1. Recap of the revised Anti-Espionage Law
The revised PRC Anti-Espionage Law (revised AEL) was adopted on 26 April and will take effect on 1 July 2023 (see here for our detailed analysis on the key legislative changes and potential implications).
Among other things, the revised AEL expands the definition of “espionage” to cover illegal collection or provision of any “documents, data, materials or items related to national security and interests” by an overseas person directly or in collusion with a domestic person. This means:
- Greater uncertainties for domestic- or foreign-owned companies doing business in China. The revised AEL does not set specific parameters or procedures to define information “related to national security and interests”. This leaves significant discretionary power to the PRC authorities on issues including whether to initiate an investigative proceeding and to exercise search and seizure powers on persons deemed a security risk by the PRC authorities.
- Increased challenges for multinationals in relation to their data collection and processing activities in China. Under the expanded definition of espionage, MNCs, given their cross-border operations, may face increased risks of implication under the revised AEL, if the data collected or processed by their PRC businesses falls under the broad scope of “data related to national security and interests”. This similarly has implications for quants and other data-driven investors that rely on locally-sourced data for their analytics. If an investigation is initiated, multiple government authorities, including the state security administration and other sector-specific authorities, would be involved. This presents enhanced complexities and challenges for businesses seeking to respond to the investigation.
2. Heightened scrutiny on international consultancy firms
Soon after the promulgation of the revised AEL, a state media press release dated 8 May 2023 reported that the state security administration, in collaboration with other relevant authorities, had initiated a joint and public raid against the subsidiaries of Capvision located in multiple cities in China. The reports stated that the enforcement against the US-headquartered expert network service provider was due to its failure to implement precautionary measures to counter espionage under the (2014) Anti-Espionage Law.
The news reports and other announcements released in subsequent days have revealed the following details on the enforcement proceeding:
- Cause of the enforcement proceeding: Capvision provides a platform for its PRC and overseas clients to be connected with experts for consultations (whether by telephone or in person) sourced by Capvision. Some of the experts were reported to be “influential in key areas such as domestic policy research, military and national defence, finance and monetary policies, high technology, energy and resources, healthcare and medicine”. Two of the experts were reported to have been criminally sentenced for stealing, spying or illegally providing state secrets and/or state intelligence to overseas persons, prior to the enforcement against Capvision. In addition, some of Capvision’s clients were found to have a close relationship with “foreign governments, military and intelligence agencies”.
- Investigative measures adopted: It was reported that the PRC authorities “inquired certain staff members, inspected and checked relevant items” without disclosing further details.
- Legal consequences: On 10 May 2023, Capvision announced that it had established a compliance committee consisting of its senior management to implement rectification measures and to improve its compliance program, as requested by the state security administration. It is unclear from publicly available information as to what penalties have been imposed on Capvision, and whether employees of Capvision have been held personally liable.
Prior to the Capvision investigation, between March and April, it was reported that the police initiated investigations against two other US-headquartered consultancy firms. In one case, the police searched the Mintz Group’s office and detained five of its employees for suspected offences of illegal business operation. In the other case, the police conducted onsite inquiries of certain employees of Bain & Company and seized the employees’ laptops and mobile phones, without detaining any individuals. There are no further details available for these two cases.
3. Potential precautionary measures
To mitigate risks of implication under PRC law, including the revised AEL and data protection laws, businesses in China should consider adopting precautionary measures such as the following:
- Exercise precaution in vendor engagement. Conduct and document due diligence and security background checks on external parties, including clients, vendors, service or data providers, and target companies. Avoid engaging data providers who are constrained from providing information due to confidentiality obligations under their employment terms with institutions such as the military, government agencies, state-controlled entities or publicly-funded research institutes. Even if the terms of engagement contain an exemption clause which requires the data provider not to provide any confidential information obtained from his/her employment relationship, this clause would not be sufficient to protect an organisation that engages the data provider from potential prosecution.
- Formulate and implement data compliance policies including data classification. Although the revised AEL does not set specific parameters to define information “related to national security and interests”, companies may refer to the list of “important data” under Information Security Technology - Rules for Identification of Important Data (Draft) for potential illustrations. Indicative examples of important data proposed in these draft rules include data revealing the security protection of critical information infrastructure that can be used to carry out cyberattacks on it; undisclosed governmental, intelligence, law enforcement or judicial data, such as unpublished statistics; or source codes, technical solutions, or test results relating to national scientific and technological strengths or affecting international competitiveness. Companies should consider establishing a protocol managed by their legal and compliance team to ensure that personnel are aware of sensitive data categories and screen inflows. Given the discretion left to the PRC authorities to determine what is sufficiently sensitive at any one time, a dynamic review practice should be implemented.
- Demonstrate top-level commitment to monitoring, reviewing and effecting the implementation of compliance policies and programs. This is especially important because the revised AEL now imposes statutory obligations on PRC businesses to undertake organisational obligations to counter espionage, including (1) implementing precautionary measures, (2) educating their staff members to maintain national security, and (3) mobilising and organising their staff members to prevent and counter espionage. In case of non-compliance, the state security authority may order rectification or request interviews with the relevant person in charge and may impose administrative penalties including warning or public reprimand on the organisation. This change aligns with the rectification announcement made by Capvision.
Please reach out to us if you have any questions. We are working with a number of investors and MNCs on these issues.
Stay tuned for further updates as we see them.
Thanks to Tim Su for the support in drafting this article.
An unnamed police officer interviewed by the broadcaster accused firms such as Capvision of routinely hiring "highly-paid consulting experts" with close ties to Chinese authorities to "illegally obtain various types of sensitive data", which he said posed "major risks to China's national security".