This China Newsletter provides an overview of key developments in the following areas:
1. Antitrust
- China's SAMR Publishes Horizontal Merger Review Guidelines
2. Compliance
- China Amends Anti-Money Laundering Law
3. Data Privacy & Cybersecurity
- China Issues Regulations on Network Data Security Management
- China Releases Guidance for CBDT in Great Bay Area
4. International Trade
- China Issues New Regulations on Export Control of Dual-Use Items
5. Health Care
- China's NMPA Issues Interim Provisions on the Administration of the Domestic Responsible Person Designated by Foreign MAH
Antitrust
China's SAMR Publishes Horizontal Merger Review Guidelines
中国市监总局印发《横向经营者集中审查指引》
On Dec. 10, 2024, the State Administration for Market Regulation released the Guidelines for the Review of Horizontal Business Concentrations (Guidelines). The Guidelines, formulated according to the AntiMonopoly Law of the People's Republic of China, took effect the same day.
The Guideline comprises 12 chapters and includes 29 guiding cases. Below are the Guidelines' key points:
- Clear Competition Damage Theories: The Guidelines define two competition damage theories, unilateral effects theory and coordinated effects theory. These theories align with international practices and provide an evaluation framework for anti-monopoly law enforcement authorities during reviews, as well as for business entities conducting self-assessments.
- Deals within the Digital Economy: The Guidelines tackle the challenges posed by the digital economy's growth in anti-monopoly reviews of business concentrations. When reviewing transactions involving two-sided or multi-sided platforms, the Guidelines require companies to consider all platform businesses and evaluate both direct and indirect network effects. Additionally, for transactions within the platform economy, companies must analyze factors such as technical methods, platform rules, data, and algorithms to determine their potential to facilitate coordinated behavior. For killer acquisitions of start-ups, particularly in markets with high concentration and few competitors, it is crucial to assess whether the transaction might stifle competition and hinder innovation. This assessment should consider the transaction's purpose, potential competition, and innovation capabilities.
- Definition of "Relevant Markets:" The Guidelines introduce a new approach to defining relevant markets by incorporating factors such as "changes in other national policies" and "availability of goods." This represents a disruption in the traditional analytical framework for anti-monopoly control of business concentrations.
- Consideration of Government Subsidies: The inclusion of government subsidies in the review of business concentrations can be beneficial for addressing relevant foreign countervailing policies. It can also be applied to the anti-monopoly review of domestic business concentrations to prevent market competition from being excluded or restricted by business concentrations supported by local government subsidies.
- "Safe Harbor:" The Guidelines introduce China's first anti-monopoly control "safe harbor" for horizontal business concentrations. Using the Herfindahl-Hirschman Index (HHI) measurement of market concentration, the relevant market is categorized into three types: low concentration, medium concentration, and high concentration. Two HHI index change thresholds of 100 and 200 are applied to form three zones: "safe," "comprehensive review," and "presumed to have or likely to have anticompetitive effects."
The Guidelines mark a milestone in China's anti-monopoly efforts, suggesting continuous improvement in the regulatory system. By combining provisions with guiding cases, the Guidelines demonstrate the review process, competition analysis, and assessment factors for horizontal business concentrations. This helps refine anti-monopoly rules, improve review procedures, and may provide a more predictable environment for investments and mergers.
Compliance
China Amends Anti-Money Laundering Law
新修订《反洗钱法》通过,于 2025 年 1 月 1 日起施行
On Nov. 8, 2024, the Standing Committee of the National People's Congress adopted the amended AntiMoney Laundering Law (Amended AML Law), which took effect Jan. 1, 2025. This new legislation replaces the existing Anti-Money Laundering Law of 2006 (AML Law 2006), integrating previously established administrative regulations and introducing changes to China's anti-money laundering (AML) regime.
1. Expanding the Scope of AML Efforts
The Amended AML Law broadens the scope of anti-money laundering activities. Article 2 now includes a catch-all provision to encompass disguising or concealing activities linked to "other crimes," providing the authorities flexibility to address emerging threats, such as telecom and online fraud. Additionally, the amended law extends its application to counter-terrorism financing, reinforcing China's commitment to addressing both money laundering and terrorism financing.
