Skip to content

Mainland China

New data protection and data security laws in Mainland China add considerably to the complexity of conducting cross border investigations with a nexus to Mainland China, and meeting information requests from foreign regulators. A new ‘anti-sanctions’ regime is aimed at counteracting foreign sanctions and trade controls, and multinational companies doing business in Mainland China are expected to follow it. 

The ABAC regime continues to develop with a greater focus on enforcement against private company offerors of bribes. The real estate and construction industries have been the primary focus of criminal actions in 2021, and the life sciences industry remains the primary focus of administrative penalties. We expect to see more enforcement actions in these areas in 2022.

Investigations trends/developments

Continuing efforts in the anti-bribery and anti-corruption (ABAC) campaign

2021 saw a substantial decline in the number of published criminal bribery cases, while the number of administrative penalty decisions increased slightly. China Judgments Online reported 104 first-instance bribery convictions through the end of October 2021, as compared to 492 convictions in the same period in 2020. The real estate and construction industries have accounted for nearly one-third of the cases in 2021. 

The number of administrative penalty decisions for commercial bribery increased from 62 to 64 cases, with more than one-third of cases involving the life sciences industry.

Despite the fall in bribery prosecutions, the government has explicitly committed to expanding its anti-corruption campaign. Multiple authorities of the Communist Party of China (CPC) and the central government issued the Opinions on Furthering Concurrent Investigations of Active and Passive Bribery in September 2021. They are designed to foster inter-departmental cooperation, and reduce the traditional lack of coordination in handling passive and active bribery cases.

The opinions stated that more focus will be given to bribery that is:

  • repetitive
  • high value
  • to multiple recipients
  • in key national projects
  • in the following areas:
    • organisation and personnel matters
    • law enforcement and judicial
    • environmental protection
    • finance
    • food
    • pharmaceutical
    • charity
    • social security
    • education
    • medical.

For multinational companies, an additional regulator must now be considered. The National Supervisory Commission (NSC), which previously had jurisdiction primarily over passive bribery cases, now has derivative jurisdiction over private-sector bribe offerors. The investigative procedures of the NSC are usually considered more rigorous than the normal criminal procedures. While normal criminal procedures allow a suspect to access an attorney after initial questioning, there is no access to an attorney in investigations by the NSC.

The consolidation and coordination of regulatory enforcement of bribery offences are likely to increase the number of corruption prosecutions, such that next year may well see a reversal in the significant drop in cases that we saw in 2021.

Increased liability for independent directors of listed companies

Listed companies in the PRC must have a board with more than one-third independent directors. Though independent directors are commonly less involved in the day-to-day business operations of a listed company, their liability is similar to those of other directors. Up until now, independent directors have rarely been held directly responsible, or only incurred supplementary liability for corporate misconduct, paying only insubstantial amounts after the persons with primary liability have settled their claims. The position of an independent director is in practice often perceived as “honorary” rather than that of a gatekeeper as intended by the legislator.

A recent ruling concerning the legal liability of independent directors has shone the spotlight on their exposure. On 12 November 2021, the Guangzhou Intermediate People’s Court ruled that five independent directors of a PRC‑listed company, Kangmei, should be jointly liable for a combined RMB370 million, accounting for around 15% of the total losses suffered by investors due to financial fraud by some Kangmei executives and external accountants. For context, the remuneration for each of those independent directors is only around RMB100,000 per annum.

The strengthened scrutiny of independent director liability accords with PRC regulators’ campaign in recent years to combat misrepresentation by issuers and due diligence failures by intermediaries. Directors and Officers Liability Insurance products in Mainland China are very limited so independent directors of PRC‑listed companies will be in an increasingly delicate position. Since the Kangmei ruling, more than 20 PRC‑listed companies have announced the resignation of their independent directors, with more likely to come. We expect that the liability of independent directors will become one of the many issues that must be considered in any future investigation of corporate misconduct.

