United States and China at a Crossroads: Global Trade Tensionsand Developments in Cross-Border Investigations

In summary

Trade tensions between the United States and China currently frame the legal environment of cross-border investigations. These tensions between the global superpowers have fuelled sharp increases in extraterritorial enforcement activity. The result is that companies find themselves struggling to balance the growing demands of regulators and investigators in multiple jurisdictions. This article analyses recent developments in the US and China in relation to export control regulations and anti-corruption measures and the corresponding compliance challenges facing companies and their boards.

Discussion points

• Ongoing US–China trade tensions fuelling increased cross-border investigations
• New US export controls and sanctions and China’s countermeasures
• Navigating conflicts of law in increasingly complex legal environments in the US and China
• Impact of data protection and privacy laws on cross-border investigations

Referenced in this article

• China Cyber Security Law of 2017
• China’s Data Security Guidelines 2019
• Personal Information Protection Law April 2021
• International Criminal Justice Assistance Law October 2018
• Chinese State Secrets Law

Introduction

It is no secret that the legal landscape of extraterritorial investigations continues to evolve. While the covid-19 pandemic may have temporarily slowed investigations, the current uptick in cross-border investigations involving China is undeniable. This upward trend is the result of a ‘perfect storm.’ Over the past year, trade tensions between the United States and China have exponentially risen, resulting in increased enforcement action and cross-border investigations as well as the imposition of sanctions and export restrictions on major Chinese companies. China has countered these export restrictions and sanctions by enacting measures of its own, including data protection and data localisation laws to effectively stop Chinese companies from providing information to, or cooperating with, investigators, under the threat of strict penalties. Companies large and small find themselves in the middle of the resulting trade tensions between countries. These companies are doing their best to stay off the investigatory radar of their own government, as well as those of other governments. In some, there has been a significant rise in internal investigations and a deepening and broadening of internal compliance programmes to manage risks. This article addresses each layer of the proverbial ‘perfect storm’.

Trade tensions continue to rise with potential retaliatory measures

In the past year, trade tensions between China and the United States have continued to escalate to new heights. China has aggressively responded to US extraterritorial sanctions and long-arm statutes by implementing its own export control regime and a new legal regime under its recently enacted Anti-Foreign Sanctions Law, both of which authorise retaliatory action against foreign governments. As China’s export control and sanctions regimes have been strengthened, and US export restrictions against prominent Chinese companies like Huawei continue, multinational corporations (MNCs) will need to carefully consider how to mitigate risk under both legal regimes and enhance their compliance efforts. Because of the greater enforcement risk under the ever-changing US and China trade laws, MNCs should stay updated on regulatory changes and undertake regular risk assessments to uncover non-compliance, remediate weaknesses in compliance controls, address potential violations and mitigate possible penalties.

Developments in US export controls and sanctions laws

The US Department of Commerce, Bureau of Industry and Security (BIS) continues to increase export restrictions against China and Chinese entities and has shown no signs of easing such restrictions. For example, Huawei remains designated on the Entity List and BIS has continued to add a number of Huawei’s non-US affiliates to the Entity List, while removing the former temporary general licence and expanding export restrictions on foreign-made items produced by Huawei.¹ BIS continues to require a licence for exports of Export Administration Regulation (EAR)-controlled items to Huawei, subject to a presumption of denial, and only in rare cases has provided approvals to US companies where there is no risk to US national security.$!

In addition to Huawei, BIS designated a series of other Chinese companies on the Entity List and Unverified List. These designations have targeted Chinese supercomputer companies and entities in the semiconductor, energy and unmanned aerial vehicle manufacturing industries, as well as educational and research institutions.³ On 28 April 2020, BIS expanded the Military End Use/End User (MEU) rule to capture a broader set of activities and items that ‘support’ a military end use.⁴ The MEU rule prohibits the export, re-export or in-country transfer of certain EAR-controlled items for a ‘military end user’ or ‘military end use’ in China, Russia or Venezuela.⁵ On 23 December 2020, BIS also placed exporters on notice of parties it deems ‘military end users’ by publishing an official list (the MEU List).⁶ As a result, MNCs may need to conduct an internal investigation or risk assessment to identify possible past violations and consider enhancing due diligence and screening processes to review publicly available information to determine whether any customers, end-users or suppliers are prohibited military end users under the MEU Rule.

