China-related Cross-border Government Investigation after the Covid-19 Pandemic
This article explains in detail the updates and developments in cross-border investigation-related legislation and enforcement; analyses the recent status of China-related cross-border government investigation; and provides suggestions to companies for active and effective responses during such investigation.
- Recent status of china-related cross-border government investigation
- Current trends and developments in China,1 and enforcement and legislation
- Suggestions for companies that encounter cross-border government investigation
Referenced in this article
- China’s Industry Standards on Pharmaceutical Industry Compliance Management Practice
- China’s Export Control Law
- China’s Guidelines on Establishing Third-Party Supervision and Evaluation on Compliance System of the Companies Involved in Criminal Cases
- China’s Data Security Law
With the constant expansion of China’s ‘Belt and Road Initiative’, first proposed in September 2013, according to the statistics, China’s trade in goods with partner countries surpassed US$7.8 trillion, and direct investment in those countries topped US$110 billion.2 An increasing number of local Chinese companies have implemented and promoted their worldwide cooperation in business through the ‘going abroad’ method to achieve mutual benefits. Along with the increasing opportunities, the various challenges are also increasing. Under pressure from investigations launched by different government agencies and authorities, or by international organisations3 such as the World Bank Group, a growing number of companies in China are encountering challenges in different jurisdictions.
In the meantime, against the background of comprehensive establishment of an internal compliance management system, as requested by the state-owned Assets Supervision and Administration Commission (SASAC), and guided by certain effective laws and regulations related to compliance management in recent years, more companies have been putting emphasis on compliance risks (including how to implement the compliance and deal with cross-border government investigation efficiently) as well as treating compliance control as a prerequisite and an important guarantee.
Therefore, this article will explain and elaborate on three aspects, to preliminarily brief and analyse updates in China-related cross-border government investigation. The three aspects are:
- the current status of China-related cross-border government investigation;
- current trends and developments in Chinese legislation; and
- restrictions and suggestions for companies that encounter cross-border government investigation.
Recent status of China-related cross-border government investigation
Like other developing countries, China has been one of the key law enforcement regions with regard to global cross-border anti-corruption and integrity investigations for a decade. Companies subject to the supervision of foreign governments or international organisations have encountered more frequent and intense cross-border and even multinational law enforcement. However, with the enhancement of China’s compliance-related legislation and the strengthening of compliance-related enforcement domestically, China is continuously improving its domestic and international rankings of integrity condition. Since 1995, Transparency International (TI), a famous global anti-corruption non-governmental and non-profit organisation, has been releasing and offering yearly snapshots of the relative degree of corruption by ranking countries from all over the globe, known as the Corruption Perceptions Index (CPI). On 28 January 2021, TI Secretariat in Berlin, Germany, released the results of the 2020 CPI, ranking 180 countries and territories by their perceived levels of public-sector corruption according to experts and private sector professionals, using a scale between zero and 100, where zero is highly corrupt and 100 is very clean.4 According to this year’s list, China scores at 42 and ranks 78th among 180 countries, compared with its ranking of 80th in 2019 and its ranking of 87th in 2018. Due to the steady improvement in China, global cross-border anti-corruption and integrity enforcement against companies in China has been slowed down to some extent. In the meantime, administrators of the US Foreign Corrupt Practices Act (FCPA) – the US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) – have reduced the intensity of investigations into such companies in the past two years. As for the statistics by the end of 2020 of DOJ5 and SEC,6 the number of law enforcement cases involving China in 2020 was four among the 43 cases.7,8 By contrast, in 2019, the contribution of the DOJ and SEC enforcement cases involving China was nine among the 82 cases, which was a relatively higher number.9
Nevertheless, cross-border investigations and actions against companies and individuals in China in relation to other critical compliance areas, such as trade secret, export control, data security, foreign investment and employment, have been enhanced by the US DOJ since the launching of the ‘China Initiative’10 at the end of 2018. These focuses are particularly important considering the economic impact of covid-19.11 Other countries, such as those in the EU and the UK, released and enacted various acts in relation to the above-mentioned areas after the outbreak of covid-19. For example, based on the General Data Protection Regulation, the European Commission (EC) issued a draft Implementing Decision on the Standard Contractual Clauses for Transferring Personal Data to Non-EU Countries in mid-November 2020,12 to ensure the appropriate data protection safeguards for international data transfers. The EC proposed a new Regulation to Address Distortions Caused by Foreign Subsidies in the Single Market on 5 May 2021,13 to ensure fair conditions for companies in the Single Market and address the regulatory gap for the foreign subsidies.
