The coming into effect of the Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) on September 1 is expected to trigger a series of security assessments conducted by the Cyberspace Administration of China (the “CAC”).  Any “data processor” planning to transfer to another country “important data” or “personal information” collected and generated during its operations inside China is required to follow a process through which the CAC (together with relevant departments or specialized institutions, if necessary) decides whether the data processor has passed the security assessment. 

If the decision is negative, the data processor is allowed to apply to the CAC for a reassessment, the result of which is, according to the Measures, “final”.  Can the data processor still challenge the CAC’s reassessment decision in court?  As discussed below, the answer is “arguably, yes” and, further, this type of judicial review should be welcomed by Chinese policymakers.

Judicial Review of the CAC’s “Final” Reassessment Decisions?

Subject to a few exceptions, China’s Administrative Litigation Law generally authorizes the country’s courts to review the legality of “administrative acts” carried out by administrative organs.  The Administrative Litigation Law explicitly excludes from judicial review “administrative acts that are, as provided by law, to be finally decided by administrative organs” (emphasis added).   In a judicial interpretation, the Supreme People’s Court makes it clear that the word “law” in the preceding quoted phrase refers to “regulatory documents formulated and passed by the National People’s Congress and its Standing Committee”.  

Since the Measures was formulated and passed by the CAC, instead of the National People’s Congress or its Standing Committee, the statement in the Measures that the CAC’s reassessment decisions are “final” does not, by itself, exclude them from judicial review.  Other exclusions stated in the Administrative Litigation Law cover topics that are not relevant here.

Apart from stating explicitly what is excluded from judicial review, the Administrative Litigation Law has a separate article that provides a lengthy list of what judicial review lawsuits the courts are authorized to “accept”.  Among the listed types of lawsuits are, for example, those where legal persons claim that their “rights to operate autonomously” have been infringed or that administrative organs have abused their administrative power to exclude or restrict competition.  In light of this list, a data processor seeking to challenge the CAC’s reassessment decision must establish that the decision has infringed the data processor’s legal rights and interests in such a way that the lawsuit is of a type that a court is authorized to “accept”.

Courts & Key Concepts

While a data processor can arguably seek to have judicial review of the CAC’s reassessment decision if legal requirements for bringing such a lawsuit are met, a more important question is: should this type of judicial participation be welcomed by Chinese policymakers?  The answer is affirmative, considering how diligently Chinese policymakers have been exploring how to define key concepts related to data protection.  

• “Important Data”

Underlying the Measures is a key concept: “important data”.  Article 19 of the Measures defines the term as “data that may endanger national security, economic operation, social stability, public health and safety, etc. once it is tampered with, destroyed, leaked, illegally obtained, or illegally used”.  This rather unclear definition reflects Chinese policymakers’ effort to define the term “important data” is still a work in progress.  Since China’s Cybersecurity Law (which also contains the term “important data”) became effective in 2017, multiple documents have been issued by Chinese policymakers to solicit public opinions on how to define “important data”.  So far, the prevailing approach seems to be defining the term by focusing on specific industries and specific regions. 

The search for specificity, based on industries or regions involved, suggests that the courts’ expertise in incrementally sharpening the definitions of abstract terms through individual cases with highly specific fact patterns could help.  It is for this reason that judicial review of the CAC’s reassessment decisions should be welcomed.  The courts may then draw on a wealth of cases and related sources such as judicial interpretations to deepen understanding of such terms as “economic operation”, “social stability”, and “public health and safety” in the context of data security.

• “Relevant Market”

If Chinese policymakers still have doubts about the role of courts in helping search for a clearer definition of the term “important data”, they should not forget that when it was unclear how the term “relevant market”—a key concept in China’s Antimonopoly Law—should be defined in the context of Internet business, Guiding Case No. 78 (Beijing Qihu Technology Co., Ltd. v. Tencent Technology (Shenzhen) Company Limited and Shenzhen Tencent Computer Systems Company Limited, A Dispute over Abusing Dominant Market Positions) was able to offer clarification.  

I invited Judge John M. Walker, Jr. (Senior Circuit Judge, and former Chief Judge (2000–2006), of the United States Court of Appeals for the Second Circuit) to comment on Guiding Case No. 78.  In a commentary titled In Qihu v. Tencent, the Chinese Supreme People’s Court Offers Antitrust Insight for the Digital Age, Judge Walker wrote:

[…] the decision illuminates the [Supreme People’s Court’s] carefully considered approach to questions of market definition and market dominance in the technology field.  Jurists inside and outside China will find this approach useful.

Qihu v. Tencent was a prime example of a situation where a degree of uncertainty resulted from a key term in newly passed legislation and how the court filled the legislative gap.  The enforcement of the provisions of the Antimonopoly Law depended heavily on how the term “relevant market” was defined.  The law itself did not define this term clearly, let alone its application in a new type of business.  This case illustrates that courts in China are able to make this type of fact-specific inquiry regarding the appropriate interpretation of legal terms and concepts.  For this reason, judicial review cases involving terms such as “important data” can likewise play a constructive role in helping implement China’s new measures on data security.  

---

^† The citation of this article is: Dr. Mei Gechlik, Security, “Important Data”, & Courts in China, SINOTALKS.COM, In Brief No. 20, Aug. 31, 2022, https://sinotalks.com/inbrief/data-security. 

The original, English version of this article was edited by Nathan Harpainter.  The information and views set out in this article are the responsibility of the author and do not necessarily reflect the work or views of SINOTALKS.COM.