Significant 2021 law reforms impacting corporate criminal liability

Mainland China’s “Anti-sanctions” regime

In the context of increasing geopolitical tensions, Mainland China has introduced two significant tools into its regulatory toolbox:

  • Measures for Counteracting the Unjustified Extraterritorial Application of Foreign Laws and Measures (Blocking Rules), a Ministry of Commerce regulation that took effect on 9 January.
  • PRC Anti-foreign Sanctions Law (the AFSL), a law passed on 10 June.

Along with the Unreliable Entity List Regulation adopted in September 2020, the Blocking Rules and the AFSL more directly target foreign sanctions. They allow the Chinese government to nullify foreign sanctions, export controls and other perceived “discriminatory restrictive measures” (DRMs) that are considered harmful to Mainland China’s sovereignty, security, or development interests, at least within the territory of Mainland China. The AFSL also provides the government with the legal basis for establishing a retaliatory sanctions programme targeting individuals and organisations responsible for such DRMs.

The Blocking Rules apply to foreign laws with extraterritorial application or measures that unjustifiably prohibit or restrict Chinese parties from engaging in normal economic, trade, and related activities with a third country (or region) or parties from that country, in breach of international law and the basic principles of international relations. Penalties for violating the Blocking Rules are, however, relatively limited, consisting mostly of administrative penalties for Chinese violating parties, and civil liability (i.e. monetary damages) for foreign violating parties. 

The AFSL is far broader in scope. Pre-AFSL, the Ministry of Foreign Affairs (MOF) had announced a number of “ad hoc” sanctions against foreign individuals and organisations perceived to be hostile to Chinese interests. The AFSL now provides a clearer legal basis for such sanctions (called “countermeasures” in the law) and the mechanisms supporting their enforcement. Parties in the territory of Mainland China who breach the countermeasures may be subject to a restriction or prohibition of activities. Breaching parties outside of Mainland China face unspecified consequences (“shall be held liable according to law”).

Similar to the Blocking Rules, the AFSL allows aggrieved Chinese parties to bring suits before Chinese courts against individuals or organisations that implement or assist the implementation of DRMs. The remedies include both damages and injunctive relief. 

Mainland China’s deployment of its new anti-sanctions regime, to date, has been relatively narrow in focus. At the same time, the new regime poses a range of challenges for multinational companies doing business in Mainland China, including how they negotiate contracts, how they audit or monitor their customers or supply chains, and how they engage generally with their Chinese counterparties.

Substantial expansion of Mainland China’s data protection regime

Mainland China’s nascent data protection regime has been substantially reshaped by the PRC Data Security Law (the DSL) and the PRC Personal Information Protection Law (PIPL), both of which were introduced in 2021.

Before the enactment of the two laws, the primary foundational data legislation in Mainland China was the PRC Cybersecurity Law (Cybersecurity Law). The Cybersecurity Law applies to the construction, operation, maintenance, and use of “networks”, and the supervision and administration of cybersecurity within the territory of Mainland China. It requires “network operators” to: (1) establish and maintain sufficient processes and infrastructure to protect the security of their networks; (2) follow certain rules on their network activities, including in particular the collection and use of personal information; and (3) supervise the activities of users of their networks.

The DSL and the PIPL have changed the regulatory landscape of Mainland China’s data regime. While there are still some disputes on the relationship between DSL, PIPL and the Cybersecurity Law, the legal community tends to agree that the DSL and the PIPL either supplement or supersede the Cybersecurity Law, and provide more onerous requirements in certain areas, particularly security preservation, cross-border data transfer and personal information protection.

The DSL applies to all “data processors” (undefined), and processors of “important data” and “core data” are subject to heightened requirements. The PIPL applies to all “personal information processors”, including those foreign processors processing personal information for the purpose of providing products or services to individuals in Mainland China, or analysing and evaluating the activities of the same. After the enactment of the two laws, we have observed an acceleration in the promulgation of the supporting regulations.

Internal investigations – key developments

The DSL and the PIPL (see above) greatly add to the complexity of internal investigations, particularly where cross-border transfer of documents, evidence, and findings is involved. 

