The amended and restated Anti-Espionage Law of the PRC takes effect on July 1, 2023 (the “New Law”). What are the changes in the New Law? What are the potential impacts of the New Law on foreign companies doing business in or with China? What are the proper compliance responses to allow resting at ease with the New Law? We are sharing more information about the New Law and our thoughts about it, and we hope that you can have your own answers to the above questions after reading this article.

The Changes

Newly Defined Focuses and Tailored Messages

In the General Provisions Section of the New Law, among some normal verbiage twists, a new principle of Total Security Concept stands out.

The Total Security Concept is a CCP ideology and was initially codified into the law in Article 3 of the National Security Law of the PRC. It sets its goal as the security of the Chinese people, the key to realize that goal is the security of the political regime that is built on the security of the economy, guaranteed by the security of the military, science, culture, and society, and dependent on the security of the international environment. The security of the Chinse people includes both the security of homeland (i.e., sovereignty) and the security of citizens.

With this new principle, the New Law defines that the focus of anti-espionage is to safeguard in priority the sovereignty and citizens of PRC, to protect the current political mechanism, to maintain the healthy growth of economy, to advance development in military, science, culture, and public interest and to promote friendly international environment. The focuses of the Anti-Espionage Law of the PRC are never clearer than this one since it was legislated in 2014.

While it sets the sovereignty of China on top of all anti-espionage focuses, it also indicates that PRC wants to have and maintain a friendly international environment for its total security. The aforesaid focus can also be deemed as the core and bottom-line consideration of PRC's anti-espionage work.

This Total Security Concept and, particularly the above two key items of security consideration, are helpful for foreign companies or foreign invested companies in PRC to assess the dynamic espionage risks in either their dealings in a specific event or the effectiveness of their overall compliance strategy, i.e. whether the company's expressed opinion is in conflict with the sovereignty of the country and whether the company's reaction and attitude are in alignment with most of the companies similarly situated.

Expanded Scope of Espionage

The punishable espionage under the New Law includes espionage associated with the espionage organizations, as well as their agents, and espionage associated with foreign entities, institutions, and individuals. Three types of activities are added to the espionage associated with the espionage organizations and their agents, which include: (1) becoming dependent of espionage organizations and their agents, (2) conducting cyber espionage, i.e. conducting cyber-attack, hacking, interference, control or sabotage against China national agencies, classified information possessing entities or the critical information infrastructures and (3) espionage against third countries: carrying out in the territory of the PRC or using Chinese citizens, entities or other conditions of the PRC to carry out espionage against a third country, which harms the national security of the PRC, by espionage organizations and their agents.

  • Becoming Dependents

    Under the law of the PRC, there is no published list of espionage organizations and their agents. They are all subject to determination by the national security agency. It can be foreign and local organizations. The agents of the espionage organizations are defined as individuals who are requested, engaged, sponsored by espionage organizations or their members to carry out or further cause to be carried out activities that harm the national security of the PRC. 

    Although the New Law does not elaborate the definition for “becoming dependents”, it is about individuals' involvement in the espionage. Therefore, foreign businesses and foreign invested companies in China could be less concerned about this expanded item, except that the foreign invested companies in China may want to ensure that their management members will not engage in such activities. Good internally circulated newsletter covering real cases with commentaries could be sufficient to address such a need.

  • Cyber Espionage

    This type of espionage has a technical threshold and cannot be conducted without personal skills and company facilities. To prevent from engaging in such type of espionage incidentally, foreign companies and foreign invested companies in China may want to: 
    1. Keep record of business counterparties who are governmental agencies, classified information possessors and critical information infrastructure operators;
    2. Conduct regular review of network connection or internet communication with the above business counterparties for potential security risks and keep proper records of such review; and
    3. Formulate policies to supervise the use of company network devices that are capable of cyber espionage and run audits from time to time against the use and use records of such equipment and device.

  • Espionage against Third Countries

    Foreign companies or foreign invested companies in China should be conscious about engaging in espionage against a third country using Chinese people, entities or other resources could also be punishable under the New Law. Foreign companies and foreign invested companies in China should refrain from using Chinese entities or individuals or other Chinese resources to conduct espionage against third countries, which may cause harm to the PRC national security.

