Did China Quietly Authorize Law Enforcement to Access Data Anywhere in the World?

President Trump is scheduled to meet with Chinese president Xi Jinping next month. The White House may want to use the two-day summit to seek a point of clarification: Is Chinese law enforcement authorized to remotely access data located outside its jurisdiction?

On September 20, 2016 the Supreme People’s Court, Supreme People’s Procuratorate (China’s prosecutor), and the Public Security Bureau jointly released 30 regulations governing the collection and examination of digital data in criminal investigations. Unsurprisingly, the regulations were primarily only of interest to Chinese judges, lawyers, and public security officials.

Tucked in among the relatively mundane provisions, however, was a potentially rather alarming development that has thus far escaped much public notice in the United States. The regulations seem to authorize the unilateral extraction of data concerning anyone (or any company) being investigated under Chinese criminal law from servers and hard drives located outside of China.

Article 9 of the 2016 regulations provides that the police or prosecutors may extract digital data from original storage media (e.g., servers, hard drives) that are located outside of mainland China (i.e., including servers in Hong Kong, Macau, and Taiwan) “through the Internet” and may perform “remote network inspections” of such computer information systems. Remote network inspections are helpfully defined, in Article 29, as “investigation, discovery, and collection of electronic data from remote computer information systems related to crime through the Internet.” The only caveat to this grant of authority is a requirement that investigations be subject to “strict standards.” No guidance is provided as to what “strict” means.

On its face, the regulation indicates that Chinese officials have authorization to remotely search or extract data anywhere in the world, subject only to the limitations of domestic law. This is a dramatic departure from the US view that the ordinary prohibitions on law enforcement operating in a foreign territory without permission apply to the remote search of electronic evidence.

The Department of Justice Manual, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (2009) notes:

When United States authorities investigating a crime believe electronic evidence is stored by an Internet service provider on a computer located abroad (in “Country A”), U.S. law enforcement usually must seek assistance from law enforcement authorities in Country A. Because, in general, law enforcement officers exercise their functions in the territory of another country only with the consent of that country, U.S. law enforcement should only make direct contact with an ISP located in Country A with (1) prior permission of the foreign government; (2) approval of DOJ’s Office of International Affairs (“OIA”) (which would know of particular sensitivities and accepted practices); or (3) other clear indicia that such practice would not be objectionable in Country A. The U.S. view (and that of some other countries) is that prior consultation is not required to (1) access publicly available materials in Country A, such as those posted to a public website, and (2) access materials in Country A with the voluntary consent of a person who has lawful authority to disclose the materials.

While the United States and other countries have struggled to address technological developments that make it difficult or impossible to know where a computer is located prior to a search—and thus to seek permission from the foreign country—this is a distinct claim from asserting jurisdiction to search a computer located in another country. The DOJ Manual directs law enforcement to “immediately” consult the appropriate departments “[i]n the event that United States law enforcement inadvertently accesses a computer located in another country . . . as issues such as sovereignty and comity may be implicated.”

It is difficult to square this view with that expressed in the new Chinese regulations, which contemplates Chinese law enforcement’s direct access to extraterritorial data.

By way of context, these jointly released regulations are supplemental to processes established in China’s 2012 Criminal Procedure Law. In particular, they appear to be promulgated pursuant to Article 52 of the Criminal Procedure Law, which authorizes the People’s Courts, People’s Procuratorates, and public security agencies to collect and obtain electronic evidence from work units (companies, roughly speaking) and individuals. Neither the Criminal Procedure Law nor the 2016 regulations define substantive crimes. For that, we must look to China’s 2011 Criminal Law and, more specifically, the 2016 Cybersecurity Law. Most of the activities subject to criminal investigation are unsurprising (e.g., treason, subverting national sovereignty). Others have fewer corollaries in American criminal law (e.g., organizing or scheming to overthrow the socialist system, requiring that companies verify an individual’s real identity before providing internet services).

From a policy perspective, protecting China’s “cyber sovereignty” (网络空间主权) has been a key priority for Xi Jinping’s administration. In 2015 he asserted that the Internet “is by no means a land beyond law.” Since then, official news outlets have reaffirmed that “any state must be able to decide what measures to take when it comes to defending their national interests in cyberspace.”

The September 2016 regulations are in keeping with this understanding of China’s sovereignty in cyberspace. They apply to a huge variety of data, including but not limited to information from any online platforms, text messages, emails, and instant messages, as well as e-commerce records, username information, log-in records and any other computer files, pictures, a/v recordings, and digital certificates (Article 1). The regulations stipulate that courts, prosecutors, and police can collect and examine digital data from individuals as well as companies and NGOs (Article 3). There are no provisions for contesting requests for digital data, though the Criminal Procedure Law provides that evidence “not collected according to statutory procedures” likely to “materially damage” justice “shall be subject to correction or reasonable explanations, and shall be excluded” if such a correction or explanation cannot be made (Article 54).

While these regulations do not depart from China’s understanding of cyber sovereignty, they may prove especially problematic given the breadth of political crimes under Chinese law, as well as the expanding number of multinational corporations potentially subject to criminal investigation by Chinese authorities. It is unsurprising—though still concerning—that Chinese law enforcement is granted sweeping powers in the digital domain with few procedures for protecting private or sensitive information. But this domestic legal authority to extract information from extraterritorial devices may set China on a collision course with the interests of States sovereign over where the data is located.

As the United States works to establish norms in cyberspace, President Trump would be wise to seek specific explanation regarding the meaning of this authority and the extent to which Chinese authorities plan to exercise it.