2. Redefining Obligors in AML Compliance
Under the AML Law 2006, financial institutions and certain non-financial institutions had to fulfill AML obligations. The Amended AML Law revises and expands this list to include
- real estate developers and intermediaries involved in sales or brokerage;
- accounting firms, law firms, and notary offices engaged in handling real estate transactions, fund management, and asset management, among other activities;
- traders of precious metals or gems exceeding specified transaction amounts; and
- other institutions the State Council's anti-money laundering authority, i.e., the People's Bank of China, deems necessary based on assessed risks.
These entities should tailor their AML strategies to industry characteristics, operational scale, and specific money laundering risks in order to develop a more targeted approach to compliance.
3. Introducing a Beneficial Ownership Filing System
With the goal of increasing transparency, the Amended AML Law mandates establishing a beneficial ownership filing system. Both financial and specified non-financial institutions are required to identify and verify their clients' beneficial owners. A beneficial owner is defined as the natural person who ultimately owns, controls, or benefits from a legal entity. This aligns with the recently enacted Administrative Measures for Beneficial Ownership Information (BOI Measures), which require existing entities to file beneficial ownership information by Nov. 1, 2025.
4. Establishing Extra-Territorial Jurisdiction
The Amended AML Law extends its reach beyond China's borders, applying to any overseas money laundering and terrorist financing activities that threaten China's sovereignty, security, financial order, or that infringe upon the rights of Chinese citizens and entities. This extraterritorial application signals China's intent to play a proactive role in the global fight against money laundering and terrorism financing.
5. Conclusion
The Amended AML Law represents an advancement in China's legal framework for combating money laundering and terrorist financing. By expanding the scope of AML activities, redefining compliance obligations, introducing beneficial ownership requirements, and asserting extraterritorial jurisdiction, China is seeking to enhance its ability to address domestic and global financial crimes. It is crucial for affected entities to understand and align with these new requirements, enhancing compliance and contributing to a safer financial environment.
The Amended AML Law reflects ongoing changes to China's AML framework, which align with global standards that bodies like the Financial Action Task Force (FATF) have set. These updates suggest an intent to address financial system integrity and related domestic concerns.
Data Privacy & Cybersecurity
China Issues Regulations on Network Data Security Management
国务院发布《网络数据安全管理条例》,于 2025 年 1 月 1 日起施行
On Sept. 30, 2024, the State Council of China announced the release of the long-awaited Regulations on Network Data Security Management (Regulations). Following three years of deliberations and stakeholder consultations since the initial draft in 2021, these regulations took effect Jan. 1, 2025. They represent a critical component of China's legal framework, supporting Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL) enforcement.
1. Scope of Application and Extra-Territorial Reach
The Regulations apply to data handling activities within China and extend to certain activities outside the country. Specifically, foreign entities that collect personal data from China for selling goods or services to Chinese consumers or for tracking the behavior of individuals in China fall under its jurisdiction. Additionally, if overseas data activities threaten China's national security, public interest, or the legal rights of Chinese citizens, they are subject to these regulations.
This extra-territorial application, although previously covered by laws like PIPL, is now explicitly clarified. Foreign businesses must appoint a representative or establish a designated organization within China and report their contact information to the Cyberspace Administration of China (CAC), indicating heightened scrutiny of cross-border data activities.
2. Defining "Important Data"
The concept of "important data" is crucial, as entities handling such data face stricter compliance requirements but previously lacked clarification. To address ambiguity, the CAC issued the Provisions on Promoting and Regulating Outward Data Flow, clarifying that data should be treated as non-important unless identified in a published important data catalogue or notified by Chinese regulators. This clarification helps reduce compliance uncertainty for businesses.
The Regulations, aligning with the foregoing provisions, require businesses to use published important data catalogues and conduct self-assessments to determine if their data is classified as important. Unless notified by regulators, they can assume their data is not "important data."
In 2024, several Chinese Free Trade Zones initiated regulatory "sandbox" experiments, introducing more flexible rules. For instance, Beijing and Tianjin Free Trade Zones increased the threshold for personal data considered important from 1 million to 10 million individuals.
The Regulations adopt this relaxed approach. However, companies handling personal data of over 10 million individuals must still create a dedicated department and appoint a senior executive for data security who reports to regulators. They must also submit a data disposal plan in cases of mergers, acquisitions, spin-offs, or insolvency affecting data security.
3. Cross-Border Data Transfers
The Regulations outline clear guidelines for data processors aiming to transfer personal information overseas, enhancing compliance and safeguarding individual rights. Key conditions include:
- Outbound Security Assessment: Data processors must evaluate risks associated with international data transfers to protect privacy and security.
- Standard Contract Compliance: Transfers must adhere to a standard contract that defines the responsibilities of all parties involved.
