Skip to content

Mainland China

China’s data laws add substantial complexity to the cross-border transfer of documents and evidence for investigations, particularly in the context of requests from foreign government authorities, and for internal investigations. This will impact how a company can respond to direct requests from non-Chinese authorities in any investigation concerning China-based conduct. Data enforcement activity is also increasing rapidly, and has confirmed that foreign-registered entities are captured squarely by the PRC data regime, if processing activities under their direction are carried out in China.

A dip in ABAC enforcement activity against companies in 2022, due to competing governmental priorities (notably Covid), is expected to be temporary, with the government regularly restating its commitment to combat both active and passive bribery.

China’s approach to the regulation of non-fungible tokens (NFTs) is evolving, and it is expected that regulation will include ensuring that NFTs are not commoditised, in line with China’s approach to cryptocurrencies.

Investigations trends/developments 

A low ebb in anti-bribery and anti-corruption (ABAC) enforcement actions

Following a trend that started in 2021, the number of published ABAC-related enforcement cases continued to decline in 2022. China Judgments Online reported 34 first-instance bribery convictions as of late October 2022, as compared to 158 in 2021. The real estate and construction industries continued to account for around one‑third of these cases in 2022. Similarly, according to a Wolters Kluwer database, the number of published administrative penalty decisions for commercial bribery dropped from 100, in 2021, to 40 in the first ten months of 2022.

While China continues to crack down on passive bribery and graft by removing and sentencing high-level public officials, including (as of August 2022) four ministerial-level officials, 21 vice-ministerial-level officials, and several senior executives of centrally state-owned enterprises, there have been no high-profile enforcement actions against companies committing active bribery. This is particularly noteworthy as the government declared in the last year that it would be more active in punishing active bribery, and in pursuing further “concurrent investigations” of active and passive bribery.

This decline in commercial enforcement action may be due to a shift in the government’s priorities towards more urgent threats, including international political pressures, and COVID and its associated preventive measures.

During the pandemic, there was a significant expansion of government power at both the central and local levels. At the same time, the “emergency” nature of this more expansive government reach has complicated the ABAC environment in China, as parties balance their compliance obligations with the need for urgency in dealing with the government’s epidemic controls.

We expect this trend of lessened enforcement action to be temporary, with the government regularly reaffirming its commitment to the “anti-corruption” campaign. The critical and unanswered question is when the government will turn its attention back to ABAC as a policy priority. It is interesting to note that, on 22 November, the State Administration for Market Regulation (SAMR) released a new draft amended version of the Anti-Unfair Competition Law (the AUCL) for comment. The new draft proposes reinstating a previously-abandoned, controversial approach to punishing active bribery directed not only at the personnel of transaction counterparties, but also at transaction counterparties themselves (if not properly accounted for). It also proposes reinstating punishment for passive bribery, and strengthening the administrative penalty for violations.

A giant leap in data law enforcement

China’s regulators have been far more active in enforcement of its new data protection laws. The new data regime saw its most high-profile enforcement action to date in July 2022, when the Cyberspace Administration of China (CAC) announced a fine of RMB 8.026 billion against Didi Global Co., Ltd., for various data-related violations including: (i) unlawful or excessive collection of personal information; (ii) processing of personal information without adequate notification; (iii) frequent requests for permission from data subjects without justification; (iv) inaccurate and unclear description of purposes for processing personal information; and (v) carrying out data processing activities that harm national security and the security of China’s critical information infrastructure. This case has also highlighted CAC as another significant regulator in China’s regulatory regime that requires special attention.

