Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, Gwyneth To

China’s amended Anti-Espionage Law will take effect from 1 July 2023. However, its effects have already been felt by some international businesses. So what should international businesses do to respond to these new risks?

The new law broadens the scope of espionage activities, as well as the power for authorities to carry out anti-espionage investigations by gaining access to data and property.

Following the observation of increased enforcement to target anti-espionage activities, organisations are advised to focus on adopting internal governance mechanisms to ensure compliance with the relevant laws, as well as being ready to react to any potential enforcement action in a responsive manner.

Applicability and extra-territorial effect

The new law applies to a widened scope of espionage activities, and can potentially impact different types of data and activities.

In particular, those organisations dealing with state secrets should be aware of the far-reaching applicability of the new law. Given the uncertainty in what constitutes state secrets, organisations should constantly review, assess risks, and be attentive to the types of data that is processed as part of their business operations.

With this in mind, organisations which deal with more sensitive types of data such as defence and advanced technology should take extra care in remaining compliant with the law (including keeping such data within Mainland China unless relevant approvals are obtained). Additionally, organisations which have contact with national security authorities should ensure all communications and interactions are kept confidential within the organisation.

Notably, the new law does not limit espionage activities to those carried out within China. This said, the focus appears to be on activities that may, in any way, impact national security and public interests of China.

The new law also applies to espionage activities against third countries that are carried out by espionage organisations and their agents within the territory of China or otherwise involve Chinese citizens, organisations, or other conditions, so long such activities endanger the national security of China. Thus, activities not specifically targeting China may also fall into the regulatory scope.

Managing data risks

Both local and foreign organisations should be mindful of the significance of this new law if they have China-related business activities or connections.

One of the key internal data governance actions that an organisation should prioritise in connection with compliance with this new law is to conduct data mapping and classification in order to maintain an accurate data inventory and to ensure there is clear understanding of its data flows and processing activities. As noted above, this is particularly important with regard state secrets and “important data”. Data compliance programmes should extend beyond just personal data to cover these other China data categories; and should include education on such restrictions and sensitivities beyond just China personnel.

Authorities’ powers

During the course of carrying out anti-espionage investigations, national security authorities are now granted the power to access official buildings and factories, requisition transportation and communication tools, check personal IDs and belongings, examine and seal up electronic devices, review and obtain documents and materials, summon and interview relevant stakeholders, freeze and seize properties, impose border entry and exit restrictions, and shut down websites and networks.

What to do in the event of regulatory investigations / dawn raid

In the event of regulatory investigations, representatives of organisations should:

  • first ensure investigators have due authority and due procedures are followed;
  • refer to internal investigation/dawn raid guidelines, and follow the detailed step-by-step guidance on dealing with authorities’ enquiries or investigations. In particular, follow proper internal reporting and escalation procedures in case of dawn raids; and
  • keep records of the data and information provided to regulators as part of the dawn raid.