The Office of Foreign Assets Control (OFAC) also imposed sanctions against China through targeted designations on its Specially Designated Nationals (SDN) List and Non-SDN Chinese Military-Industrial Complex Companies (NS-CMIC) List. The assets of SDNs are blocked from the US financial system, and US persons are generally prohibited from dealing with SDNs. From 2019 to 2021, OFAC designated several Chinese government officials and entities as SDNs pursuant to EO 13818.⁷ OFAC also designated Chinese entities as CMICs.⁸ On 3 June 2021, President Joseph Biden issued EO 14032, which prohibits US persons from investing in publicly traded securities of companies operating in China’s defence and surveillance technology sectors, which are identified in the Annex to EO 14032 and on OFAC’s NS-CMIC List.

Developments in China’s export control and sanctions regimes

In the past year, China adopted its new Export Control Law (ECL), which marked a significant development in China’s implementation of its own export control regime.^{9 On 17 October 2020, the Standing Committee of the National People’s Congress (SCNPC) approved the ECL, which became effective on 1 December 2020. The passage of the ECL reflects China’s broader efforts to further its national security interests and counteract the US government’s use of export controls to restrict the transfer of sensitive technologies to China. The new law also follows China’s announcement of its Unreliable Entity List on 19 May 2019, and the release of implementing provisions on 19 September 2020.10 These provisions allow the Chinese government to designate any foreign entity that endangers the national sovereignty, security or development interests of China. To date, the Chinese government has not designated any foreign entities on the Unreliable Entity List but this may soon change with the passage of the ECL.}

China’s new ECL mirrors the US and other foreign export regimes as it defines controlled items and technologies, deemed exports and export control authorities, and asserts extraterritorial jurisdiction on transfers of controlled technology outside of China. Exporters are required to apply for an export permit to export controlled items, as well as items that are otherwise subject to restrictions under the People’s Republic of China (PRC) Export Control Law. Similar to the US and other export regimes, China’s ECL provides a range of administrative and criminal penalties for violations of the law.¹¹ Unlike other export regimes, China’s ECL authorises the Chinese government to take retaliatory measures in response to any country or region that ‘abuses export control measures to endanger the national security and national interests of the People’s Republic of China.’¹² As a result, MNCs should continue to review any additional rules and guidelines adopted by the Chinese government to implement the new ECL.

On 28 April 2021, China’s Ministry of Commerce (MOFCOM) issued its official guidance on the development of policies and procedures to prevent, detect and remediate violations of China’s ECL.¹³ China’s new guidelines mirror the guidance by the US Department of Commerce under its export compliance programme.¹⁴ MNCs should consider implementing an export compliance programme, which takes into account MOFCOM’s recent guidance, in order to comply with the ECL.

On 9 January 2021, MOFCOM released the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Laws and Other Measures (the Chinese Blocking Statute).¹⁵ The Chinese Blocking Statute established the first blocking statute in China to counteract the impact of foreign legal measures on Chinese persons. The Chinese Blocking Statute applies to situations where the extraterritorial application of non-Chinese laws and other measures is determined to violate ‘international law and basic principles of international relations’, and ‘unjustifiably prohibit or restrict Chinese Persons from engaging in normal economic, trade and related activities.’¹⁶ Under article 5, Chinese parties are required to submit a report to MOFCOM within 30 days of being subject to an extraterritorial measure. The State Council will then review the report and may issue an order to prohibit the Chinese party from complying with the extraterritorial measure. A Chinese party may also apply for and be granted an exemption from any such order.