- Contractual Necessity: Transfers are allowed if needed to fulfill a contract involving the individual, ensuring contractual obligations are met.
- Human Resources Management: Personal information can be transferred for HR purposes if compliant with labor regulations and collective contracts, crucial for international operations.
- Legal Obligations: Transfers are permitted to fulfill legal duties or obligations.
- Emergency Situations: In emergencies threatening life, health, or property, data can be transferred to ensure protection and assistance.
- Legal Provisions: Compliance with any additional legal conditions for international data transfer is required.
The Regulations signal China's commitment to data protection while facilitating necessary business and legal data transfers.
4. Special Obligations for AI-Generated Content and Data Scraping
In response to the deployment of new technologies such as AI-generated content and data scraping, the Regulations also set specific obligations for data processing activities in these fields.
With respect to data scraping, data processors that access or collect network data using automatic tools (e.g., scraping) must assess its impact and ensure the scraping does not violate PRC laws and regulations and does not interfere with the normal operation of network services.
In addition, data processors offering generative artificial intelligence services must implement effective measures to prevent and address network data security risks to ensure AI training data and related activities are secure.
5. Special Obligations for Large Network Platforms
Large network platforms, defined as those with over 50 million registered users or 10 million monthly active users, face specific compliance obligations. They must not abuse their position to restrict data access or discriminate against users. Additionally, they are required to publish annual personal data social responsibility reports.
6. Enforcement and Liabilities
The Regulations carry enforcement power, with penalties ranging from warnings and business suspensions to fines and personal liability for executives. Violations may also trigger penalties under the CSL, DSL, and PIPL, with fines reaching RMB 50 million or 5% of annual turnover, as well as potential criminal liability.
China Releases CBDT Guidance for Great Bay Area
中国发布《网络安全标准实践指南——粤港澳大湾区(内地、香港)个人信息跨境处理保护要求》
On Nov. 21, 2024, the National Technical Committee 260 on Cybersecurity of the Standardization Administration of China issued the Cybersecurity Standard Practice Guide - Personal Information CrossBorder Processing Protection Requirements for the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (Guide).
The Guide establishes the fundamental principles and requirements for the mutual recognition of personal information cross-border flows within the Greater Bay Area. It suggests that certified enterprises can facilitate cross-border personal information flows within the region.
The Guide introduces a hybrid certification approach that combines professional certification bodies with official recognition. Under this framework, personal information processors or recipients in Guangdong province (including Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing) can seek cross-border security certification through professional institution certification. At the same time, those in Hong Kong can apply to be listed on the "Approved List for Cross-border Transfer of Personal Data in the Greater Bay Area (Mainland, Hong Kong)," which the Office of the Privacy Commissioner for Personal Data of Hong Kong maintains, to facilitate the cross-border processing of personal information.
The Guide provides explicit compliance instructions for enterprises in the Greater Bay Area that engage in cross-border personal information processing. Enterprises should refine their procedures and enhance security measures to adhere to these requirements.
International Trade
China Issues New Regulations on Export Control of Dual-Use Items
中国发布《两用物项出口管制条例》和《中华人民共和国两用物项出口管制清单》
On Oct. 19, 2024, the State Council of the People's Republic of China (PRC) announced the Regulations on Export Control of Dual-Use Items (Regulations), which took effect Dec. 1, 2024. The Regulations mark a step in consolidating and streamlining China's export control system for dual-use items—goods, technologies, and services that can be used for both civilian and military purposes. This move aims to enhance national security while meeting international obligations.
1. Defining Dual-Use Items
Aligning with the Export Control Law, the Regulations define "dual-use items" as those that can contribute to military potential or be used in weapons of mass destruction development. This includes related technical materials and data. The definition underscores the importance of controlling these items to protect national security and fulfill non-proliferation commitments.
2. Consolidated Control List and New Coding System
A significant development under the Regulations is the introduction of a Consolidated Control List of Dual-Use Items (Consolidated List). Historically, China's export control system has been fragmented, with separate lists for different categories of dual-use items, such as nuclear materials and biological agents. The new list, which the Ministry of Commerce (MOFCOM) manages, will unify these under a single framework, simplifying compliance and enforcement.
On Nov. 15, 2024, MOFCOM released the Consolidated List, preempting all lists separately issued before. This Consolidated List introduces a five-character coding system, akin to the Export Control Classification Number (ECCN) used in the United States. This system seeks to facilitate international trade by making it easier to reference and compare controlled items. Unlike previous lists tied to customs HS codes, this standalone system aims to provide a clearer and more precise classification of dual-use items.
