Growing Risk to International Corporations: PRC Laws Expand CCP Oversight and Surveillance Requirements

This update captures the latest on PRC laws with a special focus on factors relevant to business decision-makers. The content here is tailored to what we recommend every corporate director/board member of international corporations know about these new surveillance laws. These laws pose a risk to any company doing business in China, including not only those that manufacture or purchase supplies from PRC-based partners but also those that sell into the market there.

According to the National Counterintelligence and Security Center (NCSC, part of the U.S. Intelligence Community), Beijing has viewed outbound flows of information from China as a national security risk and has also established the need to leverage access to and control over data held by international firms in China for surveillance purposes. New laws grant the PRC government access to data.

U.S. and other global companies and individuals in China could face penalties for traditional business activities that Beijing deems acts of espionage or for actions that Beijing believes assist foreign sanctions against China. The laws may also compel locally-employed PRC nationals of U.S. firms to assist in PRC intelligence efforts (note: These laws now apply to operations in Hong Kong as well).

The most recent law has just taken effect. It is an update to their counter-espionage laws that redefines the scope of what could be considered espionage to include any information they want to call espionage-related.

To put this most current law into context, here is an overview of key laws impacting U.S. and other international company operations in China passed by the PRC since 2015:

2015 NATIONAL SECURITY LAW

This law stipulates that any PRC citizen and private organization must assist the PRC government and intelligence services with any security issues when ordered. This includes compelling locally employed PRC nationals of companies to assist in investigations, covertly.

2017 NATIONAL INTELLIGENCE LAW

This law builds upon the 2015 national security law to underscore that the PRC’s intelligence services must always be complied with.

2017 CYBERSECURITY LAW

This law requires all critical infrastructure companies (a term not defined in the law, which includes any foreign companies working with critical infrastructure) to retain their data within China’s borders and make all their data available to intelligence services.

2021 DATA SECURITY LAW

This law adds new restrictions on data, including a tiered system based on Beijing’s interpretation of the data’s importance to state security. It imposes stricter measures and much more significant penalties on companies for noncompliance.

2021 ANTI-FOREIGN SANCTIONS LAW

This law provides grounds for the PRC to take countermeasures against foreign sanctions and authorizes PRC actions against foreign persons or entities that implement or assist foreign sanctions against China. This means the PRC can retaliate against any firm that it judges has assisted in implementing foreign sanctions. Some companies may be forced to choose whether to follow US or PRC guidance on sanctions and the law in this regard.

2021 PERSONAL INFORMATION PROTECTION LAW

Some have called this analogous to the GDPR since on the surface it claims to codify the privacy right of PRC citizens. But in reality no PRC citizen has what we would call privacy rights, at least not privacy from government and CCP surveillance. All domestic and foreign companies must comply with reviews to ensure data is being controlled properly. It restricts the ability of companies to gather and retain data on PRC people and also authorizes the PRC government to take all data it desires if they believe it is in the public interest.

2021 CYBER VULNERABILITY REPORTING LAW

This law introduces risks to all who use IT. It requires all companies with China-based equities to report cyber vulnerabilities discovered in their systems or software to PRC authorities and mandates that the vulnerabilities cannot be publicly disclosed or shared overseas until PRC authorities complete an assessment. This provides PRC authorities the opportunity to exploit system flaws before vulnerabilities are known by others.

2023 COUNTER-ESPIONAGE LAW UPDATE

This is the latest in this long string of laws that impact U.S. and other foreign corporations acting in China, including those selling into the market. It significantly broadens the scope of the PRC’s counterespionage law by expanding the definition of espionage from covering state secrets and intelligence to any documents, data, materials or any other items related to national security interests. And it does this without defining those terms further, meaning anything the PRC government or CCP wants to be considered subject to this act can be treated this way. It is in effect now.

This law, building on all the others, introduces new legal risks and uncertainties for companies doing business in or with China. All documents, data and materials can be considered relevant to PRC national security.

What does all this mean for you and your business?

Corporate directors, C-Suite leaders, strategists, financial planners and policy makers should evaluate the current legal environment. As an aid in your planning process, here is a list of recommendations for you to evaluate:

  1. Perhaps the greatest, most important recommendation we have for your business is that you should conduct a net-assessment on the risks and benefits of doing business in China. Every company is different and the scenarios you plan for will need to be tailored to your situation. We can assist with your planning by informing your team on the very latest developments and the nature of risk in the area. Reach out if we can help.
  2. Continue to make yourself aware of the geopolitical situation in the region as well as the most relevant aspects of the ongoing trade and tech tensions. Be sure that you, and all members of your team, are on distribution for the free OODA Daily Pulse. OODA Loop members also have access to several strategic reports written to provide insight on China and these can help level set your entire team (start with our special report on The China Threat).
  3. This topic of geopolitical risk, including this specific topic of potential scenarios and actions by China, is a frequent topic of OODA network monthly meetings and informs our recommendations. These sessions are only for OODA expert level members. Sign up here to participate directly in discussion of these topics with your peers.
  4. Continuously consider your cybersecurity governance procedures. Do not wait for the SEC to mandate that your board address these topics. See: OODA’s Cyber Board Advisory Services for starting points to consider. Cyberattacks will almost certainly continue to shift. Some adversaries may decide to make direct attacks against U.S. organizations to degrade and disrupt production. So stay agile in defense. Ensure your team is following Cybersecurity Best Practices. Red Team your defenses. Leverage deception in your defenses. Protect the communications of your executive team.
  5. Analyze your technology dependencies and the dependencies of your supply chain as well. What are dependencies on China? What are exposures to their laws? Do you sell into the Chinese market? What data do you have that is applicable to these laws? Where is it stored? Are your networks segmented?
  6. Review your current intentions regarding M&A or divestiture. Do any transactions impact business with PRC-based companies?

As an OODA member we also ask that you keep us in the loop on how the OODA Network can best serve your interests. Reply to any of our newsletters or contact us here. 


Resources and Additional Information:

NCSC on Safeguarding Our Future: A succinct overview of the laws referenced above from the National Counterintelligence and Security Center.

The OODA C-Suite Report: Updated strategic intelligence for corporate directors and the C-Suite providing insights into geopolitical risk, technological developments and cyber conflict.

The China Threat Brief: Provides strategic intelligence on China, the PRC and their global intentions.

Global Risk and Geopolitical Sensemaking: A dynamic resource for OODA Network members looking for insights into the geopolitical dynamics driving global risks.

Bob Gourley

About the Author

Bob Gourley

Bob Gourley is an experienced Chief Technology Officer (CTO), Board Qualified Technical Executive (QTE), author and entrepreneur with extensive past performance in enterprise IT, corporate cybersecurity and data analytics. He is CTO of OODA LLC, a unique team of international experts that provides board advisory and cybersecurity consulting services. OODA publishes OODALoop.com. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.