In addition to the gravity of the penalty, this case has raised several issues worth noting:

  • Didi Global Co., Ltd. was found to be the offender even though it is the offshore parent company of the onshore operational entities of the Didi Group. It is therefore confirmed that foreign-registered entities are captured squarely by the PRC data regime, if processing activities under their direction are carried out in China.
  • CAC adopted strict criteria in determining whether certain of the processing activities were “necessary” and “minimal.” We note that the collection of certain personal information, eg  access to phone numbers of the passengers using the  service) was not without business justification, but was nonetheless determined to be “excessive”.
  • It remains unclear how the fine was calculated, and, in particular, if the fine included confiscation of illegal income. Additionally, while the amount of the fine was high, the regulators actually did not resort to the more disruptive penalties in their toolbox, such as suspension of business, revocation of the business licence, negative entry in the social credit records, disqualifying the responsible individuals from certain senior roles in the company, and pursuit of criminal liability, presumably due to the importance of Didi’s services in the Chinese market. That is not the case in other enforcement actions, however, with the CAC issuing a public announcement, on 3 November 2022, that it had recently terminated the operation of 55 mobile applications and ordered timely rectification by another 80 mobile applications, for various data violations.

For more information about the Didi case, please refer to our previous article published at

De-commoditisation of NFTs

The market for non-fungible tokens (NFTs) has expanded significantly in China since 2021, as it has in many other places around the world. NFT market players in China are not limited to private sector enterprises, with many players having a government background. The former includes tech giants such as Tencent, Alibaba, and Baidu, which have all launched NFT marketplaces. The latter includes Xinhua News Agency and China Central Television, which have developed and issued their own NFT products, and government-sponsored cultural artwork exchanges seeking to set up online trading platforms for NFT-based digital artworks.

It is unsurprising that China has taken a dim view of attempts to commoditise or securitise cryptocurrencies, through initial offerings, trading, and speculation. NFTs, which often rely on blockchain technology and are often associated with cryptocurrencies, are likely to be regulated under the same principles.

Other than the general regulation on “blockchain-based information service providers,” NFTs have not been subject to any special regulations so far. However, industrial associations including the National Internet Finance Association of China, the China Banking Association, and the Securities Association of China jointly issued the Proposals on Preventing NFT-related Financial Risks in April 2022, which set forth basic principles for NFT-related businesses, with a focus on rebuffing the attempts to commoditise or securitise NFTs. While these industrial associations are not government regulators, and the Proposals have no legal effect, the Proposals may be viewed as “testing the waters”, and may shed light on future legislative direction.

Many key onshore market players have adopted the following measures to minimise the financial attributes of NFTs, in order not to be considered as engaging in illegal securities issuance, fundraising or exchange of business, or violating the cryptocurrency and Initial Coin Offering ban in general:

  • tokenising artworks on the consortium blockchain rather than the public blockchain
  • referring to NFT products as “virtual collectibles” instead of “tokens” to avoid the apparent association with cryptocurrencies
  • prohibiting the use of cryptocurrencies for transactions of NFT products
  • suspending secondary trading of NFT products for the time being
  • prohibiting any fractionisation of NFT products.

Some of the measures (such as the ban on secondary trading) may be relaxed or lifted as the regulatory framework on NFTs evolves. However, many others are expected to stay as standard industry practices.

Foreign market players are advised to adopt similar measures to the extent possible when providing NFT-related services to Chinese residents, or otherwise engaging in NFT businesses in China, to avoid the attention of PRC regulators.

The Chinese government is also wary of the money-laundering risk arising from NFTs. In the Chinese onshore NFT market, this risk is controlled indirectly from the efforts to decommoditise NFTs, especially by limiting payments to be made through banks or licensed third party payment companies that are AML-obligated persons. The risk is further reduced by the market practice of making NFTs analogous to “collectibles” as opposed to financial assets. However, foreign market players that intend to provide NFT-related services to Chinese residents on a cross-border basis should also be aware of the potential extraterritorial effect of the PRC anti‑money laundering laws, particularly the criminal laws. For the sake of prudence, foreign market players that intend to provide NFT-related services to Chinese residents are advised to follow the same approach adopted in relation to the Chinese domestic market when doing so.

