China: handling internal investigations

With its vast economy and focus on expanding domestic consumption, China remains an attractive destination for foreign investment. However, like many emerging markets, corruption and fraud remain significant business risks. Conducting an internal investigation in China raises a number of unique challenges, particularly for multinational companies headquartered overseas that have obligations to report to senior management and applicable regulators in multiple jurisdictions.

This article addresses some of the key issues faced in conducting an internal investigation in China. As set out below, the retrieval and handling of information that may contain state secrets and personal or other sensitive data can give rise to considerable complexity. Consideration must be given to the flow of information within the investigation team in order to comply with Chinese law, maintain legal professional privilege to the extent possible, and ensure that the company's board and regulators are kept informed. As the investigation progresses, managing self-reporting and employment issues can also present significant challenges.

How internal investigations begin

The need to undertake an internal investigation can arise in a variety of scenarios. Improper conduct is often revealed through whistleblowing by a former or current employee. In recent years, the publication of reports by short sellers and third-party analysts have also prompted internal inquiries. Even in the absence of a regulatory inquiry, an internal investigation will often be necessary to identify and address potential wrongdoing and to protect the interests of the company and those of its shareholders.

At the outset, it is crucial that investigators have a well-prepared plan for conducting the internal investigation, handling and reviewing information gathered and internal and external communications. It will often be necessary to restrict the flow of information relating to the investigation in order to comply with PRC law and maintain legal professional privilege to the extent possible. However, the company's relationships with regulators around the globe and any self-reporting obligations will also need to be considered. We address these issues in further detail below.

Whistleblowing

In recent years, corporate misconduct has been frequently exposed by whistleblowers. In China, the Constitution protects the right of an individual to report illegal conduct and there are other laws (including without limitation the Criminal Law, the Criminal Procedure Law and other regulations issued by the Supreme People's Procuratorate) that provide limited protection to individuals who report criminal activities and cooperate with the police.

The Supreme People's Procuratorate's Rules for Dealing with Whistleblowing specifies the rights of and protections afforded to whistleblowers who file complaints through official channels. Article 8 provides for a whistleblower's right to enquire into the status of the investigation after reporting the alleged wrongdoing, to appeal any refusal to investigate by the local procuratorate, and to request protection orders against personal harm or damage to property. In certain situations, a whistleblower may also receive a reward out of the sum recovered by the people's procuratorates.

In March 2016, the Supreme People's Procuratorate released Several Provisions on Protecting and Rewarding Whistleblowers of Occupational Crimes, which provides for greater confidentiality, safety and protection of assets for whistleblowers and their close relatives. The provisions also extend the definition of retaliation to include measures such as terminating employment or demotion.

These regulations highlight the need for multinational corporations operating in China to ensure the availability of an internal reporting system whereby complaints of any suspected wrongdoing or misconduct are heard, effectively investigated and addressed.

Data protection

In most cases, a key task in an internal investigation is the collection and review of hard-copy documents kept by relevant employees and third parties (for example, banks), as well as electronic records stored on employees' devices and company servers. During this process, personal data involving the relevant employees will be obtained and processed. It might also involve the handling of confidential information concerning third parties, such as a company's customers.

A substantial rise in criminal prosecutions relating to violations of personal data laws in recent years indicates the Chinese authorities' increasing preparedness to enforce measures against data privacy violations. Foreign and Chinese technology companies have been involved in a number of high-profile data breaches. In a recent high-profile case, 22 people involved in an underground operation relating to the sale of Apple users' personal data were arrested on suspicion of obtaining personal information by illegal means.

There is presently no single law in China aimed exclusively at protecting personal data. Nevertheless, protection is provided through various laws, including, among others, the PRC Constitution, the General Principles of Civil Law, the Criminal Law, the Tort Liability Law and the new Cybersecurity Law. There are also a number of industry-specific regulations and guidelines relating to the collection and use of personal information. Of particular relevance is the Regulation on Employment Service and Employment Management, under which employers are required to keep confidential and prevent disclosure of employees' personal data.

