While the Biden administration’s recent corporate enforcement actions and initiatives have garnered significant press attention, China has engaged in recent months in a series of less-publicized corporate enforcement actions and initiatives against non-Chinese companies (mostly, but not exclusively, U.S.-based) operating in the country, including through new investigations, raids of China-based offices, and even detention of employees. China has taken many of these actions based on alleged violations of laws established or updated in the last five years, some of which were issued in response to actions taken by the United States in the ongoing U.S.-China Strategic Competition.
Most recently, on April 26, 2023, China updated its Counterespionage Law, expanding its definition of espionage to cover a much wider swath of activity and providing additional authority to search individuals and businesses suspected of espionage. This revised law poses a risk that traditional business activities may fall under the new definition of espionage when it takes effect on July 1, 2023, and raises additional risks and considerations for U.S. and multinational firms operating in or considering expanding to China.
The Updated Counterespionage Law
As part of the update, the scope of the Counterespionage Law, which was initially implemented in 2014, now covers “all documents, data, materials and articles concerning to national security and interests included for protection.” The definition lacks further clarification, but it is apparent that its coverage is considerably more expansive than the previous definition of “state secrets and intelligence.”
The revised law also now respectively defines espionage and espionage activities as “collaborating with spy organisations and their agents” and “conducting cyber-attacks against state entities, confidential-related units, or critical information infrastructure.” Particularly troubling, according to an article by authors from the U.S.-based Institute for the Study of War, is the revised law’s broad definition of “agents,” which may offer an avenue to justify gathering data from foreign firms and their employees while they conduct business in China. According to the note, this may grant the Chinese authorities access to sensitive company data or trade secrets under the guise of preventing foreign cyber espionage.
Further, the updated law now permits security authorities to inspect the baggage and electronic devices and facilities of individuals suspected of espionage, and obliges logistics and telecommunications companies in China to provide “technical support” to fight espionage. U.S. Ambassador to China Nicholas Burns has already expressed concern that the law “potentially could make illegal in China the mundane activities that a business would have to do” such as diligence prior to an investment or economic research to understand market conditions.
Other Chinese Laws Create Similar Risks for U.S. and Multinational Firms
The update to the Counterespionage Law is not the only Chinese law that may pose a risk to non-Chinese companies operating in China. In recent months, the application of these laws has led to multinational companies and their employees being the subject of cybersecurity reviews, investigations by the Chinese authorities, confiscation of office equipment, arrests and detentions, suspension of China-related activities, and the imposition of fines.
Below is a brief summary of some of the key risks presented by similar laws that U.S. and multinational firms should be mindful of:
- China’s Countersanctions Laws: China’s Anti-Foreign Sanctions Law and Blocking Statute are both intended to counter the implementation of non-Chinese economic sanctions. Both regimes create a private right of action for instances where interests of Chinese citizens and organizations are infringed due to another entity’s compliance with non-Chinese sanctions. A Chinese court can require the payment of damages and/or require completion of the activity.
- China’s Sanctions: China can impose its own sanctions through a designation on the Unreliable Entities List, which will limit how an entity can operate in China and, if it continues to do so, make any day-to-day interactions (e.g., receiving financing) difficult.
- The Personal Information Protection Law: China’s recent Personal Information Protection Law requires companies to implement specific data transfer mechanisms if any personal information will be transferred outside China. Companies risk heavy administrative penalties or even criminal liability for non-compliance.
- The Data Security Law: China’s Data Security Law requires that any data identified as “core” and “important” is subject to limitations. In turn, that data may require government approval before being exported from China and companies could be required to retain a compliance officer to manage this data. Additionally, this law limits the provision of data to non-Chinese law enforcement or judicial agencies, which, in some cases, has been interpreted to include requirements from administrative agencies.
- The Cybersecurity Review Measures: The Cybersecurity Review Measures regulate critical information infrastructure operators (e.g., operators that purchase certain identified products that impact Chinese national security) and network platform operators (i.e., operators that conduct certain data processing activities that impact national security, or hold the personal information of over a million persons and plan to export it outside of China).
Risks to U.S. Companies and Private Equity Investors
These recent actions by Chinese authorities and the expansion of Chinese restrictions, most recently evidenced by the revisions to the Counterespionage Law, are a signal that U.S. and multinational companies and investors operating in China face growing compliance and security risks. These actions have not gone without notice. In a recent statement, Secretary of the Treasury Janet L. Yellen noted that the Department is “concerned about a recent uptick in coercive actions targeting U.S. firms, which comes at the same moment that China states that it is re-opening for foreign investment.”
In light of these developments, U.S. and other multinational companies and investors with Chinese operations should take additional precautions to ensure compliance with Chinese laws related to espionage, trade, data security, and cybersecurity. This may mean adjusting compliance programs to account for both Chinese and U.S. law, as well as understanding how Chinese and/or U.S. operations may affect the other.
Moreover, companies need to understand the types of matters that aggravate China risk, such as compliance with the U.S. Uyghur Forced Labor Prevention Act (“UFLPA”) as well as global export controls and sanctions related to advanced semiconductor technology targeted at China or Chinese companies. In addition, multinational companies with civilian and military business units must pay special attention to the impact of rising geo-political tensions and dueling regulatory regimes on their operations in China.
Finally, while these are all legal regimes, given each law is being implemented and enforced in the context of a larger U.S.-China Strategic Competition, companies should ensure that their legal and compliance functions closely coordinate with their operations, government affairs, and public relations teams.
- Understand Your China Law Risk Exposure: With the development and use of the new Chinese legal regimes, U.S. and multinational companies with operations in China should assess their risks and exposure to potential violations of Chinese law, as well as any aggravating factors (e.g., activities related to compliance with UFLPA, U.S. export controls, or involving Taiwan), since there is little precedent and some legal regimes can be quite broad with limited checks provided by local administrative law.
- Know Your Data Systems: China has complex and wide-reaching data laws. Companies should maintain awareness of their data systems, specifically understanding if any data is stored in China, what that data includes, and whether any Chinese data or cybersecurity law requirements apply that could limit its movement, particularly out of China.
- Compliance Programs and Crisis Management Plans: U.S. and multinational companies with operations in China should ensure they have robust compliance programs that limit potential conflicts of Chinese and U.S. laws and a crisis management plan to respond to law enforcement activities. These compliance programs and crisis management plans require coordination between legal, operational, government relations, and press teams; establishment (or enhancement) of an incident response plan; and engaging in tabletop exercises for various scenarios.
- Private Equity Sponsors and Strategic Investors Should Analyze Investment Strategy: These developments in China, coupled with pending U.S. restrictions on outbound investment, should lead private equity investors and strategic investors to examine their holding arrangements and investment positions in current targets and portfolio companies, as well as revisit the manner in which such investors evaluate and execute plans with prospective targets that have operations in, or other exposure to, China.