China’s new counter-espionage law and recent enforcement raise data security compliance bar
On 1 July 2023, the newly revised Counter-Espionage Law came into effect in China. The amendments significantly expand the scope of activities that can be considered espionage by adding a catch-all provision, and codify the enforcement powers of relevant authorities. The revised law was first introduced in April 2023 amid a surge in Chinese enforcement activity against US-linked consultancy and due diligence firms, including a raid that was nationally broadcast in China.
These recent developments appear to be part of a larger effort by the Chinese government to safeguard data and information security. This effort, which started as late as 2017 with the introduction of the Data Security Law, indicates that data security has been taken to a level closely linked with national security and “judicial sovereignty”, a Chinese legal concept to prevent any external influence on the country's judiciary. This will impact multinational companies (MNCs) in China that unavoidably have to deal with the collection and cross-border transfer of local data. More than ever, MNCs in China will need to pay attention to regular data compliance in their daily operations as well as the source and destination of all information collected, while keeping a broad definition of national security in mind.
Recent enforcements
In March 2023, the Beijing office of the US consultancy firm, the Mintz Group, was raided by local police. The police visited the firm's premises and detained five Chinese employees for further questioning. Subsequently, business operations were shut down and remain closed to date. In a similar move, in April 2023, the Shanghai local police carried out inspections at the Shanghai office of US management consultancy firm Bain & Co.
Finally, in May 2023, local national security agencies in several cities across China, acting with other local authorities, raided multiple local offices of Capvision, another consultancy firm headquartered in Shanghai. Unlike the raids at Mintz Group and Bain, which were only publicised in foreign media outlets, this latest known enforcement action was widely televised on Chinese local and state media in real time. The company allegedly helped foreign entities illegally acquire national secrets and sensitive information in relation to key industries in China.
The specific reasons behind and legal basis for the enforcement actions were not made public. Still, the three enforcement instances appear to signal intensified scrutiny over companies that collect information which the Chinese authorities may deem a matter of national security, even if the information is of a commercial nature. The overseas transfer of such information would consequently seem to be considered a potential threat to national security, requiring enforcement actions.
Key legislative developments
Revised Counter-Espionage Law
In parallel with the enforcement actions, in April 2023, China also introduced amendments to the existing Counter-Espionage Law (CEL), for the first time since the law's enactment in 2014. Among other changes, the revisions most notably: (1) expand the definition of punishable espionage activities, and (2) enhance the investigative powers of the relevant authorities. We briefly explain this below.
The revised CEL provides a broader definition of espionage activities by adding a new subset of activities that may constitute espionage. In the old CEL, stealing, spying, buying or illegally providing state secrets and intelligence were punishable activities. The amendments now add a broader category of "other documents, data, materials or articles relating to national security and interests" (art. 4(3)) to the scope of espionage activities. This addition could potentially bring a slew of information into scope that did not previously rise to the level of state secrets and intelligence in the traditional sense, such as trade secrets or market data in strategic industries.
Further, activities such as cyberattacks, intrusions, disruptions, control or destructions targeting state bodies, entities handling classified information or critical information infrastructure are also considered espionage under the revised CEL.
As to enhanced administrative investigative power, the revised CEL codifies and details the powers of authorities in carrying out enforcement actions. In addition to the already extensive enforcement measures under the old CEL, national security authorities can now also access the target's electronic devices (art. 25), relevant personal data and documents (art. 26) and assets information (art. 29) during their enforcement. Notably, the revised CEL also provides a legal basis for summoning individuals on suspicion of CEL violations (art. 27) – verbally onsite or by written order.
In addition, the initiation of investigative measures is subject to a seemingly simple approval process with a low threshold: an internal green light given by the national security authority's responsible person at the districted city level or higher.
Legislation around data security and judicial sovereignty
The enforcement actions and the revised CEL are the latest iterations of the Chinese government's increasing emphasis on data security as a matter of national security. Data compliance has been a high priority on the Chinese legislative agenda since 2017, as seen with the enactment of the Cybersecurity Law (CSL) on 1 June 2017, the Data Security Law (DSL) on 1 September 2021, and the Personal Information Protection Law (PIPL) on 1 November 2021.
While the effect of general data compliance requirements needs to be further detailed in future implementing legislation, the overall tightened oversight of data security will have direct implications on the day-to-day operations of MNCs in China. For example, the collection, processing and outbound transferring of data for R&D purposes may be impacted if dealing with potentially sensitive data such as medical data, geological data, population data, etc. Due diligence activities will also come under stricter scrutiny, not only in the context of M&A, but also in the engagement of third-party agents and other service providers. Other activities in Legal and Compliance departments in their normal course of business will also be impacted, such as the sharing of information in cross-border commercial disputes and internal investigations.
Beyond data security protection, another theme observed in recent legislation is the safeguarding of Chinese judicial sovereignty. For example, both the DSL (art. 36) and the PIPL (art. 41) spell out that all organisations and individuals in China are prohibited from supplying personal information or data stored in China to foreign judicial or enforcement authorities without explicit approval from relevant Chinese authorities. A similar restriction exists under the Chinese Securities Law in relation to the collection and submission of relevant materials to foreign securities regulators.
This emphasis on Chinese judicial sovereignty is most prominently pronounced in the International Criminal Judicial Assistance Law (ICJAL) of China, effective since 26 October 2018. The ICJAL prohibits entities, organisations and individuals in PRC territory from providing evidentiary materials or assistance to a foreign state.
Key takeaways and recommendations
Since 2017, the legal system for safeguarding data security in China has developed into a comprehensive legal framework encompassing data privacy, national security and judicial sovereignty. The enforcement risks - and legal as well as reputational consequences - of possibly contravening and compromising national security and judicial sovereignty in China can be significant. At the same time, it bears noting that the underlying aims do not appear to be to curtail foreign companies' legitimate business activities and participation in the economy. Rather, the focus seems to be on the collection of certain types of data with potential national security implications, the means employed to collect or transfer the data, and the intended use of such data. The restrictions imposed by these recent pieces of legislation will require companies to critically re-examine all areas of their business operations that deal with the collecting, processing and transferring of data located in China, and ensure that the relevant procedures are in compliance with law. Areas of attention include:
- Ensure that all data is gathered from legitimate sources: When collecting data for any purpose—from market research, due diligence, R&D to internal investigations—companies should make sure to verify that the data has been legally acquired and can be traced back to legitimate sources. If working with information provided by third parties, contractual safeguards should be considered to make sure their collection of data is compliant with laws, transparent and protected.
- Strengthen third-party due diligence: Companies should carefully assess the external parties that they engage with throughout their supply chain, with particular attention to any state affiliations or other exposures.
- Establish internal guidelines and an effective reporting channel: Companies should design effective guidelines in response to possible future incidents relating to data breaches involving sensitive information. They should make clear to employees what the reporting avenues and corresponding mitigation actions are if such a breach occurs.
- Reassess internal investigation protocols: When conducting internal investigations, extra caution may be needed if overseas transfer of data is involved. This could include communication with external parties (for example, forensic firms or e-data platform suppliers located overseas) as well as foreign headquarters. Measures such as data anonymisation, redaction and aggregation may be advisable depending on the type of data and sensitivity level.