China: handling internal investigations

This is an Insight article, written by a selected partner as part of GIR's co-published content.

China is the world’s second largest economy by nominal GDP and its growth still outpaces much of the developed world. The country’s growing middle class presents attractive opportunities for foreign investors despite a complex investment environment. China ranks 83 out of 168 countries on Transparency International’s 2015 corruption perceptions index. Corruption and fraud remain significant business risks. While China’s recent crackdown on corruption has been well publicised, foreign regulators continue to target multinationals for bribery and corruption involving China-related business. Recent scandals involving the pharmaceutical industry and the hiring of relatives of public officials have attracted significant media attention.

These risks highlight the importance of having appropriate procedures in place to address investment risks and protocols for conducting internal investigations should an incident occur. Conducting internal investigations in China can be difficult, due to the nuances of local restrictions that may sometimes be overlooked in the rush of an internal investigation. Recent steps by Chinese enforcement agencies to encourage whistleblowing by employees also add to the risk that needs to be carefully managed by multinational companies with operations in China.

How internal investigations begin

The need to undertake an internal investigation usually arises in one of two scenarios: where a former or current employee or a third party with information about an alleged wrongdoing blows the whistle; and where the company itself suspects a risk problem and decides to investigate the existence and extent of the problem. In either case, an internal investigation would be required, or at least advisable, to properly identify and address any regulatory concerns, to protect the interests of the company and those of its shareholders, and to enable the company to proactively manage any negative publicity that might arise in the event of an enforcement action or the incident coming to light.

Although the issues that need to be considered in conducting the internal investigation will likely be similar on both occasions, the risk of adverse publicity and regulatory attention will feature more significantly in the former and a well-prepared communications strategy will be an important part of the internal investigation protocol.

In this article, we discuss some of the specific China-related considerations that can present challenges and risks when conducting internal investigations.


In recent years, whistleblowing has emerged as one of the most effective methods of unearthing corporate misconduct and the majority of corruption and fraud investigations in China, particularly those related to the healthcare sector, were initiated by whistleblowers.

In China, the Constitution protects the right of an individual to report illegal conduct and there are other laws (including without limitation the Criminal Law, the Criminal Procedure Law and other regulations issued by the Supreme People’s Procuratorate) that provide limited protection to individuals who report criminal activities and cooperate with the police.

In line with the increased level of whistleblowing activity in China, in October 2014, the Supreme People’s Procuratorate amended its Rules for Dealing with Whistleblowing that specify the rights of and protections afforded to whistleblowers who file complaints through official channels. In particular, article 8 of the amended rules provides for a whistleblower’s right to remain anonymous, to enquire into the status of the investigation after reporting the alleged wrongdoing, to appeal any refusal to investigate by the local procuratorate, and to request protection orders against personal harm or damage to property. In certain situations, a whistleblower may also receive a reward out of the sum recovered by the people’s procuratorates. More recently, in March 2016, the Supreme People’s Procuratorate released Several Provisions on Protecting and Rewarding Whistleblowers of Occupational Crimes, which provides for greater confidentiality, safety and protection of assets for whistleblowers and their close relatives. The provisions also extend the definition of retaliation to include measures such as terminating employment or demotion.

These efforts by the Chinese enforcement agencies to encourage whistleblowing and the lure of potential financial incentives indicate the heightened risk faced by multinational corporations operating in China for which compliance programmes need to be specifically tailored. Specifically, it underscores the need for companies to ensure the availability of an internal reporting system whereby complaints of any suspected wrongdoing or misconduct are effectively investigated and properly addressed.

Data protection

In most cases, a key task in an internal investigation is the collection and review of hard-copy documents kept by relevant employees and third parties (for example, banks), as well as electronic records stored on employees’ computers and company servers. During this process, personal data involving the relevant employees will be obtained and processed. It might also involve the handling of confidential information concerning third parties such as a company’s customers.

