designs and technologies, the contracts by themselves and the correspondences, faxes and emails between the enterprises and their customers are also likely to fall within the scope of confidential information. Consequently, enterprises should pay special attention to this issue so as to avoid being held liable for breach of the contracts in the future.
III. Infringement of Individual Privacy
Although currently China has not promulgated any special law to protect personal information, provisions for protecting personal information are available in laws, administrative regulations and local rules such as the General Principles of the Civil Law, the Criminal Law and the Law on Protection of the Rights and Interests of Consumers. Particularly, the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection promulgated at the end of December 2012 and the amended Law on Protection of the Rights and Interests of Consumers coming into effect in March 2014 provide in detail the statutory obligations of personal information protection for business operators.
(1) Infringement of Customer’s Privacy
According to the amended Law on Protection of the Rights and Interests of Consumers, personal information such as consumers’ privacy should be protected by the law. Enterprises should strictly keep confidential the consumers’ personal information they collect and not disclose or illegally provide such information to others. In the event of an infringement upon consumers’ privacy, in addition to the corresponding civil liability, the infringer may also be subject to administrative penalties such as a warning and monetary fine under the relevant laws and regulations. Although the Law on Protection of the Rights and Interests of Consumers does not provide a clear definition for the term “personal information”, according to local consumer protection rules such as the Regulations of Shanghai Municipality on the Protection of Consumers' Rights and Interests, personal information should include the names, sex, occupations, education, contact information, marital status, income and property, fingerprints, blood types, medical history and other information that is closely related to the consumers themselves and their families.
Consequently, if an enterprise has business connections with natural person customers who purchase and use its products or receive its services for living consumption needs, and possesses or collects personal information such as the customers’ names and contact information during transactions, it should strictly keep such personal information confidential and cannot disclose it to any third party without consent. When providing corporate business information to a foreign governmental authority, if the enterprise fails to delete the foregoing personal information or obtain the customers’ prior consent, it will face the risk of infringing the customers’ privacy and therefore be required to bear the corresponding civil and administrative liability.
(2) Infringement of Employee’s Privacy
According to the Regulations on Employment Service and Employment Management, employers shall keep the employees’ personal data confidential. Any disclosure of the employees’ personal data shall be made with written consent of the employees. Meanwhile, according to the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection, electronic information that can identify the citizens’ personal identities and that involves privacy of citizens should be protected by the law. Enterprises and institutions must strictly keep confidential any electronic personal information of the citizens that they collect during the business activities, and cannot disclose or illegally provide any such information to any third party; otherwise, in addition to the civil liability for infringing individual privacy, they may also be subject to administrative penalties such as a warning, monetary fine and/or confiscation of illegal income. Moreover, when collecting and using electronic personal information of citizens in business activities, enterprises must comply with the principles of legality, justification and necessity by clarifying the purpose, method and scope of collection and use of the information, and obtain the relevant citizens’ consent. The collection and use of the information must conform to both the laws and regulations and the agreement between the parties and the rules for the collection and use must be published.
Since the enterprises’ business activities are completed by their employees, when cooperating with investigations and collecting the relevant corporate business information, it is usually necessary to collect employees’ emails and archived information from the enterprises’ computers or the employees’ personal computers. Based on the foregoing provisions of laws and regulations, although the enterprises are entitled to supervise, examine and use information and data in connection with the employees’ work, if such information and data also involve electronic information concerning the employees’ identities and privacy, the enterprises must still strictly keep confidential such electronic information. Meanwhile when collecting information and data that may involve the employees’ electronic personal information, the enterprises must obtain the employees’ consent and clearly identify the purpose, method and scope of the collection and use of the information.
Consequently, when collecting, using and transmitting data and information such as personal emails of the employees during the provision of corporate business information to any foreign governmental authority, the enterprises are likely to face the legal risk of infringing the employees’ privacy and therefore be required to bear the relevant civil and administrative liability, if they do not adopt legitimate collection methods or fail to obtain the employees’ consent to the use of their personal information.
When providing corporate business information to foreign governmental authorities, if it is necessary to lock up employees’ work-computers and collect their work-emails, since such acts may involve collection and use of the employees’ personal information, the enterprises must perform the statutory obligation of informing the employees and obtain their consent beforehand. In practice, the enterprises may consider asking the employees to sign a confirmation letter, which should indicate that the employees completely understand and are clearly aware of the purpose, method, scope and the rules of the collection and use and agree that the enterprises may disclose the relevant personal information if necessary.
When reorganizing corporate business information to be submitted, enterprises should exclude the portion that involves their employees’ or customers’ personal information, or edit the relevant information to conceal personal information irrelevant to the investigation (e.g. names, sex, occupations, education, contact information, etc.). If any personal information cannot be excluded or edited but does need to be submitted, the enterprises must obtain the relevant persons’ written consent before providing such information to the foreign governmental authorities.
IV. Other Risks and Recommendations
During the provision of corporate business information to foreign governmental authorities, in addition to the legal risks of disclosing State secrets, violating confidentiality for business information and infringing individual privacy, such provision may also involve the risk of disclosing trade secrets since the corporate business information usually includes the enterprises’ own important secret know-how and information.
Moreover, when determining the content of information to be submitted, the enterprises should also consider whether such information will cause any unfavorable influences on pending or potential legal actions in foreign countries. In the event of criminal cases or civil cases with significant influences in foreign countries, the enterprises may consider engaging local attorneys at law to provide risk alerts and suggestions regarding the information to be submitted based on the key points and the developments in the cases, so as to avoid submission of any information that might be unfavorable to them in the future.
If any corporate business information falls into the scope of the investigation but is considered inappropriate to submit after the enterprises’ risk analysis, to respond to the foreign governmental authorities’ requirements for cooperation, the enterprises may consider engaging Chinese lawyers to offer expert opinions based on the nature of the information and applicable provisions under Chinese law, draft legal briefs and present the same to the foreign governmental authorities to provide reasonable explanation as to why the information cannot be submitted.