China's new Cybersecurity Law took effect on 1 June 2017. The law governs the construction, operation, maintenance and use of computer networks and the supervision and administration of cybersecurity in the PRC. It includes measures that require the storage of personal information and other important data in mainland China. Similar to the other relevant regulations and guidelines, ‘personal information' is defined broadly, as ‘various information which is recorded in electronic or any other form and used alone or in combination with other information to recognise the identity of a natural person, including but not limited to name, date of birth, ID number, personal biometric information, address and telephone number of the natural person.'

Given these various regulations, it is important that employees' consent should be proactively obtained before data is collected from their workplace and devices (including devices allocated to them by the company). Normally, the key to properly handling employees' personal information and obtaining consent as early as possible is through proper drafting of employee contracts and staff handbooks, which should contain provisions regarding collection and use of employees' information and limiting use of employers' devices for work-related purposes only. One should, however, note that the validity of employees' prior consent given in this manner is yet to be tested in China.

When documents are collated, measures should also be taken to exclude personal information from the review unless express consent is given by the affected individual. In practice, such personal information may include identification numbers, bank information, mobile telephone numbers, racial or ethnic origin, political opinions, religious beliefs, personal photos, personal diaries, personal correspondence, genes, fingerprints, etc. Precautionary measures should also be taken to prevent the collated personal information from being disclosed to a third party without prior consent.

One aspect that is sometimes overlooked is the data that is stored on an individual's portable devices such as smartphones and tablets. In China, conducting business through social media such as WeChat and WhatsApp is a common occurrence and where these portable devices are not supplied by the employer, consideration will need to be given as to how relevant data that is stored on such devices can be retrieved and accessed without infringing personal data laws.

As further discussed below in the context of state secrets, personal information and other data obtained during an internal investigation generally should not be transferred outside of mainland China. The Measures on the Security Assessment of Cross-border Transfer of Personal Information and Important Data issued by the Cyberspace Administration of China, which are being implemented from 1 June 2017, require that network operators obtain a subject's consent before electronically transferring personal information (which includes employee information, customer information, and information relating to both PRC nationals and foreign nationals) outside of China. In many cases, however, the transfer of personal information or other important data may be prohibited entirely. For these purposes, ‘network operator' is broadly defined and, in effect, may extend to any company. The term ‘important data' is also defined only in broad terms as referring to data that is closely related to national security, economic development and societal and public interests. These rules apply regardless of whether the information and data is transferred from a server in the PRC to a location outside the PRC, or is accessible to a remote operator located outside the PRC.

State secrets

Cross-border investigations by multinational companies are often handled with the assistance of forensic accountants, lawyers and other experts who may not be based in China. However, transferring data outside of China or enabling remote review from an information platform established in China can have significant legal consequences.

The Chinese government has consistently emphasised the importance of safeguarding information that constitutes a ‘state secret'. According to the revised Law of the People's Republic of China on Guarding State Secrets (the State Secrets Law), exporting electronic data that includes state secrets, whether by means of a computer, the internet or otherwise, constitutes a criminal offence. As such, before exporting data out of China, or giving overseas-based individuals access to a host platform to review data, measures must be taken to ensure that such data does not contain any state secrets. Hong Kong and Macao are likely to be treated as foreign countries under the State Secrets Law.

From a compliance perspective, the State Secrets Law is opaque and expansive, as state secrets are ambiguously defined in article 2 as any ‘matters which have a vital bearing on state security and national interests and which are entrusted to a limited number of people for a given period of time'. Article 9 of the State Secrets Law sets out a broad list of what constitute state secrets, including, without limitation, secrets relating to ‘national economic and social development', ‘science and technology' and ‘material decisions of national importance'. There is also a catch-all provision that includes ‘other matters that are classified as state secrets by the National State Secrets Bureau'. Further, in addition to data that belongs to state, provincial or local governments, the concept of state secret also captures data that belongs to state-owned enterprises.