The protection of personal data in China has not, traditionally speaking, been particularly strong in practice. The prosecution of Peter Humphrey, a British national, and Yu Yingzeng, a US national, in August 2014 may indicate a shift in the mindset of the Chinese authorities. Humphrey and Yu, who ran a private investigation firm in China, were found guilty of obtaining and selling private records of Chinese citizens by illegal means and received prison terms of two-and-a-half and two years respectively. This high-profile prosecution appears to demonstrate greater scrutiny by the Chinese authorities over the handling of personal data and their preparedness to take enforcement measures against data privacy violations. The Ninth Amendment to the Criminal Law of the People’s Republic of China, which came into effect in November 2015, introduced penalties for the committing or facilitating of illegal sales or provisions of personal information.

There is presently no single law in China aimed exclusively at protecting personal data. Nevertheless, protection is provided through various laws, including, among others, the PRC Constitution, the General Principles of Civil Law, the Criminal Law and the Tort Liability Law. Of particular relevance is the Regulation on Employment Service and Employment Management, under which employers are required to keep confidential and prevent disclosure of employees’ personal data.

In recent years, a series of industry-specific regulations and guidelines have been promulgated to regulate the collection and use of personal information. These include the Decision of the Standing Committee of the National People’s Congress on Strengthening Protection of Internet Data (28 December 2012, the Internet Data Protection Decision), Provisions on Protecting the Personal Information of Telecommunications and Internet Users and Personal Data Protection Guidelines within Information Systems for Public and Commercial Services (1 February 2013, the Personal Data Protection Guidelines). From the perspective of ensuring that any corporate investigation does not infringe Chinese data protection laws, difficulties lie with the definitions of ‘personal data’ or ‘personal information’ as they leave too much room for interpretation. For example, the Personal Data Protection Guidelines specify sensitive personal data as ‘information, the disclosure or modification of which may have a negative effect on the data subject’, while the Internet Data Protection Decision defines electronic personal information as ‘information by which the individual identity of citizens can be distinguished’ and ‘involves a citizen’s privacy’. More recently, the State Administration for Industry and Commerce issued new Measures for Punishment against Infringements of Consumer Rights and Interests (the Measures), which came into effect on 15 March 2015. In particular, article 11 of the Measures defines consumer personal information as meaning ‘a consumer’s name, gender, occupation, date of birth, identification number, address, contact information, status of income and assets, health condition and consumption habits’.

In July 2016, the Standing Committee of the National People’s Congress published the second draft of a new Cyber Security Law. While still subject to further review and public consultation, the draft law contemplates a broad definition of personal information and enhanced restrictions on the use of such information.

Given these various regulations, it is important that employees’ consent should be proactively obtained before data is collected from their workplace and computers (including computers allocated to them by the company). Normally, the key to properly handling employees’ personal information and obtaining consent as early as possible is through proper drafting of employee contracts and staff handbooks, which should contain provisions regarding collection and use of employees’ information and limiting use of employers’ computers to work-related purposes only. One should, however, note that the validity of employees’ prior consent given in this manner is yet to be tested in China.

Further, it will also encourage the employees to cooperate with the internal investigation if all levels of company management, from senior management to the affected employees’ immediate supervisors, are seen to support the data collection process and be cooperative themselves. This may sometimes be difficult to achieve if the management itself is the target of investigation. Hence, an appropriate strategy should be considered in advance to cope with this issue.

When documents are collated, measures should also be taken to exclude personal information from the review unless express consent is given by the affected individual. In practice, such personal information may include identification numbers, bank information, mobile telephone numbers, racial or ethnic origin, political opinions, religious beliefs, personal photos, personal diaries, personal correspondence, genes, fingerprints, etc. Precautionary measures should also be taken to prevent the collated personal information from being disclosed to a third party without prior consent.

One aspect that is sometimes overlooked is the data that is stored on an individual’s portable devices such as smartphones and tablets. In China, conducting business through social media such as WeChat and WhatsApp is a common occurrence and where these portable devices are not supplied by the employer, consideration will need to be given as to how relevant data that is stored on such devices can be retrieved and accessed without infringing personal data laws.

