This update summarizes the latest in Chinese law, with a particular focus on elements relevant to business decision makers. The content here is tailored to what we recommend all directors and board members of international companies know about these new oversight laws. These laws pose risks to any company doing business in China, including those selling to the Chinese market as well as those manufacturing or purchasing supplies from China-based partners.
According to the National Counterintelligence Security Center (NCSC, part of the U.S. intelligence community), the Chinese government views information leaks from China as a national security risk, as well as access to and control of data held by China. It is said that there is also a need to utilize international companies located in China for surveillance purposes. A new law grants the Chinese government access to data.
U.S. and other global companies and individuals in China could face penalties for conventional business activities that the Chinese government deems to be espionage or for actions that the Chinese government deems supportive of foreign sanctions against China. The law could also force Chinese nationals employed locally by US companies to cooperate with China’s intelligence activities (note: these laws now apply to operations in Hong Kong).
The latest law has just come into force. It is an amendment to anti-espionage laws that redefines the scope of what is considered espionage to be any information they want to call espionage-related.
To put this latest law into context, here is a summary of the key laws passed in China since 2015 that affect the operations of US and other international companies in China.
National Security Act 2015
The law stipulates that Chinese citizens and private organizations must assist the Chinese government and intelligence agencies in security matters upon command. This includes secretly coercing PRC nationals employed locally by companies to cooperate with investigations.
National Intelligence Act 2017
The law builds on the National Security Law of 2015 to emphasize that China’s intelligence services must be complied with at all times.
Cybersecurity Act 2017
The law requires all critical infrastructure companies (including foreign companies involved in critical infrastructure, although not defined in the law) to store data within China’s borders and make all data available to intelligence agencies.
Data Security Act 2021
The law adds new restrictions on data, including the introduction of a phased system according to the Chinese government’s interpretation of the data’s importance to national security. This will result in stricter action and more severe penalties for non-compliance.
Foreign Sanctions Act 2021
This law provides a basis for China to take countermeasures against foreign sanctions and authorizes China’s actions against foreign individuals or entities that enforce or support foreign sanctions against China. This means China can retaliate against companies it determines have cooperated in enforcing foreign sanctions. In this regard, some companies may have to choose between following US or Chinese guidance on sanctions and laws.
Personal Data Protection Act 2021
Some have called it similar to the GDPR, as it ostensibly claims to codify the privacy rights of Chinese citizens. But in reality, no Chinese citizen has a so-called right to privacy. At least, no privacy from government or CCP surveillance. All domestic and foreign companies must follow reviews to ensure that data is properly managed. It limits the ability of companies to collect and retain data about Chinese people, and also empowers the Chinese government to take whatever data it wants if it deems it in the public interest.
Cyber Vulnerability Reporting Act of 2021
This law puts everyone using IT at risk. It requires all companies with stakes based in China to report to Chinese authorities any cyber vulnerabilities found in their systems or software. Until Chinese authorities complete their assessment, the vulnerabilities are left open and may not be published or shared abroad. This gives Chinese authorities an opportunity to exploit flaws in their systems before the vulnerability becomes known to others.
2023 Anti-Espionage Act Update
This is the latest in a long string of laws affecting US and other foreign companies operating in China, including those that sell to the market. The bill significantly broadens the scope of China’s counter-espionage laws by expanding the definition of espionage from state secrets and intelligence activities to any documents, data, materials, and other items related to national security interests. It does this without further defining these terms, implying that anything the Chinese government or the Chinese Communist Party wants to consider subject to this law can be treated in this way.
The law builds on all other laws and creates new legal risks and uncertainties for companies doing business in or with China. All documents, data and materials are considered relevant to China’s national security.
What do these mean for you and your business?
Corporate directors, executives, strategists, financial planners and policy makers should assess the current legal environment. To aid in the planning process, here is a list of recommendations to evaluate.
- Perhaps our biggest and most important recommendation for your business is that you should make a net assessment of the risks and benefits of doing business in China. Every company is different, so the scenarios you plan should be tailored to your company’s situation. We help you plan by keeping your team informed of the latest developments and the nature of the risks in your area. Please contact us if we can be of any assistance.
- Stay aware of the geopolitical situation in the region and the most relevant aspects of ongoing trade and technology tensions. Make sure the free OODA Daily Pulse is distributed to you and all team members. Members of the OODA Loop also have access to several strategic reports created to provide insights on China and help set the level for the entire team (starting with our special report on the China threat).
- This topic of geopolitical risk, including this particular topic of potential scenarios and actions by China, is frequently raised at the OODA Network’s monthly meetings and influences our recommendations. These sessions are intended for OODA Expert level members only. Sign up here to participate directly in discussions with your colleagues on these topics.
- Continuously consider your cybersecurity governance procedures. Don’t wait for the SEC to mandate boards to address these topics. See OODA’s Cyberboard Advisory Service for a starting point to consider. Cyberattacks will almost certainly continue to change. Some adversaries may decide to launch direct attacks against U.S. organizations to slow down and disrupt production. So keep your agility on defense. Make sure your team follows cybersecurity best practices. Fortify your defenses with a red team. Use deception in defense. Protect management communications.
- Also analyze technology dependencies and supply chain dependencies. What is your dependence on China? What is their legal exposure? Are you selling to the Chinese market? What data are these laws applicable to? Where is it stored? Is your network segmented?
- Review current M&A or divestiture intent. Are there any deals that affect your business with companies based in China?
As an OODA member, we also ask that you keep yourself up-to-date on how the OODA network can best serve your interests. Please reply to our newsletter or contact us here.
Resources and additional information:
NCSC on Safeguarding Our Future: A brief overview of the above-referenced legislation by the National Counterintelligence Security Center.
OODA C-suite Report: The latest strategic intelligence for corporate directors and executives providing insight into geopolitical risks, technological developments and cyber conflicts.
The China Threat Brief provides strategic information about China, the People’s Republic of China, and their global intentions.
Global Risks and Geopolitical Sensemaking: A dynamic resource for OODA Network members seeking insight into the geopolitical dynamics driving global risks.