As it is almost impossible to conduct business in China without any dealings with the government or state-owned enterprises, companies can never be sure that they have not obtained information that may be regarded as state secrets. To complicate matters, whether or not the information is marked ‘confidential' is irrelevant to it being classified as a ‘state secret'. Thus, a safer approach to conducting any review of collected documents and data is to only store the data within China and to restrict access to locally based individuals. Furthermore, after concluding the review, the company should be careful not to move data outside China, but only to share a summary of the review with parties based overseas, unless clearance is given by the Chinese authorities.

Private investigators

The use of private investigators to aid an internal investigation in China or overseas can be problematic. Where private investigators are used, they should always have clear terms of reference and steps should be taken to ensure that they comply with all applicable laws. However, in practice, the capacity of private investigators to effectively assist an internal investigation in mainland China by obtaining personal or corporate information is severely restricted.

Article 253(A) of China's Criminal Law makes it an offence to sell or illegally provide to others personal information on Chinese citizens. On 9 May 2017, the Supreme People's Court and the Supreme People's Procuratorate of China issued an Interpretation of Several Issues regarding the Application of Law to Criminal Cases of Infringement of Citizen's Personal Information. These rules interpret article 253(A). They include an extended definition of personal information and clarify that the offence of selling or illegally providing personal information will apply regardless of whether the data was obtained through legitimate or illegitimate means (ie, in the process of performing one's duties or otherwise).

In 2014, a British national, Peter Humphrey and his wife (a US citizen) were convicted under article 253(A) in connection with the alleged purchase of private information of Chinese citizens. Mr Humphrey and his wife operated a risk advisory firm that offered investigation services to multinationals and professional services firms doing business in mainland China. Prior to his arrest, Mr Humphrey's firm had been assisting a foreign multinational in connection with an investigation of allegations of bribery and corruption involving its mainland business.

The Humphrey case highlights the substantial risks and limitations of using private investigators in mainland China. It should also be noted that Chinese authorities have restricted third-party access to corporate records from the Administration of Industry and Commerce in recent years further limiting the usefulness of private investigators.

Privilege

An important consideration when conducting any internal investigation is the preservation of legal professional privilege over the investigative process and findings. In China, there is no concept of legal privilege, although there is a similar concept of confidentiality, under article 38 of the Lawyer's Law, which is designed to protect communications between a lawyer and his or her client, and lawyers are under an obligation to preserve their clients' private information subject to certain exceptions. Under China's Civil Procedure Law and Criminal Procedure Law, however, a lawyer may still be obliged to disclose clients' private information by court order or upon request from a regulatory body or government official, and to testify in court about a clients' private information, with no claim to legal privilege.

This is different from the position in common law jurisdictions such as the UK and Hong Kong where legal professional privilege protects from disclosure confidential communications between a client and their lawyer that come into existence for the purpose of giving or receiving legal advice, as well as confidential communications and documents generated for the sole or dominant purpose of actual or contemplated litigation (including those generated by third parties such as witnesses and experts).

Preserving legal professional privilege is of critical importance in the context of an internal investigation as it safeguards the confidentiality of the process so that a company's legal counsel, whether in-house or external, can fully assess the factual position, draw conclusions on whether any misconduct has occurred and make informed decisions on whether any reporting obligations arise from the facts that have been uncovered and if so, how these are to be managed.

For privilege to apply, confidentiality is an essential requirement. Companies should therefore aim to limit the dissemination of privileged material, which should only be circulated to the smallest group of individuals as necessary on a need-to-know basis, with the documents appropriately marked as ‘privileged and confidential'. This is particularly important in light of recent English court decisions that have adopted a stricter approach in defining who the client is for the purposes of establishing legal advice privilege.

