近年來,隨著業務的不斷擴大,國內企業在海外開展業務時,不可避免地會因各種商業糾紛而捲入海外訴訟。 來自國外法律的繁瑣訴訟程式(例如,證據開示,這在普通法體系中更為常見)和中國資料跨境傳輸的合規要求,往往給國內企業應對訴訟帶來巨大壓力。
in recent years, chinese domestic enterprises conducting business overseas are commonly known to be involved in foreign lawsuits raised by various commercial disputes due to the continuous expansion of their businesses. the complicated litigation procedures such as the discovery of documents in common law jurisdictions, plus the data compliance requirements on evidence cross-border transfer according to prc laws and regulations make chinese enterprises face overwhelming pressures in responding to their potential lawsuits.
我們最近的乙個跨境訴訟案件涉及證據轉移的資料合規性問題。 在專案期間,我們協助客戶向外國司法機關提供參與訴訟的資料。 考慮到這一點,我們寫了這篇文章來分析過程和注意事項,詳見下文。
we recently handled an international litigation case involving the cross-border transfer of evidence/data. when handling this case, we assisted our client in successfully transferring their electronic documents as case evidence to foreign judicial authorities for litigation purposes. in this article, we will share our insights on the procedures of cross-border data transfer and some matters that may require special attention in the international litigation/arbitration procedures of a chinese company.
一、案情背景。
i.background setting
A科技股份有限公司(以下簡稱“A公司”)是一家在中國註冊成立的公司,主要負責計算機軟體的研發。 由於產品的受歡迎程度,A公司開始拓展海外市場。 然而,不久前,一家在開曼群島註冊成立的公司B因商業糾紛向開曼法院起訴A公司。 根據開曼法律,對於在中國發生的所有案件,A公司必須參與檔案的發現,並向開曼法院提交所有相關證據。
company a is a tech company incorporated under prc laws, with its primary business scope of researching and developing computer software. thanks to its widely renowned products, company a began to expand its business in overseas markets. company a received a claim as the defendant a few months ago, with the plaintiff being company b, a tech company incorporated under the law of cayman island. according to the civil procedure laws of cayman, company a was required to participate in the process of discovery of documents and submit the evidence related to the case to the grand court of cayman in its entirety.
二、證據如何跨境傳遞?
ii.how to transfer the case evidence abroad?
在上述案件中,境內企業A公司需要向境外法院提交其境內經營過程中產生的資訊,作為域外**的證據。 根據中國法律和行業慣例,國內企業向外國法院移交證據主要有兩種情況:1境內實體自願服從境外執法和司法機關; 2.應海外執法和司法機關的要求被動提供。
in view of the case above, company a needs to submit a giant amount of its domestically generated data to the court of cayman for litigation purposes. according to prc laws and general practices, there are mainly two scenarios for chinese domestic entities to submit their electronic documents/case evidence to foreign judicial and law enforcement authorities: (1) the entity voluntarily submits the evidence to the authorities, and (2) the entity submits the evidence to the authorities upon requests.
1.國內企業主動向外國司法機關提供資訊。
1. voluntary submission
主動提供,即資料處理者自願向境外提供資料。 在本案中,如果A公司根據《開曼程式法》的規定,自願向開曼法院提供在中國產生的用於證據開示的資料,則屬於境內企業向外國司法機關自願提供資料。
voluntary submission means the data processors submit the domestically generated data at their own will without any passive demands. in our case, it would be assumed as a voluntary submission if company a transfers its data to the court of cayman spontaneously for the discovery of documents according to the civil procedure laws of cayman.
