July 11, 2023

China Enacts Updated Counterespionage Law, Increasing Risks for Multinationals Operating in China

At a Glance

  • The 2023 Amendment broadens the definition of “espionage activities” and further empowers Chinese law enforcement authorities to inspect and seal or seize IT infrastructure (including software).
  • The amendment also authorizes the reading or collection of relevant documents, data, materials and items by the Chinese authorities, if approved by the State Security Authority at the districted-city level or above.
  • Multinationals should exercise increased caution and adopt new protocols in their business dealings in China.

On July 1, 2023, an amendment to the Counterespionage Law of the People’s Republic of China (2014) (2023 Amendment) took effect, following adoption by the Standing Committee of the 14th National People’s Congress of the People’s Republic of China in April. The 2023 Amendment will likely have major implications for multinationals doing business in China. Already exercising expanded powers granted them under a set of 2017 implementing regulations, Chinese law enforcement authorities have raided the offices of three companies over the last few months: consulting firms Capvision and Bain & Company, and corporate investigation firm Mintz Group. Several employees of Capvision and Mintz Group were also detained in connection with those raids.

Most critically, the 2023 Amendment broadens the definition of “espionage activities” and further empowers Chinese law enforcement authorities to inspect and seal or seize IT infrastructure (including software). The Counterespionage Law of the People’s Republic of China (2014) (2014 Law) provided Chinese law enforcement authorities some power to inspect IT infrastructure and access documents and materials, but the 2023 Amendment provides more detail on the authorities’ investigative powers and institutes certain procedural rules for investigations. The expanded scope of the 2023 Amendment and the recent uptick in enforcement activity significantly raise the risk for multinationals operating in China, as well as for the confidentiality of data and digital assets located in China.

Key Updates to China’s Counterespionage Law

The 2023 Amendment extensively updates the 2014 Law. In particular, multinationals should be aware of the following key changes:

  • Expanded Definition of “Espionage Activities”: Under the 2014 Law, “espionage activities” included activities in which individuals or entities collude to steal, pry into, purchase or illegally provide “state secrets or intelligence.” The 2023 Amendment expands the definition of “espionage activities” to now include, in addition to state secrets or intelligence, “other documents, data, materials, or items related to national security interests.” The 2023 Amendment does not define “items related to national security interests,” leaving interpretation open to the discretion of the Chinese authorities.

    Stealing, purchasing or illegally providing any documents, data, materials or other items relating to sectors or activities that the Chinese government may deem “related to national security interests” may be covered by this new definition of “espionage activities,” potentially exposing multinationals operating in China to questioning and detainment of employees and seizures and inspections of documents, computers, phones and other items. 

  • Chinese Authorities Can Inspect IT Infrastructure (Including Software): Under the 2023 Amendment, “espionage activities” also include network attacks or disruptions targeting state organs or critical information infrastructure.

    If Chinese authorities deem an activity to endanger national security, they will be empowered to inspect the electronic equipment, facilities, programs and tools of relevant individuals and organizations and employ “immediate corrective measures.” Failure to cooperate with the investigation could result in sealing or seizure of the electronic equipment, facilities and programs. Further, the 2023 Amendment authorizes the reading or collection of relevant documents, data, materials and items by the Chinese authorities, if approved by the State Security Authority at the districted-city level or above.

Precautions for Multinationals Operating in China

Multinationals should exercise increased caution and adopt new protocols in their business dealings in China.

  • Review the Types and Nature of Data Collected and Stored in China: As a critical first step, multinationals should carefully review whether they collect and store any data in China and whether that data may potentially be construed as implicating national security interests. This will be industry-specific, but data concerning prospective Chinese M&A targets, critical infrastructure, construction, defense articles, military installations, energy facilities, agricultural products, public telecommunications, health care, water conservancy, finance and state-owned enterprises, among others, may all pose some potential risk.
  • Refrain from, or Limit, Collection, Analysis and Storage of Data in China: Multinationals should refrain from collecting, analyzing or storing data in China that relates to anything likely to be a strategic area of concern for the Chinese government. If data is already collected, analyzed or stored in China, multinationals should refrain from mentioning those activities when communicating with employees in China and should not allow any access outside of China (i.e., no transmission to employees located in other countries, including the U.S.).
  • Require NDAs (or Amend Existing NDAs): Before entering into any business relationship with a Chinese counterparty, multinationals operating in China should enter into nondisclosure agreements containing a provision under which the Chinese party represents and warrants all of the following:
    • None of the information provided to the multinational contains state secrets or information relating to national security or the national interest of China.
    • The Chinese party has fulfilled all of its compliance obligations for transferring any such data across borders to the multinational outside of China.
    • For any personal information transferred to the multinational, the Chinese party has secured written consent from the relevant individual(s) and fulfilled all of its compliance obligations for transferring such personal information across borders.

We will continue to closely monitor this situation and provide timely updates, as warranted.