On 9 September 2016, the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security jointly issued the New Rules on Electronic Data Collection, Extraction and Review in Criminal Cases, which will take effect on 1 October 2016.
Previously, regulations regarding electronic data collection and review were considered scattered and high-level, often causing confusion and uncertainty to the authorities, as well as target companies under investigation. Among other things, the new rules define the scope of electronic data, specify the powers of the investigation authorities and set out detailed requirements on collection, extraction and transfer, including the consequences for failure to observe these requirements.
With a broader definition of electronic data, the new rules allow PRC authorities to collect almost any piece of digital information, including mobile phone records and messages, social media communications and any data retained on a computer or server. This will enable Chinese investigation authorities to locate, identify and secure “smoking guns” or traces of crime in a more efficient and effective way.
The new rules will also, for the first time, explicitly allow Chinese authorities to retrieve and extract electronic data where the original storage medium is located outside China, or on a remote computer information system, through online extraction. In other words, in addition to having access to onshore data in China, authorities will be allowed to access data stored in offshore systems.
This is a significant development as it means that offshore data kept by foreign affiliates of PRC businesses, or belonging to multinational companies doing business in China, could potentially be subject to collection and review from China.
Scope of electronic data. The new rules provide a non-exhaustive list of electronic data that are potentially subject to collection and review by the authorities in the following categories:
- Information on web pages, blogs, micro-blogs, WeChat Moments, and network drives;
- Mobile phone text messages, e-mails, instant messages, chat groups and other information via network application services;
- User registration information, identity verification information, electronic transaction records, communication records, and log-in logs; and
- Documents, images, audio-visual, digital certificates, computer programs and other electronic files.
Power of investigation authorities. The new rules specify that PRC courts, procuratorates (the Chinese term for prosecutor) and the Public Security Bureau (i.e., the police) have the legal power and authority to collect electronic data from companies and individuals in China as potential evidence in criminal proceedings. All companies and individuals have a general obligation to co-operate and produce the required data.
Data collection process. The key procedural requirements for collecting and retrieving electronic data are summarized as follows:
- Data collection and extraction must be conducted by at least two investigators;
- When collecting or extracting electronic data, the original storage media must be seized and sealed to secure the integrity of the data, subject to limited exceptions (e.g., the original storage medium is located overseas, or the data is saved on a remote computer information system);
- The investigators must prepare a written transcript recording the cause(s) of action, target, content (of collected data), and the time, location, method, and process of data collection and extraction, and attach a list of the electronic data stating the category and file format of the collected data. The investigators and the data holder (i.e., provider) must sign or stamp the transcript. If the data holder refuses to sign, the transcript should state this and be signed by the investigators and a witness;
- The investigators must appoint a witness to certify the data collection process or video-record the process if possible;
- Data should not be changed or tampered with during the collection and transfer process. The investigators must document each step of seizure, transportation and storage of digital evidence, and make the documentation available for review.
If the data collection process has procedural defects (e.g., the original storage medium is not sealed, the investigators, data holder or witness fail to sign the transcript, the transcript fails to specify clearly the name, category and format of the electronic data, etc.) that cannot be cured, the collected or extracted data will not be admissible as evidence in a criminal case.
Business Law Digest is compiled with the assistance of Baker & McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker & McKenzie by e-mailing Danian Zhang (Shanghai) at: [email protected]