On account of the impact of globalisation, it has become a trend for China-located companies and employees to directly confront foreign enforcement agencies and be subject to frequent cross-border investigations. This trend has strengthened compliance and risk control awareness for companies in China who are ‘going abroad’. How the companies respond to the crisis, carry out emergency actions, prevent and control legal risks, and draw up short-, medium- and long-term strategies will become a necessary topic concerning the development of the company and the safety of employees.
Current trends and developments in China’s enforcement and legislation
Since the covid-19 outbreak, different jurisdictions have constructively enacted and promulgated laws, regulations, acts and orders to ensure that they are sufficient to strengthen supervision over the implementation of compliance on enterprises and individuals within each jurisdiction. On the one hand, such new legislative processes aim to promote the effective implementation of compliance management by the companies, reducing potential legal and compliance risks as well as reducing the loss of economic interests due to violations by the companies. On the other hand, the promulgation of these laws and regulations also provides guidance to companies while encountering cross-border investigations and responding to the law enforcement movement from other jurisdictions from different perspectives. The section below elaborates on certain major changes in the recent development of China’s legislation.
Compliance regarding anti-bribery and integrity management
Since the Biden Administration took office, the enforcement trend of the FCPA investigations is still unclear, but it is expected by some analysts that the Biden Administration will continue the trend of increasing FCPA enforcement settlement values, while also increasing the pace of initiating new FCPA investigations.14 In July 2020, the US DOJ and SEC released ‘A Resource Guide to the US Foreign Corrupt Practices Act, Second Edition’, which addresses and provides detailed updates regarding statutory requirements, as well as insights into DOJ and SEC enforcement policies and practices through hypotheticals, examples of enforcement actions and inclinations, and summaries of applicable case law.15
For a long time, the pharmaceutical industry has been a significant focus of law enforcement in relation to commercial bribery in various jurisdictions. The notorious GlaxoSmithKline bribery case, which was revealed in July 2013, raised more red flags for the companies in the pharmaceutical industry. According to FCPA enforcement statistics, there are currently four cases involving the pharmaceutical industry. In China, according to public information and legal database retrieval through the Shanghai Municipal Market Supervision Administration regarding anti-bribery punishment,16 cases of commercial bribery, administrative enforcement and punishment in the pharmaceutical industry did not increase significantly after a new version of the PRC Anti-Unfair Competition Law was released on 1 January 2018. In 2020, the largest number of administrative enforcement cases against commercial bribery in Shanghai are still in the healthcare and pharmaceutical industry, with a total of 23 cases, accounting for nearly half of the number of law enforcement cases. To further standardise the internal compliance management of pharmaceutical enterprises, and to further control or reduce the potential risks existing in daily operations, the China Pharmaceutical Industry Association issued the ‘Industry Standards on Pharmaceutical Industry Compliance Management Practice’17 on the last calendar day of 2020. Such standards stipulate a comprehensive specification and more stringent requirements for pharmaceutical enterprises from various aspects such as anti-commercial bribery; antitrust; finance and taxation; product promotion; centralised procurement; environment; health and safety; adverse reaction reports; data compliance; and network security. Among the standards, the anti-bribery section illustrates detailed compliance requirements18 in relation to product sales and distribution; acceptance and verification of invoices; personnel recruitment; interactions with government officials and healthcare professionals/organisations; donation and sponsorship; hospitality and gift-giving; expense reimbursement; and third-party management. Additionally, the standards specify the requirements on compliance risk evaluation procedures, whistle-blowing, and internal investigation, as well as internal compliance training.