Internal investigations typically involve the processing of employees’ personal information. The PIPL requires, by default, that the processing of personal information be conditional upon a data subject’s informed consent, and it is unclear if the statutory exceptions apply in the context of internal investigations. Even if the employer has procured general consent from its employees to process personal information in the context of internal investigations, by means of employment contracts or compliance certifications, nothing forbids the employees from withdrawing their consent and requesting deletion of any personal information collected. It is unclear if the law permits subjecting such withdrawals and orders to disciplinary action for failure to comply with an investigation. Notifying data subjects of processing is an obligation separate from procuring consent, with even narrower exceptions. Therefore, the law on its face appears to pose substantial challenges to conducting early-stage stealth investigations.

Another major concern is cross-border transfer of data:

  • According to the DSL, export of “important data” collected or generated within the territory of Mainland China must be done in accordance with either the Cybersecurity Law (i.e. passing a security assessment) or state regulations. “Important data” is not defined in the DSL but there are some clues. Relevant factors include whether the data is important to economic and social development, and the degree of harm to national security or public interest if it were to get into the wrong hands. It is expected that regional and industrial regulators will establish catalogues of “important data”.
  • Under the PIPL, all cross-border transfer of personal information is subject to statutory restrictions, regardless of the importance or sensitivity of the information. The processor must procure “separate” informed consent from the data subject, and must take “necessary measures” to ensure that the activities of foreign recipients meet the protective standards prescribed in the PIPL. Certain “large‑scale personal information processors” must also pass government-organised security assessments. Other processors may have to: (1) obtain security certifications issued by government‑accredited agencies; (2) execute standard agreements (using government-issued templates) with foreign recipients; and (3) comply with other conditions in laws and regulations.

Restrictions on cross-border data transfer are even stricter where the transfer is in response to, or in the context of, data requests from foreign government authorities. The DSL provides, in summary, that no organisation or individual in Mainland China can give data stored in Mainland China to foreign judicial or law enforcement authorities without the approval of the competent authorities. A similar provision applies to personal information under PIPL. These new blocking rules are broader than similar restrictions in existing legislation and are accompanied by substantial penalty provisions to assist enforcement. 

At present, there are no detailed implementation regulations defining the procedures on the security assessment, security certification, or government approvals mentioned above, and the template data security agreement that a data processor may need to execute with foreign recipients has not been issued. However, it is not a stretch to say that these data blocking statutes pose significant new challenges in foreign regulator‑facing investigations or enforcement actions. 

Sectors targeted by law reforms or enforcement action

In the anti-bribery area, the real estate and construction industries have been the primary focus of criminal actions in 2021, and the life sciences industry remains the primary focus of administrative penalties.

Additionally, as discussed above, the Opinions expressly list a number of areas of focus, including the financial, food, pharmaceutical and healthcare, and education markets.

Cross‑border coordinated investigation or enforcement activity

Due to the pandemic and geopolitical conflicts, there has been no significant coordinated cross-border investigation or enforcement activity in 2021.

Financial crime predictions for 2022

In addition to existing blocking provisions, the DSL and the PIPL will add complexity to the cross‑border transfer of documents and evidence, particularly in the context of requests from foreign government authorities. The requirements for informed consent of data subjects impact how stealth internal investigations can practically be conducted in Mainland China.

The enhanced anti-sanctions measures introduced by the Chinese government pose challenges for multinationals doing business in Mainland China that must now cooperate with Chinese sanctions imposed on certain politicians and organisations within their home countries. Where foreign sanctions are impacted by the new Chinese laws, multinationals may also find themselves in a dilemma. While some efforts can be made to mitigate the risks from the conflict of laws, it can be difficult to forge a path which caters for compliance with all applicable laws concurrently. 

This article is part of the Allen & Overy Cross-border White collar Crime and Investigations Review. Please visit the review homepage for our overviews and insights in other jurisdictions. 


Download the Cross-Border White Collar Crime and Investigations Review

People working in office

The 'Cross-Border White Collar Crime and Investigations Review' analyses the latest developments and trends, and highlights the most significant among the current and emerging issues that white collar crime and investigations in-house counsel should prioritise in the year ahead.