3. Entities and Watch Lists
- List of Entities Under Export Control: The Regulations expand the criteria for foreign importers and end-users to be included on this list. Entities that misuse dual-use items or pose risks to national security may find themselves subject to export restrictions.
- Watch List: A new precautionary measure, the Watch List serves as an intermediary step before an entity is placed on the List of Entities under Export Control. Entities that fail to comply with verification procedures may be added to the Watch List, complicating their ability to secure export licenses.
4. Temporary Control and Licensing Enhancements
The Regulations reiterate the temporary control mechanism from the Export Control Law, allowing for the imposition of controls on items outside the Consolidated List for up to two years. This mechanism is subject to evaluation and can be extended twice if necessary.
Significant changes in licensing procedures include:
- General Export License: This new license type permits qualified exporters to conduct multiple exports to specified end-users within a defined scope and timeframe. Exporters must maintain a robust internal compliance system to qualify.
- Export Credentials: These are introduced for specific scenarios, such as re-export for repairs, allowing for a more streamlined customs clearance process.
- Application for Licenses: Exporters must reapply for licenses if there are changes to key elements like the type of dual-use items or end-user. Failure to comply can result in severe penalties, including fines and business suspension.
5. Reporting Obligations and Extraterritorial Jurisdiction
The Regulations emphasize the importance of reporting obligations, requiring immediate notification to MOFCOM upon receiving foreign government requests related to export control. This ensures that Chinese entities remain compliant with national and international standards.
Furthermore, the Regulations grant MOFCOM limited extraterritorial jurisdiction, allowing it to control certain transfers of dual-use items abroad. This jurisdiction applies specifically to items containing Chinese-origin dual-use components and underscores the global reach of China's export control policies.
6. Conclusion and Potential Implications for Exporters
The introduction of the Regulations and the Consolidated List marks an advancement in China's export control framework, providing clarity and consolidating various existing provisions. However, certain areas, such as the requirements for export credentials and the scope of extraterritorial jurisdiction, require further clarification.
Exporters engaged in the trade of dual-use items should prioritize developing and refining their internal compliance systems. Proactive adherence to reporting obligations and a thorough assessment of export operations are crucial may help exporters avoid violations and implement sustainable business practices.
Health Care
China's NMPA Issues Interim Provisions on the Administration of the Domestic Responsible Person Designated by Foreign MAH
中国药监局发布《境外药品上市许可持有人指定境内责任人管理暂行规定》
On Nov. 13, 2024, the National Medical Products Administration (NMPA) released the Interim Provisions on the Administration of the Domestic Responsible Person Designated by Foreign Marketing Authorization Holders (Provisions), which will take effect July 1, 2025. The Provisions aim to enhance the oversight of foreign drug marketing authorization holders (MAH) and ensure they fulfill their primary responsibility for post-marketing drug quality management. The Provisions' key points include:
- Qualifications: The domestic responsible person, as outlined in the Provisions, refers to a domestic legal entity the MAH appoints to fulfill the MAH's obligations within China and share joint and several liability. This entity must be a legally established corporate entity within China, possess a suitable quality management system for fulfilling MAH responsibilities, have capable personnel, including dedicated staff for independently managing drug quality activities, and maintain suitable office premises.
- Reporting Requirements: Before a drug's initial import and sale, the MAH must file the designated domestic responsible person with the provincial drug regulatory department through the National Drug Business Application System. For a specific drug variety, the MAH is required to designate a single domestic responsible person. This domestic responsible person may accept designations from multiple MAHs for different imported drug varieties. The NMPA will incorporate this information into the drug variety file and make it publicly accessible, ensuring transparency and public access to this information
- Obligations: Domestic responsible persons and MAHs share responsibilities, including, but not limited to, ensuring drug quality and safety, establishing a drug traceability system, maintaining an annual reporting system and a pharmacovigilance system, overseeing drug recalls, and managing quality complaints.
- Consequences of Non-Compliance: If a domestic responsible person does not meet the qualifications the Provisions outline, they will be required to make corrections within a specified timeframe. Failure to comply within this period may result in actions such as suspending sales and imports. If the domestic responsible person neglects their duties, leading to potential safety risks for imported drugs, measures like warnings and interviews will be conducted, and the findings from inspections and handling will be publicly disclosed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.