為了更好地理解資料處理者跨境資料傳輸申報的工作流程,我們以A公司為例。 根據《開曼群島訴訟法》的規定,A公司應訴後,需要在證據開示過程中向本案原告(即B公司)提交與其案件有關的所有證據。 作為一家在中國成立並涉足即時通訊軟體開發的新興科技型企業,A公司的日常業務將涉及大量資料和個人資訊的處理,由於本次訴訟的根本原因也與資料處理有關,因此A公司必須將部分儲存在中國的資料用於本次訴訟。
to understand the process of cross-border data transfer more vividly and concretely, we elaborate on the procedures through our case mentioned above. according to the law of cayman, company a would be obliged to disclose the relevant electronic documents and evidence to the counterparty (company b) in the course of discovery of documents should it wish to attend the lawsuit. as a prc law-incorporated new-tech company developing an instant messaging platform, company a needs to handle an abundant amount of personal even sensitive personal information. more importantly, as the litigation was to some degree related to data processing, company a has the duty to disclose certain parts of its data generated domestically.
有鑑於此,A公司應按照《資料出境安全評估辦法》(以下簡稱“《評估辦法》”)的規定完成風險自評估,並完成風險自評估報告。 在評估過程中,A公司需要特別注意訴訟中使用的資料的內容、型別和數量是否達到法律規定的門檻,即自上一年1月1日起,在境外提供了10萬人的個人資訊或1萬人的敏感個人資訊, 或者它涉及重要資料。
in that case, according to measures for the security assessment of outbound data transfer (“the measures”),company a would be obliged to complete a two-step assessment—the "security self-assessment" and the "regulatory authority assessment" before transferring the evidence to its counterparty in cayman island. during the assessment, it would require company a special attention to note whether the document to be transferred abroad reaches the assessment threshold, specifically, transferring “personal information” abroad of over 1 million people, or “sensitive personal information” of over 10,000 people cumulatively since january 1 of the previous year, or information containing “important data”, etc.
如果評估認為符合上述條件,A公司必須在完成風險自評估後,將評估報告和法律要求的其他檔案提交當地網信管理部門進行第二次評估和監管部門審查。 只有在獲得國家網信辦的批准後,A公司才能將涉案資料提交B公司提起訴訟。
if the abovementioned threshold is reached, company a should draft a self-assessment report concerning the risks of transferring data abroad based on its assessment result, and submit the report, together with other required **work to local cyberspace administration authorities (“cac”) for regulatory authority assessment. company a is only allowed to transfer its documents abroad once it has obtained permission from cac.
如A公司對評審結果有異議,A公司可向部門申請重新評審。 但需要注意的是,根據《評估辦法》的規定,重新評估結果僅為最終結果,沒有其他補救措施。 由於複評終局性,根據《行政訴訟法》的規定,A公司提起的行政復議和行政訴訟不予受理。
if company a has any objection to the assessment result provided by cac, it may apply for a reassessment to the same authority. but note that the result of the reassessment is determined to be final and no further remedies are currently **ailable according to the measures. it therefore suggests that the finality of reassessment bans the applicant from further applying for administrative reconsideration even administrative litigation according to the administrative litigation law of the prc.
2.應海外執法和司法機關的要求被動提供。
2. submission upon requests by foreign authorities
如果A公司在訴訟過程中收到開曼群島法院的檔案,並要求其按照特定程式直接向開曼群島法院提交在中國產生的資料,則視為應境外司法機關的要求被動提供資料。
conversely, if company a receives court documents demanding a direct submission of its documents straightly to the court of cayman rather than to company b, it would then constitute a submission upon requests by a foreign judicial or law enforcement authority.
與主動提供不同,被動提供類似於司法協助程式,涉及國家司法主權等一系列問題,因此將受到更嚴格的監管規則的約束。
differentiating from voluntary submission, submission upon request is more akin to international judicial assistance. submission upon requests by foreign law enforcement or judicial authorities may involve a range of issues such as the judicial sovereignty of a country and thus subject to stricter regulatory rules.
