Editor’s Note — DCC.
The cross-border data discovery question — when a foreign government demands data stored in China, what happens? — is one of the highest-stakes uncertainties for multinational compliance teams. Wang Qinglan’s framing is the cleanest taxonomy DCC has seen in Chinese-language commentary on this question. Four discovery paths; three jurisdictional doctrines; one set of operational implications for foreign-invested entities operating across the squeeze. We summarize her piece for overseas counsel and note where the picture has continued to shift in 2026.
Four cross-border discovery paths
When an authority wants data sitting in another country, Wang frames the question as: what’s the path? Four paths cover the field:
Path 1 — Traditional Mutual Legal Assistance (MLA, 司法协助)
The classic public-to-public path. Country A’s government sends a formal MLA request to Country B’s government; Country B’s competent authority obtains the data from the holder under Country B’s domestic procedures and transmits it back. The entire process is government-to-government.
This is the sovereignty-respecting model. China has signed MLA treaties with 91 countries. The cost is speed: MLA requests to the United States average a 10-month turnaround, which is incompatible with most cybercrime investigations where evidence is volatile.
Path 2 — Unilateral Public-to-Private (单边公对私)
A foreign authority bypasses the data-location government and demands the data directly from the company holding it. Two sub-modes:
- Voluntary cooperation. The authority issues a request; the company complies or doesn’t, with no legal compulsion. Pre-CLOUD-Act U.S. and EU member-state practice often took this form, with notoriously variable response rates: Microsoft historically responded to 78% of non-U.S. requests; Twitter only 21%.
- Compulsory production. The authority issues a production order with the force of law; the company must comply or face sanctions. The U.S. CLOUD Act (2018) is the archetype.
China’s position on this path: firmly opposed. Article 41 of China’s International Criminal Judicial Assistance Law (国际刑事司法协助法), Article 36 of the Data Security Law, and Article 41 of the Personal Information Protection Law all prohibit Chinese entities from transferring data to foreign authorities without Chinese government approval. The doctrinal framing: a foreign authority approaching a Chinese company directly is a sovereignty violation, regardless of whether the company is willing to cooperate.
Path 3 — Bilateral / Multilateral Public-to-Private (双边或多边公对私)
A negotiated middle ground. Countries sign bilateral or multilateral treaties that mutually recognize each other’s production orders as legally effective in the partner country. The U.S. has executive agreements with the UK and Australia under the CLOUD Act. The EU has the European Production Order and Preservation Order Regulation (2023), under which any member-state authority can issue an EU-wide production order reaching any company with an EU presence, regardless of where the data sits. The Budapest Convention on Cybercrime is the older regional precedent — China has not joined.
The pattern: production orders with bilateral legitimation, no longer a unilateral overreach into another sovereign’s territory.
Path 4 — Multilateral Public-to-Public (多边公对公)
The newest path: global multilateral treaties standardizing discovery. The UN Convention against Cybercrime (December 2024) is the leading instrument. China and Russia were active proponents. The Convention preserves sovereignty as the default (Article 5) but also permits states to issue production orders to companies in their own territory for “subscriber information” (Article 27) — a calibrated middle path between speed and sovereignty.
The three jurisdictional doctrines
Each major player uses a different doctrine for when its own law reaches data. Wang’s framing:
United States — Data Controller Standard
The CLOUD Act (2018) made the rule explicit: whoever controls the data, U.S. law reaches. The data’s geographic location is irrelevant. The Act applies to any communications-service provider that is U.S.-incorporated, has substantial U.S. presence, or has “sufficient contact” with the U.S. — including merely providing services to U.S. users.
The Microsoft Ireland case illustrates: the Justice Department demanded data stored in Microsoft’s Dublin data center; Microsoft litigated to the Supreme Court; the CLOUD Act passed mid-case and ended the dispute. Microsoft was required to produce the Irish-stored data because Microsoft (a U.S. company) controlled it.
The U.S. defensive posture is the mirror image — and Wang frames it as a double standard:
- The 1986 Electronic Communications Privacy Act (ECPA) blocks U.S. providers from disclosing electronic data to foreign governments.
- The CLOUD Act creates a narrow exemption track: a U.S. court can quash a foreign production order if the data is not about U.S. persons and compliance would violate the law of a “qualifying foreign government.” But “qualifying” is a high bar — only the UK and Australia have executive agreements granting that status.
In substance: the U.S. reaches globally on offense; everything else hits an ECPA wall on defense, with narrow escape valves for U.S. treaty partners.
European Union — Market Access Standard
The EU’s strength is its single market. Its doctrine: whoever wants to sell to our 500M consumers must follow our rules. GDPR Article 3 reaches any controller or processor anywhere in the world that offers goods or services to data subjects in the EU or monitors data subjects’ behavior in the EU. Court of Justice case law has expanded the reach further — a controller with an EU establishment whose activities relate to the foreign processing is subject to EU jurisdiction.
The EU defensive posture also uses double-standard mechanics. GDPR Article 48 prohibits transfer of personal data to a foreign authority in response to a foreign court or administrative order unless there is an MLA treaty or the transfer satisfies GDPR’s strict transfer-safeguard requirements. The narrow exception paths — public interest, vital interest — require additional safeguards, non-repeated transfers, limited data subjects, security assessment, regulator notification, and individual notification. In practice, almost no foreign discovery order satisfies the bar.