Important 2022 law reforms impacting corporate criminal liability

As in 2021, 2022 witnessed continuing, significant developments in laws governing the cross-border transfer of data. In general, the PRC data legislation requires, among other things, that data processors shall: (i) pass mandatory government security assessments; (ii) obtain security certifications issued by a government‑accredited agency; or (iii) execute standard agreements (using the government-issued template) with foreign recipients, before transferring personal information and/or important data abroad. Failure to comply with these rules when transferring personal information and certain other data abroad may lead to administrative liability and, in extreme cases, criminal liability.

CAC released, on 7 July 2022, the long-awaited Measures on Security Assessment for the Cross-border Transfer of Data (the Security Assessment Measures) in order to flesh out the security assessment process briefly referred to in the data laws. The Security Assessment Measures articulate the conditions under which a security assessment is required, the procedures for security assessment, and the factors that the authorities will consider when conducting a security assessment.

Around the same time, the Secretariat of the National Information Security Standardisation Technical Committee issued the Security Certification Specification for Cross‑border Processing of Personal Information (TC260-PG-20222A) (the Specification), which sets forth principles, rules, and basic requirements for the security certification process. The Specification was updated on 8 November, and the Rules for the Implementation of Personal Information Protection Certification jointly released by CAC and SAMR on 4 November specifically require compliance with the Specification for the security certification process.

CAC also released for public comment the draft Provisions on Standard Contracts for Cross-border Transfers of Personal Information (the Standard Contracts Provisions), which forecast the conditions where cross‑border transfer of personal information may be based on standard conditions, and what the government‑issued template agreement will look like.

With the Security Assessment Measures and the Security Certification Specification now in place, and the Standard Contract Provisions in the pipeline, the main regulatory framework on the cross-border transfer of personal information and important data is in place. After the grace periods, data processors will need to follow the applicable rules and procedures before transferring personal information or important data abroad, and they can no longer avoid compliance while “waiting” for implementation rules.

That said, these cross-border data transfer rules do introduce new questions that will require clarification in the future. For instance:

  • it is unclear what the relationship between these general cross-border transfer rules and the pre-existing data transfer review and approval processes developed by industrial regulators is
  • the requisite level of detail of the submission materials for security assessment and security certification remains an area of know-how to be developed by practitioners, based on their first-hand interactions with the regulators
  • the legal community is still eager to understand the extent to which data protection agreements between data processors and their foreign recipients that are multinationals will be allowed to deviate from the government template, as there are many issues that will likely arise with execution of the template as it is, particularly with multi-jurisdictional commercial and regulatory considerations in mind.

Internal investigations – key developments

The development of the cross-border transfer rules will complicate internal investigations carried out by multinationals on a cross-border basis, eg the transfer of findings, evidence, and data from local subsidiaries to global headquarters. China has not provided any exception for cross-border transfer of human resources data or data related to internal investigations, and there is no indication that there will be any such exception, although the government may adopt more streamlined procedures for the transfer of the data based on security assessments and the other requisite processes. The other possibility is a state-to-state agreement between Chinese and foreign regulators for the transfer of such data, although there is no indication that any such agreements are anticipated in the near future.

We and our clients continue to follow these developments closely, as they will directly impact how to conduct both internal and regulator-facing investigations, and how we can cooperate with foreign regulators examining China-based conduct.

Sectors targeted by law reforms or enforcement action

The developments in the data law regime will disproportionally affect industries that are data-intensive, such as finance, e-commerce, social media, smart electronics/terminals, and travel and hotels. That being said, the data regime is far-reaching, and has already had a demonstrable impact on nearly all sectors  doing business in China.

This article is part of the Allen & Overy Cross-border White collar Crime and Investigations Review. Please visit the review homepage for our overviews and insights in other jurisdictions. 


Download the Cross-Border White Collar Crime and Investigations Review

Person using laptop

The 'Cross-Border White Collar Crime and Investigations Review' analyses the latest developments and trends, and highlights the most significant among the current and emerging issues that white collar crime and investigations in-house counsel should prioritise in the year ahead.