《個人資訊保護法》第41條、《資料安全法》第36條規定,中華人民共和國主管機關應當依照有關法律和中國締結或者加入的國際條約、協定,或者按照平等互惠原則,處理外國司法機關、執法機關要求提供儲存在中國境內的資料或者個人資訊的請求。 未經主管機關批准,機構或者個人資訊處理者不得向境外司法機關、執法機關提供儲存在中國境內的資料或者個人資訊。 不難看出,中國法律對境外執法和司法機關收集國內證據有嚴格的限制。
article 41 of the personal information protection law of china (“pipl”) and article 36 of the data security law of china (“data security law”) both provide that the competent authority of the prc shall process a request for data from a foreign judicial or law enforcement authority in accordance with relevant laws and international treaties and agreements entered into or acceded to by china, or under the principle of equality and reciprocity. without the approval of the competent authority, a domestic entity shall not provide data stored in the territory of china to any foreign judicial or law enforcement authority. as indicated, prc laws impose strict restrictions on foreign law enforcement and judicial authorities accessing domestically generated evidence.
2023年3月30日,司法部發布關於民商事國際司法協助的進一步說明,明確境外司法機關在中國境內取證的,應當按照《海牙民商事案件境外取證公約》(《海牙公約》)規定的渠道向有關部門提出請求, 法院經批准後予以執行[1]。由此也可以推斷,國內企業不得應境外司法機關的要求直接向境外司法機關提供儲存在中國境內的資料,而應通過指定渠道完成證據移送。
the ministry of justice made an additional clarification regarding international civil and commercial judicial assistance on 30 march 2023, stating that a foreign judicial or law enforcement authority is not allowed to obtain domestically generated or stored data unless requested through channels stipulated in convention on the taking of evidence abroad in civil or commercial matters (“the hague convention”).the transfer of the evidence shall be executed by the competent court upon permission granted. given these points above, we can also deduce that domestic entities are not allowed to transfer documents directly to foreign law enforcement or judicial authorities unless following the designated channels upon permission.
此外,司法部在問答中對境外執法和司法機關在中國取證時可能遇到的一些問題進行了詳細解釋,例如:
besides, the clarification provided by the ministry of justice detailly elaborates on some potential scenarios that may be encountered by foreign authorities, for example:
境外司法機關或者司法人員在中國境內取證的,需要由具有資格的外國司法機關或者個人按照《海牙公約》規定的渠道向司法部提出調查取證請求。 未與中國締結相關條約的國家或地區,需向***提交申請。 請求獲得批准後,由法院執行,結果由請求方由收到請求的部門答覆。
foreign judicial authorities must follow the procedures specified in the hague convention should they seek to obtain evidence in china. the qualified requesting party needs to submit an evidence investigation and collection request to the ministry of justice. for countries or regions with which china has yet to enter into treaties, requests should be submitted to the ministry of foreign affairs and executed by the competent court upon approval. the results of the collection request will be provided by the receiving authority.
由於中國在加入《海牙公約》時對除第十五條以外的第二章有所保留,因此外國司法機關和個人不得直接(包括通過技術手段)詢問位於中國的證人,只能通過條約規定的渠道通過外交途徑向司法部或司法部提出取證請求。 該請求將在批准後由法院執行。
due to china’s reservation made upon acceding to the hague convention on chapter ii in its entirety except for article 15, foreign judicial authorities or relevant personnel are prohibited from directly questioning witnesses located within the territory of china, including technological methods such as phone calls or video. the only permissible method would be through the channels mentioned above.
根據《民事訴訟法》的規定,除中國律師外,外國司法機關或者有關人員不得委託中國境內的其他人協助取證或者詢問證人,指定律師必須經法院批准後方可執行。
according to the civil procedure law of china, except for qualified chinese lawyers, foreign judicial authorities or relevant personnel are not allowed to engage any individuals within china to assist in obtaining evidence or questioning witnesses. approval from the court is required before engaging the services of a chinese lawyer for such purposes.