At the start of an investigation, an internal note should be sent to all staff who are involved, reminding them not to create additional documents that comment on the matters under investigation. In addition, the investigation team itself should exercise care in the production of documents relating to the investigation. In certain circumstances, interview notes, for example, may not be covered by legal professional privilege. Further, any external consultants should be engaged by the company's lawyers under an engagement in writing that states that the consultant is working at the direction of the lawyer to provide their expertise to allow the lawyer to properly advise the company.

It is important to ensure the preservation of privilege, especially as privileged documents may be protected from disclosure if a regulatory investigation or civil litigation occurs. Care needs to be taken not to inadvertently waive privilege in certain materials by, for example, referring to it in a final investigation report, which may not be privileged. This would be a prudent approach to adopt notwithstanding the absence of a recognised concept of legal professional privilege under Chinese law as the ability for a company to withhold the investigation findings on the grounds of legal professional privilege may still be relevant where the company may be exposed to regulatory and civil actions in other jurisdictions in respect of the conduct in question.

Self-reporting

Another important consideration that often comes up in the context of internal investigations is whether any self-reporting obligation has been triggered and, even if no such obligation arises, whether it is in the interests of a company to report the investigation findings to the regulators, shareholders or other third parties.

In China, article 108 of the Criminal Procedural Law states that all entities and individuals are entitled and obliged to report any suspected criminal conduct to the public security, a people's procuratorate or a people's court in China. However, there are no penalties prescribed under the Criminal Procedural Law for violation of this provision. Nevertheless, it is best to err on the side of caution to report suspected criminal conduct of employees to the relevant authorities. This is because the Chinese government retains a significant amount of discretion as to how to treat companies that may have been involved in suspected wrongdoing. Moreover, certain legislation, such as the Law on Administrative Penalty, offer leniency to those who self-report wrongdoing and cooperate with investigations, for both administrative or criminal proceedings.

Notwithstanding the absence of an obligation to report criminal conduct under Chinese law, consideration should be given to whether self-reporting is required under the laws of the parent company's home jurisdiction or would be prudent in any event. In particular, anti-money laundering laws and regulations applicable to the parent company may impose an obligation to notify the relevant authority of any property it has received representing the proceeds of criminal conduct. The books and records of the company may also be affected, resulting in the need to restate past accounts and/or in potential liability under the US Foreign Corrupt Practices Act.

Employment issues

The internal investigation may reveal individual employees involved in wrongdoing. As part of the investigation, the company will need to decide how to deal with them. Such measures may include termination, suspension or other disciplinary action.

In China, any early termination of an employment contract must be based on a statutory ground provided for at law. However, the applicable union must also be consulted for any unilateral termination of employment by the employer even if it is based on a statutory ground. The statutory grounds include, among others, material breach of the rules and regulations of the employer, serious dereliction of duty or deception for personal gain and causing serious loss to the employer, or that the employee has been found guilty of a criminal offence. In that context, it is important that relevant contractual terms in the employment contract or company policies contain provisions dealing with disciplinary action against employees.

It may also be appropriate to consider suspending an employee while an investigation is ongoing. The reasons for suspension and the risks connected with the decision to suspend must be considered carefully. Suspension may be appropriate where the allegations against the employee are serious and there is a risk of ongoing negative impact on the company's operations. Any risk that the employee may attempt to destroy or conceal relevant documentation should also be considered. On the other hand, suspension may not be appropriate where it could affect the employee's cooperation with the investigation or unsettle other employees and make it more difficult to secure their cooperation.

Conclusion

Allegations of fraud or corruption in China require careful handling when responding to local and foreign regulatory inquiries as well as media scrutiny. Involving advisers with the necessary experience and market knowledge to assist in an internal investigation as early as possible is important to execute an effective internal investigation. Internal investigations involving China often give rise to complex issues in managing information and self-reporting to local and foreign regulators. Having experienced advisers is important to address these challenges and maintain the confidence of regulators in China and overseas.