In the context of a dawn raid under the EU Foreign Subsidy Regulation (FSR), the EU General Court (GC) has refused to suspend the European Commission (EC)’s request to access employees’ mailboxes located in China.
The GC’s decision highlights the difficult situation of Chinese (and other non-EU) companies facing conflicting legal requirements in the EU and in their home jurisdictions. In particular, it suggests that such companies facing cross-border data transfer restrictions under Chinese law may need to seek exemptions from Chinese authorities, or risk sanctions under both EU and Chinese law.
The Issue: Accessing materials located in China
The case involves the EC’s first unannounced on-site inspection (“dawn raid”) conducted under the FSR. As we explained in our previous alerts, the FSR aims to address distortions in the internal market resulting from subsidies granted by non-EU countries. The EC has extensive investigatory powers under this regulation, including to conduct dawn raids at the premises of companies suspected of benefiting from such subsidies.
In April 2024, the EC carried out dawn raids at Nuctech Warsaw Company Limited sp. z o.o., based in Poland, and Nuctech Netherlands BV, based in the Netherlands. Both entities are wholly owned subsidiaries of Nuctech Hong Kong Co. Ltd, which is ultimately controlled by Tsinghua Tongfang Co. Limited, a company registered in China and listed on the Shanghai Stock Exchange.
During the raid, the EC sought access to the mailboxes of certain employees who are Chinese citizens. These mailboxes were stored on servers located in China and managed by a Chinese parent company. The EC requested that Nuctech place a legal hold on these mailboxes and make the data available for inspection.
Only Nuctech’s Polish and Dutch entities were addressees of the EC’s dawn raid and legal hold request. These entities made two applications to the GC: (i) to annul the EC’s decision ordering the dawn raid and any subsequent requests, including the legal hold requests; and (ii) for interim measures, to immediately suspend the EC’s request for the mailboxes, until the GC rules on the annulment of the EC’s decision.
Nuctech’s key argument: Chinese law restricts cross-border data transfer
Nuctech argued that giving the EC access to employees’ mailboxes stored in China would infringe Chinese law.
Specifically, Nuctech argued that Article 31 and Article 36 of the Data Security Law, Article 41 of the Personal Information Protection Law and Article 28 of the Law on Safeguarding State Secrets impose strict data transfer restrictions and potential criminal sanctions for unauthorized disclosure of data stored in China.
The General Court is unconvinced
In August 2024, the GC denied Nuctech’s application for interim measures and rejected Nuctech’s arguments that possible conflicts with Chinese laws should justify suspending the EC’s requests.
First, the GC rejected claims that Nuctech’s Polish and Dutch entities had no access to the servers located in China. The court highlighted that this does not mean they did not have access to the requested information, in particular, from laptops located within the EU and connected to servers located in China.
Second, the GC rejected the arguments of Nuctech’s Polish and Dutch entities that, since the information was stored in China, it was for their parent company to respond to any request for disclosure of that information. The Nuctech entities also claimed it was their parent company, established in China, which took the view that it had to take account of Chinese law in determining whether to provide the requested information to the EC. However, the GC held that the Polish and Dutch Nuctech entities were established in the EU, and the arguments raised did not substantiate why Chinese law prevented them (as opposed to their Chinese parent) from responding to the EC’s requests.
Third, the GC rejected Nuctech’s arguments that Chinese administrative and criminal sanctions could serve as a legal basis to suspend the EC’s requests. It gave two key reasons:
- Concerning applicable administrative penalties, the GC pointed out that according to Nuctech’s explanations, these were generally pecuniary in nature. Under settled case law, any financial damage can only justify the suspension of an EC decision if it threatens to result in serious and irreparable harm that imperils the applicant’s financial viability before final judgment is given. The GC held that Nuctech failed to establish this, because it did not provide supporting documentation that would have produced an accurate overall picture of its financial situation.
- Concerning criminal penalties, the GC found that Nuctech relied on specific provisions of Chinese law that could be infringed only if the data requested by the EC were disclosed without the necessary prior authorisations granted by the competent Chinese authorities. However, the GC found that Nuctech failed to seek such authorisations from the Chinese authorities and therefore did not demonstrate that any such requests had been refused. The GC therefore held that Nuctech failed to show why the EC’s requests compelled it to commit a criminal offence.
A high burden for non-EU companies to resist EU data requests
While the GC has not issued a final decision on Nuctech’s request to annul the EC’s decision, its reasoning implies it is likely to also reject that request. The case highlights the complex dilemma faced by non-EU companies operating within the EU when faced with data disclosure requests, as well as conflicting cross-border data transfer restrictions under non-EU laws. The general rule is that EU law applies to any activity taking place or having an impact within the EU. This principle is firmly established, and exceptions are very narrow.
To resist a data request by the EC, it is not sufficient to show that providing the data would breach non-EU laws, even if they are criminal in nature. Instead, the GC implies that Nuctech could have resisted the EC’s legal hold request only if it had requested exemptions from Chinese authorities and such requests were denied.
The GC also criticized Nuctech for not proposing "other methods which would enable them to provide the information without infringing Chinese law." This suggests that companies could be subject to an obligation even broader than the requirement to seek authorisations—to proactively seek alternative ways to provide the requested data despite local law restrictions. While the GC did not discuss this requirement further in Nuctech’s case, it signals that companies face a high bar if they seek to use non-EU regulations as a ground to resist the EC’s data requests.
The EC has only just started enforcing the FSR. Non-EU companies should expect further investigations, including dawn raids, and similar conflicts are likely to arise.
This case serves as a reminder to non-EU companies that they should review and carefully adjust their data flows and compliance policies, to ensure that they are in a position to comply with both EU investigatory requests and non-EU regulations on cross-border data transfers.
[View source.]
