Maximizing Opportunities, Minimizing Risks: Research Pitfalls for Multinationals in China

As part of the Chinese government’s efforts regarding regulatory enforcement against research and information collection activities, we have recently seen several actions taken by the government:

• Chinese security authorities investigated into a number of entities and individuals in recent months, including detaining a Japanese executive from Astellas Pharma Inc. for suspected “espionage” behaviors and raiding at least two consulting firms (Bain and Capvision) in Shanghai and Suzhou respectively for suspected obtaining sensitive information concerning state secret and defense intelligence.
• On April 26, 2023, China announced its latest amendment to the Counterespionage Law of the People’s Republic of China (“Counterespionage Law”), which will become operative as from July 1, 2023. This follows China’s promulgation/revision of a set of laws and regulations governing data export control.

The above actions clearly demonstrate Chinese policymaker’s increasingly prioritized agenda surrounding national security issues. Accordingly, multinational companies are recommended to assess its regulatory compliance exposure when conducting research or information collection activities in China to mitigate potential risks. In this article, we answer some of the most frequently asked questions from our clients.

What is the key legal framework?

Regardless of the nationality/domicile of an entity and whether it has links to an espionage organization, to the extent it conducts research and information collection activities in Chinese mainland and/or transfers collected/produced information outside Chinese mainland, it could be subject to the abovementioned laws. While these laws generally do not apply to Hong Kong, in exceptional circumstances where the relevant research activities constitute crime of “stealing, spying, buying, or illegally providing state secrets or intelligence involving national security for foreign or overseas organizations, institutions, or individuals”, organizations could also be subject to the jurisdiction of both China’s Criminal Law and Hong Kong’s Law of Safeguarding National Security.

What entity can become a subject?

Regardless of the nationality/domicile of an entity and whether it has links to an espionage organization, to the extent it conducts research and information collection activities in Chinese mainland and/or transfers collected/produced information outside Chinese mainland, it could be subject to the abovementioned laws. While these laws generally do not apply to Hong Kong, in exceptional circumstances where the relevant research activities constitute crime of “stealing, spying, buying, or illegally providing state secrets or intelligence involving national security for foreign or overseas organizations, institutions, or individuals”, organizations could also be subject to the jurisdiction of both China’s Criminal Law and Hong Kong’s Law of Safeguarding National Security.

What are the key points of the applicable laws?

• The Counterespionage Law is primarily designed to regulate (i) espionage activities, (ii) illegal acquisition of state secrets and their carriers, and (iii) the illegal use of specialized espionage equipment. Additionally, the newly amended 2023 Counterespionage Law: (i) expands the scope of application, broadens the definition of “espionage behavior”, and adds provisions for cyber-espionage, (ii) provides greater support for counterespionage work and proposes to establish a national coordination mechanism, and (iii) increases the authority and protection for national security agencies, and specifies the investigation and powers of national security agencies.
• One should note that the law does not only capture the activities relating to or carried out by espionage organizations, but also considers anyone involved in the illegal acquisition or possession of state secrets, intelligence, and other national security concerned information to also be in violation of the law, even if they have no links to espionage organizations. Based on our observations, engaging in activities involving illegally collection and cross-border transfer of information in areas including China’s cutting-edge technologies, defense information, and critical industry information, will likely be deemed as a violation under the applicable law.
• The Statistics Law, along with its implementing rules, set forth compliance obligations for “foreign-related surveys” in China. Foreign entities who wish to conduct statistical surveys in China must commission qualified agencies in China to do so. Additionally, private statistical survey agencies may not disclose private statistical survey data that duplicates state-important macroeconomic and social indicators of China. Furthermore, relevant regulations also stipulate several prohibited activities that may adversely impact China’s national interests.
• The Data Security Law and certain other regulations provide the relevant regulatory requirement on the cross-border data transfer activities. The transfer of different types of data entails different compliance obligations. For instance, “important data” and personal information can be exported, but relevant parties should take proper measures and/or conduct specific compliance procedures to ensure data security; furthermore, for personal information, the legitimate rights and interests of the data subject must be protected. In addition, certain industries (e.g. life science sector) have localization storage requirements or specific regulatory requirements for data export.

What are the typical problematic behaviors?

• Engaging in activities related to espionage organizations and their agents that endanger national security, illegally acquiring Chinese state secrets, intelligence, or other information.
• Illegally obtaining state secrets, intelligence, as well as other national security concerned information and providing them to overseas parties, absent any connection to espionage organizations and their agents.
• Illegally producing, selling, possessing, and/or using special espionage equipment required for espionage activities.
• Conducting statistical and survey activities in China without commissioning qualified enterprises and obtaining approval from the competent authorities.
• Disclosing privately conducted survey and statistical data that duplicates or contradicts important macroeconomic and social indicators specified by the state or disclosing information that does not meet regulatory requirements.
• Collecting, processing, and transmitting personal information to overseas parties without consent.
• Failing to follow legal procedures when transferring important data, personal information more than a certain specified amount, and specific industry data outside of China.

What are the possible legal consequences?

• Civil and administrative penalties: Civil and administrative penalties such as warnings, fines (including sanctions ranging from one to up to ten times the illegal gains), and administrative detention, will be imposed on those who violate the applicable laws.
• Criminal charges: In addition, if any of the misconduct is found to have violated China’s Criminal Law, the individuals and organizations involved may face criminal charges (carrying the possibility of a maximum sentence of life imprisonment).

Any practical recommendations?

For compliance purposes, we recommend multinationals take various measures to mitigate potential risk exposures. Such measures include:

• From the perspective of information collection: Be cautious about the information in question and settings, especially if it concerns China’s cutting-edge technologies, defense, or critical industry information. Avoid using illegal tools or methods, and refrain from accessing state secrets. Also, when collaborating with third-party institutions to collect information, compliance reviews should be conducted to identify any organizations suspected of espionage or their agents.
• From the perspective of information processing and transfer to any third party: Obtain consent from relevant personal information subjects in advance when processing or transferring an individuals’ personal information. In case that a company is transmitting information outside of China, not only personal information but also specified categories of non-personal information data, such as important data or specific industry data, must follow proper protocols in advance for compliance with the applicable laws and regulations.

Feel free to reach out for more information: Frank Jiang (jianghuikuang@zhonglun.com); Jason Jia (jiashen@zhonglun.com); Rachel Li (lirui@zhonglun.com); Scott Yu (scottyu@zhonglun.com)