Compliance re export control and trade
On 27 April 2020, the US Department of Commerce announced on its website that it would tighten restrictions on technology exports to prevent US companies from exporting overseas products that could strengthen China’s military power. The new rule expands the list of products and technology made in the United States that are subject to review by national security experts before being shipped overseas.19 With the constantly expanding sanctions and restrictions in relation to export control from different jurisdictions, especially from the US and EU, the number of Chinese companies listed on the Entity List20 is increasing. On that account, quite a few companies are now aware of establishing or starting to establish the internal export control regime.
As the international trade competition is increasingly fierce, and in response to the new situation for export control risks and challenges under different jurisdictions, the PRC Standing Committee of National People’s Congress promulgated the PRC Export Control Law on 17 October 2020. Generally, companies in China have responded passively to cross-border government investigations; however, in recent years, in the process of building and improving the active defence, such companies have also developed their own systems more efficiently. Considering experiences of international practices, the PRC Export Control Law sets up the licensing list, convenience measures and control system, etc, to expand the scope of export control. Promulgation and implementation of the PRC Export Control Law have effectively made up for the deficiencies of China’s previous legal system regarding export control, comprehensively promoted export control at the legislative level and set the tone for further improvement of China’s legal system regarding export control and the precise enforcement of law in the future.
Similar to the Commerce Control List (CCL), Commerce Country Chart (CCC) and the Entity List under the US Export Administration Regulations (EAR), the PRC Export Control Law authorises relevant government authorities to formulate and adjust the list of items subject to export control,21 to prohibit the export of relevant controlled items or to prohibit the export of relevant controlled items to specific countries and regions of destination or specific organisations and individuals.22
Moreover, the transfer of controlled items by Chinese citizens, legal persons and other non-incorporated organisations to foreign organisations and individuals is prohibited and restricted under PRC Export Control Law,23 which is similar to the definition of ‘deemed export’ under EAR. Similar to ‘re-exporting’ under EAR, the following are subject to the relevant provisions under the law:
- transit, transhipment through transport or re-export of controlled items;
- export of controlled items from areas under special supervision of customs, such as bonded zones and export processing zones; and
- export supervision warehouses and bonded logistics centres.24
However, at the time of writing, the details above have not been issued with the PRC Export Control Law. The authors suggest that export enterprises pay attention to the relevant control lists and updates in the implementation of the rules, to ensure timely examinations and confirmation on whether items are covered under the Export Control Law and fully compliant with the statutory requirements.
Review and evaluation of compliance systems
After the covid-19 outbreak, jurisdictions such as the US and China authorised a new milestone function for government criminal enforcement authorities – discretion regarding the supervision and evaluation of compliance systems or programmes of companies involved in criminal cases, to determine what kind of punishment to impose, whether to bring criminal charges, when to launch the criminal investigation and whether to prosecute or accuse. The US DOJ Criminal Division issued updated guidance for ‘Evaluation of Corporate Compliance Programs’ in April 2020.25 On 3 June 2021, the PRC Supreme People’s Procuratorate and another eight national departments issued the ‘Guideline on Establishing Third-Party Supervision and Evaluation on Compliance System of the Companies Involved in Criminal Cases’.
As the US DOJ Assistant Attorney General Brian A Benczkowski said, ‘effective compliance programmes play a critical role in preventing misconduct, facilitating investigations, and informing fair resolutions.’26 The new era of criminal enforcement gives companies involved in criminal cases an incentive to seek remedial efforts, but how a company accurately designs or improves its internal compliance; how to effectively operate the system; and whether and to what extent the compliance mechanism would be recognised by government authorities are all challenging subjects.
Compliance regarding data transfer and security
In the era of digital economy, data security has become the most urgent and fundamental security issue. Many governments in the world have gradually realised that data has become a major factor that is closely related to national security and international competitiveness. Meanwhile, data security protection and governance have expanded from the level of traditional protection of personal privacy to that of national security and national competitiveness.