In addition to the above newly added three types of espionage associated with the espionage organizations and their agents, there is another new one type of espionage which is not necessarily associated with espionage organizations and their agents:

  • Stealing, probing, bribing for, unlawfully providing national secrets, intelligence information and other documents, data, materials, and items relating to national security and interests as carried out by overseas agencies, organizations, and individuals, or by others who are requested or sponsored by them, or jointly carried out in collusion with China domestic agencies, organizations, and individuals.

Under the Chinese law, the “overseas agencies and organizations” include the branches established in PRC by agencies and organizations outside of China, and the “overseas individuals” include foreign aliens resides in the PRC. The “in collusion with” includes jointly planning or carrying out, accepting sponsorship and requests, or even establishing contacts, getting support and assistance.

The New Law does not elaborate the definition for the “other documents, data, materials and items relating to national security and interests”. However, it does not mean that such a term is without boundary. We believe that:

  1. first of all, such “other documents, data, materials and items”, although not being national secrets and intelligence information, are not in the public domain and are subject to physical, technical, or administrative measures to restrict presentation or circulation. The clues of determination can be found from the concepts of the Core Data and the Important Data under the Data Security Law;
  2. secondly, because the New Law does not provide a definition or a referential scope for “relating to national security and interests”, this potentially could have a very broad and discretionary coverage. However, the bottom line is that such “relating to” must have the realistic potential to harm the national security. The scope of national security is defined in Chapter 2 of the National Security Law, the Duties to Safeguard National Securities. ; and
  3. lastly, the New Law also provides that, on a case-by-case basis, national or provincial administration of state secrets protection can be called upon in accordance with the law to assess and determine whether a certain matter, item or information is national secret, intelligence information, may harm or to what extent to harm national security

With the assistance of a local professional in PRC who is familiar with the national security issues, a certain type of documents, data, materials, or items can be approximately assessed whether they have any national security concern.

The coverage of this type of espionage is very broad, and, because this type of espionage only requires connection with normal foreign organizations, entities, and individuals, which means that such type of espionage may happen in the day-to-day businesses, foreign businesses and foreign invested companies should be extra-cautious about engaging in such type of espionage in accidents or without knowledge. To prevent from engaging such type of espionage, foreign businesses and foreign invested companies should:

  • Create a special awareness training to cover this type of espionage for its mid and high-level management team;
  • Identify the areas of the national security and interests that are most relevant to the company and formulate proper compliance policies to address risks associated with such items;
  • Make a plan of reasonable due diligence against the business counterparties and vendors and to understand the “documents, data, materials and items” provided by them.

    If a foreign business or a foreign invested companies cannot have reliable source of local professionals with good knowledge of national security, a dummy approach is that DO NOT BE CURIOUS about “documents, data, materials and items” that are not publicly available. For example, when you hear that a new policy is being drafted and internally discussed, and someone claims they can work with you to get, or they can sell you, or even they provide you for free, a copy or detailed information about it, treat it as a red flag and do not accept such offering.

New Mechanism for Security Protection

The New Law established a new tiered mechanism for security protection. Foreign invested companies are also included in such a mechanism and should be responsible for its own anti-espionage responsibilities in the same way as the Chinese governmental agencies, the Chinese governmental agency sponsored and administrated institutions, the Chinese domestic companies, public institutions and other non-profit institutions and organization. Such responsibilities include offering espionage awareness training and formulating anti-espionage policies, among other things. 

The most significant change to this section is the addition of the special provisions on the critical entities against espionage and security protection. Under the law, the national security agency is responsible for creating and updating the list of such critical entities and notifying the entities on the list, but the list is not open to the public. There are escalated responsibilities of entities on the list. It is unlikely for foreign invested companies to get on such a list, but foreign companies and foreign invested companies should take extra caution in dealing with the entities on the list when they become aware that they are doing business with such entities.

Enforcement Measures

The New Law defines more clearly the procedural requirements on enforcement by the national securities agencies.

Generally, without special approval, the national security officers can only check the identify certification of and ask questions to the individuals and entities, and check the carry-on items of the espionage suspects, after presenting their work ID.

They have to seek approval from the person-in-charge of the national security agencies at the city level or above if they want to:

  • Check the electronic devices, facilities of the individuals and organizations and the applications and tools installed therein;
  • Review and request copies of documents, data, materials, items of the relevant individuals or entities;
  • Subpoena the relevant individual with approval;
  • Frisk the suspects (woman suspects can only be frisked by woman staff) or investigate his or her places; and
  • Inquire the assets information of the suspects.