State secrets

Cross-border investigations by multinational companies are often handled with the assistance of forensic accountants, lawyers and other experts who may not be based in China. Therefore, the collated data may need to be transferred out of China or reviewed offshore by remotely accessing an information platform established in China. This approach, however, may have significant legal consequences.

The Chinese government has consistently emphasised the importance of safeguarding information that constitutes a ‘state secret’. According to the revised Law of the People’s Republic of China on Guarding State Secrets (the State Secrets Law), which came into effect in October 2010, exporting electronic data that includes state secrets, whether by means of a computer, the internet or otherwise, constitutes a criminal offence. As such, before collated data is exported out of China, or overseas-based individuals are given access to the host platform to review the data, measures should be taken to ensure that such data does not contain any state secrets. Hong Kong and Macao are likely to be treated as foreign countries under the State Secrets Law.

From a compliance perspective, the State Secrets Law is opaque and expansive, as state secrets are ambiguously defined in article 2 as any ‘matters which have a vital bearing on state security and national interests and which are entrusted to a limited number of people for a given period of time’. Article 9 of the State Secrets Law sets out a broad list of what constitutes state secrets, including, without limitation, secrets relating to ‘national economic and social development’, ‘science and technology’ and ‘material decisions of national importance’. There is also a catch-all provision that includes ‘other matters that are classified as state secrets by the National State Secrets Bureau’. Further, in addition to data that belongs to state, provincial or local governments, the concept of state secret also captures data that belongs to state-owned enterprises.

As it is almost impossible to conduct business in China without any dealings with the government or state-owned enterprises, companies can never be sure that they have not obtained information that may be regarded as state secrets. To complicate matters, whether or not the information is marked ‘confidential’ is irrelevant to it being classified as a ‘state secret’. Thus, a safer approach to conducting any review of collected documents and data is to only store the data within China and to restrict access to locally based individuals. Furthermore, after concluding the review, the company should be careful not to move data outside China, but only to share a summary of the review with parties based overseas, unless clearance is given by the Chinese authorities.


An important consideration when conducting any internal investigation is the preservation of legal professional privilege over the investigative process and findings. In China, there is no concept of legal privilege, although there is a similar concept of confidentiality, under article 38 of the Amended Lawyer’s Law, which is designed to protect communications between a lawyer and his or her client, and lawyers are under an obligation to preserve their clients’ private information subject to certain exceptions. Under China’s Civil Procedure Law and Criminal Procedure Law, however, a lawyer may still be obliged to disclose clients’ private information by court order or upon request from a regulatory body or government official, and to testify in court about a client’s private information, with no claim to legal privilege.

This is different from the position in common law jurisdictions such as the UK and Hong Kong where legal professional privilege protects from disclosure confidential communications between a client and their lawyer that come into existence for the purpose of giving or receiving legal advice, as well as confidential communications and documents generated for the sole or dominant purpose of actual or contemplated litigation (including those generated by third parties such as witnesses and experts).

Preserving legal professional privilege is of critical importance in the context of an internal investigation as it safeguards the confidentiality of the process in which a company’s legal counsel, whether in-house or external, can fully assess the factual position, draw conclusions on whether any misconduct has occurred and make informed decisions on whether any reporting obligations arise from the facts that have been uncovered and if so, how these are to be managed.

For privilege to apply, confidentiality is an essential requirement. Companies should therefore aim to limit the dissemination of privileged material, which should only be circulated to the smallest group of individuals as necessary on a need-to-know basis, with the documents appropriately marked as ‘privileged and confidential’.

At the start of an investigation, an internal note should be sent to all staff who are involved reminding them not to create additional documents that comment on the matters under investigation. Additionally, when engaging external consultants for an internal investigation, consideration ought to be given to whether communications with such external consultants will be privileged, as communications between external consultants may not be protected by privilege. One common way around this is to ensure that any external consultant engaged is retained by the company’s lawyers under an engagement in writing that states that the consultant is working at the direction of the lawyer to provide their expertise to allow the lawyer to properly advise the company.