When a company is encountering a cross-border government investigation from another jurisdiction, it should cooperate with the investigation authority in providing the requested materials, information, documentation, data, etc, in various formats. Nevertheless, critical issues regarding important or sensitive data to be transferred arise at the same time. US President Biden issued an ‘Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries’27 on 9 June 2021, to address the national emergency with regard to information and communications technology and service supply chains owned or controlled by foreign adversaries, including China.
After the PRC Cybersecurity Law came into effect on 1 June 2017, the PRC Standing Committee of National People’s Congress promulgated the PRC Data Security Law on the day after Biden issued the aforementioned Executive Order. Together with the PRC Cybersecurity Law and the PRC Personal Information Protection Law, which is still undergoing the legislative process, the PRC Data Security Law establishes a comprehensive legal framework for data protection and security in China. From a personal point of view, the PRC Data Security Law poses more strict statutory requirements when a company is under investigation by foreign government authorities or international organisations. First, without the prior approval of the competent PRC government authorities, all the companies or individuals within the territory of China are forbidden to provide the data stored domestically to foreign judicial or law enforcement authorities.28 This is one of the most important principles for data processing during cross-border government investigations. Second, establishing a data classification and hierarchical protection system will strengthen the special protection of important data listed in catalogues, especially core data concerning national security, lifelines of the national economy, important people’s livelihood, major public interests, etc.29 In addition, data for controlled items that relate to exercising national security and fulfilment of international obligations is under the export control as well.30 Third, data security risk assessment is a centralised, unified, efficient and authoritative mechanism.31 In other words, private entities or individuals will not be qualified for important or core data classification and risk assessment without government authorisation. Moreover, the law stipulates a national security data review system in relation to data processing activities.32 Under the law, data processing activities involve the full life cycle of data, such as collection, storage, use, processing, transmission, availability and disclosure.
Restrictions and suggestions for companies that encounter cross-border government investigation
In accordance with the above, how companies in China proactively defend and respond to cross-border government investigation is becoming a real challenge under the rapidly changing situation all around the world. From years of practical work experience and the preliminary analysis above, the authors would propose the following suggestions for companies.
The companies should first re-examine internal compliance policies, risk control systems, standard of procedures, compliance management organisation and execution teams, as well as re-identify the up-to-date compliance risks due to the recent updates of legislation in different jurisdictions. Despite the pre-existing written documentation, it is worth mentioning that companies should also make efforts to improve internal compliance supervision mechanisms. Companies should establish a practical internal investigation system to sort out the facts and to identify the positive evidence when encountering cross-border government investigation. On the other hand, an efficient and effective compliance framework might be an advantageous defence to some extent.
Secondly, paying more attention to prohibitions and restrictions during a cross-border government investigation is still of great importance. Since covid-19, recent Chinese legislation has raised critical challenges for companies that are requested to cooperate with foreign government authorities during cross-border investigations. As mentioned above, companies are not allowed to provide any data to another jurisdiction without the consent of and risk assessment by Chinese government authorities, which poses a dilemma for companies (including MNCs) when cooperating with investigations by other jurisdictions and fully complying with local laws. Several other PRC laws and regulations regarding national security, state secrets and international criminal judicial assistance share similar principles. For this reason, the authors would suggest conducting pre-review on the data internally, carefully filtering apparent state secrets and political sensitive data before the assessment by the Chinese government authorities and transferring the data abroad.
Last but not least, companies would be wise to closely communicate with internal or external compliance and investigation professionals (even advisers in other jurisdictions) to design a feasible plan to respond to the investigation. It is more appropriate for companies to discuss and consult with professionals associated with the investigated issue, to figure out more details regarding the investigation, such as the process and focuses of the foreign enforcement authorities, tactics during the investigation interviews and inquiries, as well as the possibly upcoming negotiation, settlement or potential dispute resolution afterwards. In addition, the new PRC Anti-foreign Sanctions Law33 and PRC Measures for Blocking Improper Extraterritorial Application of Foreign Laws and Measures34 allow companies certain lawful countermeasures against foreign laws and enforcement, such as filing a lawsuit of infringement. Therefore, to be prudent, the internal legal and compliance team should be equipped with external professionals who not only deeply understand Chinese laws and regulations, but have comprehensive knowledge of multi-jurisdiction law, as well as insights into political factors. The team would be suggested to closely communicate with such professionals on how to protect themselves to the maximum extent by exercising such legitimate rights.