我們理解,由於涉及國家司法主權,立法者通常會為外國當局直接收集國內證據設定更嚴格的程式。 任意允許外國機關收集證據,不僅會損害一國的司法主權,還可能涉及洩露國家秘密,可能危害******因此,《國情法》對未經法律程式向外國司法機關提供國內資料的行為,如警告、停業整改等行政處罰、 吊銷營業執照,並處以最高百萬元的罰款[2]。國內企業不得無視上述規定,依法向境外提供資料,否則將面臨沉重的法律責任。
we understand that legislators are purposefully imposing strict procedures on foreign judicial authorities obtaining domestically generated evidence because it may relate to the judicial sovereignty of a country. arbitrarily allowing foreign authorities to obtain evidence not only undermines judicial sovereignty but also threatens national security. therefore, data security law imposes he**y legal responsibilities for straightly providing domestically generated data to foreign authorities without following the prescribed legal procedures such as warning, suspension of business for overhaul, revocation of business license, or fines up to millions of cny. thus, it is crucial that chinese entities do need to comply with designated procedures before transferring their data abroad, especially to judicial or law enforcement authorities. otherwise, a he**y legal burden may be imposed if disobeying the law.
3.實用建議。
iii.recommendations on general practices
企業在經營過程中,不可避免地會產生敏感資訊,這無疑使企業難以應對境外的訴訟。 有鑑於此,為幫助國內企業維護自身合法權益,我們提出以下建議。
it is almost inevitable for enterprises to generate sensitive information while operating, and such information would no doubt impose burdens on responding to lawsuits. in view of the above and for the sake of helping domestic enterprises safeguard their legitimate rights and interests, we would make the following suggestions.
1.對資訊進行匿名化處理。
1. information redaction
根據《個人資訊保護法》第4條,匿名資訊不屬於該法中“個人資訊”的定義。 因此,在自願境外提供的情況下,企業可以根據實際情況對資料進行評估,如果情況允許,可以對部分資訊進行匿名化處理,以避免網信辦的審查。
article 4 of pipl provides that information being redacted and anonymized does not belong to the “personal information” defined under pipl. therefore, under the circumstance of voluntary submission, domestic entities can redact their documents, depending on the actual situation if permissible, to circumvent the requirement of cac assessment.
2.如實向有關部門報告。
2. truthful declaration
在自願提供的情況下,如涉及重要資料或個人資訊和實踐中不允許匿名化的重要資料等個人資訊和重要資料,我們建議企業嚴格依法完成網路安全自評估和網信辦安全評估,並在跨境傳輸前徵得監管部門許可。 收到被動請求的,資料處理者應當盡快向當地有關部門報告,並按照規定程式完成國內證據的收集工作,以免錯過期限,損害自身權益。
under the circumstances of voluntary submission, if the documents to be transferred abroad contain data such as unredacted personal information and important data, we recommend domestic entities strictly abide by prc laws on performing security self-assessment and regulatory authority assessment duly. the evidence can be transferred abroad only when permission is granted from regulatory authorities. under the circumstances of submission upon requests, we recommend the domestic entities contact relevant local authorities immediately after receiving foreign court orders and transfer the evidence following the prescribed channels.
資料的跨境傳輸不是一件小事。 隨著對外開放的不斷擴大,中國企業參與的境外訴訟或仲裁數量只會增加,涉及的跨境資料傳輸也將增加。 為保障企業合法權益,保障訴訟程式如期進行,建議企業依法約定完成對跨境資料的必要風險評估,並履行相關備案申報程式,確保跨境資料合法合規。
as chinese enterprises are continuously expanding their involvement in international trading, the number of overseas litigations or arbitrations is expected to be increasing in the following years. consequently, the volume of cross-border data transfer associated with the cases is likely to grow as well. to safeguard legitimate rights and ensure the smooth progress of litigation procedures, it is suggested that prc companies should conduct necessary risk assessments for cross-border data transfer as per legal requirements. prc companies are also advised to fulfill relevant declaration obligations to ensure that data transfer is conducted in a legal and compliant manner to **oid its potential legal responsibilities.
特別宣告:大成嚴格遵守保護客戶資訊的義務,本文涉及的客戶專案內容均取自公開資訊或已徵得客戶同意。 本文所表達的內容和意見僅供參考,並不代表大成的任何立場,也不應被視為發布任何形式的法律意見或建議。 如需**或引用文章的任何內容,請私信傳達授權並在文章開頭註明**。 未經授權,您不得**或使用此類文章中的任何內容。