In substance: the EU reaches via market access on offense; everything else hits the GDPR Article 48 wall on defense.
China — Data Location Standard
China’s doctrine: whoever holds data in our territory is subject to our jurisdiction; data outside our territory belongs to that territory’s regime. This is the most sovereignty-respecting of the three doctrines and the closest to traditional international-law norms.
China’s offensive posture is correspondingly constrained — and Wang frames this as a deliberate policy choice:
- Discovery from overseas data is conducted through MLA — 91 treaties with peer countries.
- China does not assert extraterritorial production-order authority over foreign companies.
- Multilateral instruments (the UN Cybercrime Convention) are the preferred vehicle for any cross-border discovery beyond bilateral MLA.
China’s defensive posture has three layers Wang labels the “three-axe defense” (三板斧):
- Legal blocking — DSL Article 36, PIPL Article 41, and the International Criminal Judicial Assistance Law all bar Chinese entities from providing data to foreign authorities without Chinese government approval. The block applies to both unilateral production orders (Path 2) and to voluntary cooperation in response to foreign authority requests.
- Data localization — CSL requires CIIO-collected PI and important data to be stored in China. The localization requirement removes the data from the foreign-discovery target set.
- Market access — foreign cloud service providers entering China (with limited FTZ pilot exceptions) cannot directly control Chinese data. The structural arrangement is a Chinese partner controlling the data and the foreign vendor providing technology. From the foreign-discovery perspective: the foreign cloud provider doesn’t have the data to produce, even under a CLOUD Act order.
The three layers are designed to compound. A foreign production order targeting a Chinese-stored dataset must clear all three: the company holding it can’t lawfully cooperate (legal blocking), the data may be localized in any case (localization), and the foreign cloud provider lawfully present in China may not control it (market-access structuring).
The 2026 picture
Wang’s piece was written in January 2026, and the picture has continued to evolve. Three updates DCC has tracked since:
- The MPS Electronic Data Evidence Rules draft (May 2026) added Article 30 — the most explicit Chinese-side statement of how Chinese law enforcement can reach overseas-stored data: via credentials provided by the suspect or violator. The architecture is suspect-credentials-based, not MLA-based. (See DCC’s brief on the MPS draft — coverage in our regulatory-update queue.)
- The 2026 PI Special Action (CAC + MIIT + MPS) signaled cross-sector enforcement tightening including on cross-border vectors.
- The UN Cybercrime Convention (December 2024) is heading into ratification. China was a leading proponent. If it enters into force broadly, Path 4 (multilateral public-to-public) gains operational weight.
What this means for multinational compliance teams
For foreign-invested entities operating across the squeeze, four operational takeaways:
- Map every cross-border discovery vector to which jurisdictional doctrine applies. A discovery demand from U.S. law enforcement under the CLOUD Act sits in Path 2 / unilateral public-to-private. A demand from EU enforcement under GDPR Article 48 sits in Path 2 also. A demand from China’s MPS under the Electronic Data Evidence Rules sits in Path 2 / suspect-credentials variant. The blocking statutes you encounter from the data-location side will vary by which doctrine the demanding authority is using.
- Document the blocking statute conflict. When a Chinese-stored dataset is the target of a foreign production order, your in-China entity should expressly invoke the DSL Article 36 / PIPL Article 41 blocking provisions and seek Chinese government approval before producing. The blocking statutes provide a defensible position under the qualifying foreign government analysis (in the CLOUD Act context) and under GDPR Article 48 (in the EU context). Build the documentary record on the China side.
- Architect for the three-axe defense. For data that may be the target of foreign discovery in future, the three China defensive layers compound. Where possible: route the data through a Chinese entity that controls it; locate the storage domestically; structure the foreign-vendor relationship to give the Chinese counterpart control. This narrows the foreign authority’s enforceable reach.
- Watch the UN Cybercrime Convention and the U.S. executive agreement track. If China negotiates a CLOUD Act executive agreement with major U.S. trading partners — or, more practically, if the UN Convention reaches widespread ratification — the regime architecture changes. Multilateral public-to-public would become the primary path, narrowing the unilateral conflicts that currently force multinationals into impossible compliance positions.
The deeper observation in Wang’s piece is that the three doctrines are not converging. The U.S. data-controller approach, the EU market-access approach, and the China data-location approach reflect three different theories of digital sovereignty. Multinationals operating across the three will continue to face squeezes; the operational answer is not to bet on one doctrine prevailing, but to build compliance architecture that can survive when authorities under different doctrines disagree.
— Wang Qinglan (王青兰), 跨境数据调取“三国杀”:美欧中各出啥招? (The Cross-Border Data Discovery “Three Kingdoms War” — What Moves Are the U.S., EU, and China Each Making?), 青兰数据观察 WeChat Official Account, January 8, 2026. Original article (Chinese).
Not legal advice. The above is DCC’s structured summary of Wang’s commentary; not a verbatim translation. The author’s views are her own and do not represent her employer.