Companies who are engaging in a global business operation should abide by the laws of the countries involved, respect different legal cultures and actively adapt to the legal requirements under new environments. This puts a higher burden on legal and compliance business operations. However, by having a mindset that sticks with the times, a company should improve its own compliance mechanisms, avoid risks, protect interests and resolve disputes overseas in a more efficient way.
 For the purpose of this article, ‘China’ refers to the territory of Chinese Mainland, not including Hong Kong SAR, Macau SAR, and Taiwan, due to different legislation jurisdiction.
 Speech by State Councillor Wang Yi, ‘At the Opening of Lanting Forum on Promoting Dialogue and Cooperation and Managing Differences: Bringing China-US Relations Back to the Right Track,’ Beijing, 22 February 2021. Visit China Daily Official Website: http://www.chinadaily.com.cn/a/202102/23/WS60344244a31024ad0baaa498.html.
 A number of cross-border investigations were launched by international organisations such as the World Bank Group, Asian Development Bank and African Development Bank Group against China-located companies or individuals, who were involved in the programmes sponsored by these international organisations.
 For a full list, visit http://www.justice.gov/criminal-fraud/case/related-enforcement-actions/2020.
 For a full list, visit https://www.sec.gov/spotlight/fcpa/fcpa-cases.shtml.
 DOJ cases refer to United States v Airbus SE; United States v Herbalife Nutrition Ltd; United States v Novartis Hellas SACI. SEC cases refer to Herbalife Nutrition Ltd, Novartis AG, and Cardinal Health.
 Certain cases in DOJ and SEC joint enforcement actions were related to the same violations and entities.
 DOJ and DOJ cases refer to Yanliang Li (Jerry Li), Hongwei Yang (Mary Yang), Ericsson, Westport and Nancy Gougarty, Barclays, Quad/Graphics Inc., Juniper Networks, Deutsche Bank AG, Walmart Inc., and Fresenius Medical Care.
 See reference in Year Review of China Initiative. Visit http://www.justice.gov/opa/pr/china-initiative-year-review-2019-20.
 Reid Whitten, Scott Roybal & J Scott Maberry, 'The Next Four Years of FCPA Enforcement: What to Expect from the Biden Administration', posted on Global Trade Law Blog, 19 November 2020. Visit http://www.globaltradelawblog.com/2020/11/19/fcpa-enforcement-biden-administration/#more-3054.
 PIAC/T 00001-2020. Promulgated on 31 December 2021, and effective on 26 February 2021.
 For more details, see ‘Annex A – Anti-Commercial Bribery’.
 For the full list, see ‘Supplement No. 4 to Part 744—Entity List’, visit http://www.ecfr.gov/cgi-bin/retrieveECFR?gp=1&SID=9ae4a21068f2bd41d4a5aee843b63ef1&ty=HTML&h=L&n=15y220.127.116.11.28&r=PART#ap15.2.744_122.4.
 Article 9, PRC Export Control Law.
 Article 10, PRC Export Control Law.
 Article 2, PRC Export Control Law.
 Article 45, PRC Export Control Law.
 The White House Briefing Room. Visit http://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/09/executive-order-on-protecting-americans-sensitive-data-from-foreign-adversaries/.
 Article 36, PRC Data Security Law.
 Article 21, PRC Data Security Law.
 Article 25, PRC Data Security Law.
 Article 22, PRC Data Security Law.
 Article 24, PRC Data Security Law.
 Promulgated and effective on 10 June 2021.
 Promulgated and effective on 9 January 2021.