When they have the approval to do the above, they have to do it in a pair.

Under the New Law, the national security agency at the central level can notify the immigration agency to block exit of any Chinese citizens or entry of any foreign national who threat or cause harm to national security, and the national security agency at the provincial level may notify the immigration agency to block Chinese national suspects of espionage from exiting the country.

The New Law also adds provision targeting cyber risks of espionage. When the national security agencies discover information contents relating to espionage or the cyber-attack risk that is subject to espionage, it may ask the public security or the telecom regulatory agencies to order, or may order by itself in urgencies, bug-fixing, cyber protection enhancement, deletion of applications and contents, suspension of service, applications take-down, website shut-down or block.

In espionage investigation, the New Law keeps the provision that the national security agencies may conduct technical investigation with special internal approval and additionally may ask assistance and support by the postal and courier services, as well as telecom services. The national security agencies can also enter the any facilities and entities for investigation, even restricted facilities, and entities after securing proper approval. They can also take over transportation vehicles, telecommunication devices, places, or buildings for investigation purposes.

Based upon the above, the national securities agencies in their law enforcement and investigation generally have broad power, and all individuals and entities bear the legal obligation to cooperate and assist. Therefore, it is critical foreign invested companies should be familiar with the legally defined procedural requirements of the enforcement and investigation. Creating a quick reference booklet, a special operation procedure, a clearly defined internal escalation path and holding mock trial practice from time to time are all helpful to deal with unexpected investigation or dawn raids.

Liabilities

Committing espionage will likely be subject to criminal liabilities and administrative liabilities by both individuals and entities. The following will focus on administrative liabilities because the criminal liability analysis can warrant another article. 

Individuals committing espionage will be subject to (1) administrative warning, (2) detainment for up to 15 days, and/or (3) administrative fines up to five times of the income if the income is more than RMB50K, or RMB50K if the income is less than RMB50K, and (4) disciplinary punishment. All the incomes received by such individuals or his/her relatives, or anyone associated with such individuals, or their relatives should be forfeited. Knowingly aiding or supporting espionage with anything or in whatever ways or hiding or covering up individuals or evidence of espionage are deemed commission of espionage. Foreign nationals committing espionage could be ordered to exit China with a ban for a certain period from re-entry, or, if being ordered of expulsion, the ban will be for 10 years.

Entities committing espionage will be subject to (1) administrative warning, and/or (2) administrative fines up to five times of the income if the income is more than RMB500K, or RMB500K if the income is less than the amount, and (3) punishment of its legal representative and other staff responsible for the espionage with the same liabilities as those as if they were committing espionage personally.

It is important to note that entities which failed to implement the statutory anti-espionage measures will also be held liable.

On the other side, anyone can report the national security agencies and their staffs if they abuse their powers and commit wrongdoings to the superior national security agencies, to the supervisory body of the Party or to the prosecution agencies. The redresses of the individuals or entities includes request for administrative review of the decisions and filing administrative lawsuits.

Final Comments

The New Law is PRC's response to the complications of the current geopolitical fight, and it takes a defensive approach to address the security risks. Indeed, it has a broad and vague coverage on security concerns, and it increases the security risks faced by the foreign companies or foreign invested companies but it should not be the reason to fear because (1) making vague and increasing power are the universal approach of every government in defending its security concern, (2) security is never a static legal definition but a dynamic concept based upon a government's perception of risks in stability, and local wisdom resources are available to define the approximate boundary, and (3) compared with the original edition in 2012, the New Law actually adds more clarity and legal resorts. Time and practice will reveal what it really is. 

The last note about the New Law is that even it attempts to cover foreign companies, on the strength, China is not aggressive to make its own law enforcement extraterritorial, and doing so is also not consistent with its needs for security. Therefore, even though it includes foreign companies as entities regulatory objects, Chinese government will not target foreign companies for enforcement beyond the Chinse border, and the foreign companies can make themselves at home when they visit or do business in China or with partners in China if:

  • They are wary about the political differences and the scope of the espionage;
  • They have guidelines for their staff about China's security concern relating to their businesses;
  • They can check and prevent their staff from bringing with them documents or materials that are deemed sensitive or political offensive in China;
  • They can offer their staff travelling to China with tips and guidance in handling general checks and investigations by the Chinese governmental agencies, including the Chinese border control officials; and
  • They have capable local resources available in case of emergency.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.