It is important to ensure the preservation of privilege, especially as privileged documents may be protected from disclosure if subsequent regulatory investigation or civil litigation arises. Care needs to be taken not to inadvertently waive privilege in certain materials by, for example, referring to them in a final investigation report, which may not be privileged. This would be a prudent approach to adopt notwithstanding the absence of a recognised concept of legal professional privilege under Chinese law, as the ability of a company to withhold the investigation findings on the grounds of legal professional privilege may still be relevant where the company may be exposed to regulatory and civil actions in other jurisdictions in respect of the conduct in question.


Another important consideration that often comes up in the context of internal investigations is whether any self-reporting obligation has been triggered and, even if no such obligation arises, whether it is in the interests of a company to report the investigation findings to the regulators, shareholders or other third parties.

In China, there is no statutory obligation for companies to self-report corruption or bribery offences to the Chinese authorities. Article 108 of the Criminal Procedure Law states that all entities and individuals are entitled and obliged to report any suspected criminal conduct to the public security, a people’s procuratorate or a people’s court in China. However, there are no penalties prescribed under the Criminal Procedure Law for violation of this provision. Nevertheless, considering the recent anti-corruption campaign in China, it would be best for a company to err on the side of caution and report suspected corrupt conduct of its employees to the relevant authorities. This is because the Chinese government retains a significant amount of discretion as to how to treat companies that may have been involved in suspected wrongdoing. Hence, companies should take note and act with caution. Moreover, certain legislation, such as the Law on Administrative Penalty, offers leniency to those who self-report corruption, provide useful evidence, and cooperate with investigations, in both administrative and criminal proceedings.

Notwithstanding the absence of an obligation to report criminal conduct under Chinese law, consideration should also be given to whether any self-reporting obligations arise in respect of the suspected misconduct under the laws of the parent company’s home jurisdiction if the internal investigation discloses evidence of criminal conduct at the Chinese subsidiaries. In particular, anti-money laundering laws and regulations applicable to the parent company may impose an obligation to notify the relevant authority of any property representing the proceeds of criminal conduct. In addition, where the internal investigation has been precipitated by a whistleblower report, consideration ought also to be given to whether, in the interest of mitigating the risk of regulatory action or the magnitude of any sanction against the company, it would be advisable to voluntarily notify the relevant authorities or regulators.

Relationship with local authorities

A further issue that companies should bear in mind when conducting an internal investigation is managing their relationship with the local authorities. They should be sensitive about the possible reactions from the local authorities and manage them appropriately. A dawn raid by the local authorities to seize all the original documents of the company is usually a stressful event and may impede the proper conduct of the internal investigation, especially if the company has not yet completed its internal investigation.

In China, various authorities have the power to conduct a dawn raid, including, in particular, the Ministry of Public Security or its local counterparts if there is a potential crime, the state or local administration of taxation if there is a delay in paying tax or other potential tax evasion, the Administration for Industry and Commerce, its local counterparts or other antitrust enforcement authorities if there is a potential breach of antitrust law, and the National Development and Reform Commission, or its local counterparts, for pricing-related or anti-monopoly investigations. Where the company is the subject of a dawn raid, the company should ensure that it cooperates with the authorities in the execution of their search and seizure of documents. This will go a long way towards giving the authorities the assurance that the company is being cooperative and transparent in its dealing with any request for documents or information and thereby minimising the likelihood of similar raids in the future. The company should also make a record of any documents or materials that are surrendered to the authorities in the process. It is notable that the Chinese authorities are entitled to seize any documents they believe are relevant to their ongoing investigations, including documents that may be privileged in common law jurisdictions.


Allegations of fraud or corruption in China require careful handling when responding to local and foreign regulatory inquiries as well as media scrutiny. Involving advisers with the necessary experience and market knowledge to assist in an internal investigation as early as possible is important in executing an effective internal investigation. Internal investigations involving China often give rise to complex issues in managing sensitive materials and self-reporting to local and foreign regulators. Having experienced advisers can assist in addressing these challenges at an early stage and maintaining relationships with regulators.