In addition to its new export law and blocking statute, China has also expanded its sanctions regime. On 10 June 2021, the SCNPC passed the Anti-Foreign Sanctions Law of the People’s Republic of China (AFSL).¹⁷ The AFSL is a legal framework that the Chinese government created to counteract sanctions imposed by foreign governments and protect Chinese individuals and organisations from suffering resulting damages. Article 3 asserts the right of the PRC to take countermeasures in response to discriminatory or restrictive measures against Chinese citizens and organisations, as well as interference in China’s internal affairs. These countermeasures include designations on a ‘countermeasures list’, as well as additional penalties under article 6, which include refusal of visa issuance, deportation, freezing of assets and any other measures deemed necessary. Article 12 allows Chinese individuals and organisations to file a lawsuit in China against foreign individuals or organisations where they have suffered from ‘discriminative or restrictive’ measures by foreign countries.

China’s adoption of its AFSL shows how countries are implementing measures to counteract extraterritorial sanctions by foreign countries, such as the United States. These conflicts of law present challenges for both US and China-based MNCs to comply with applicable laws, particularly in the areas of sanctions and export controls. MNCs should implement in-depth and comprehensive due diligence programmes in conducting international business to assess the risks presented by such laws and mitigate the risks of non-compliance.

Increased US focus on corruption

On the corruption front, President Joseph Biden, on 3 June 2021, issued a Memorandum on Establishing the Fight Against Corruption as a Core United States National Security Interest.¹⁸ As the name suggests, this general statement of policy and accompanying Fact Sheet are intended to invigorate already-existing efforts to stamp out corruption. Specifically, the memorandum requires a 200-day ‘interagency review process’ and the development of a ‘Presidential strategy’ that will, when implemented, significantly bolster the ability of the US government to:

• modernise, coordinate, and support efforts to better fight corruption;
• curb illicit finance through the establishment of a ‘beneficial ownership’ registry to thwart financial anonymity and secrecy both domestic and abroad;
• hold corrupt actors accountable by building upon anticorruption sanctions under the Global Magnitsky Act and bolstering criminal and civil enforcement actions;
• build international partnerships through, inter alia, the United Nations, G7 and Financial Action Task Force to counteract corruption at the strategic level; and
• improve foreign assistance by partnering with foreign governments and civil society to ‘enhance the capacity of their domestic institutions to implement transparency, oversight, and accountability measures’.

This Presidential Memorandum solidifies the notion that anti-corruption efforts domestic and abroad remain a key priority of the US, regardless of the increasing difficulty to investigate corruption across national frontiers. The Administration’s 3 June announcement coincided with several other US and global anti-corruption initiatives, including the 2 June 2021 launch of the US Congress’s Caucus against Foreign Corruption and Kleptocracy, the first United Nations (UN) General Assembly Special Session on corruption, which took place the first week of June and the G7 Foreign Ministers’ statement.¹⁹ Nonetheless, collectively these announcements are unlikely to shift the landscape and expectations for enforcement of the US Foreign Corrupt Practices Act (FCPA), including in China where the FCPA has been and will remain the primary focus of MNCs’ compliance programmes and internal investigations.

Investigators in the United States will continue to build upon a 2019 FCPA Corporate Enforcement Policy revision,²⁰ which provided for a ‘presumption of declination’ of prosecution to any company that ‘voluntarily self-discloses, fully cooperates, and appropriately remediates any violation of the FCPA’. For example, in July 2020, the US Department of Justice (US DOJ) and the US Securities Exchange Commission (US SEC) Enforcement Division released updated guidance on FCPA compliance. The Second Edition of the Resource Guide to the US Foreign Corrupt Practices Act assimilated the compliance principles previously published in its June 2020 Evaluation of Corporate Compliance Programs²¹ into a cross-border investigation context. For example, in the updated Resource Guide, the US DOJ continued to emphasise a risk-based approach in the design, implementation and assessment of FCPA compliance policies. Given the frequency of FCPA issues arising from the use of third parties, particularly in foreign countries like China, the updated Resource Guide reflects the US government’s emphasis on the need for a company to engage in due diligence regarding the qualifications and business justifications for the engagement of third parties, as well as ongoing monitoring of these third-party relationships.

Compliance programme assessments carry weight

Without question, the US government’s focus on China has not shifted with the turnover of presidential administrations. When asked at her confirmation hearing for Deputy Attorney General whether the Biden Administration would continue the former administration’s China Initiative,²² the incoming administration’s nominee, Lisa Monaco, stated that the US DOJ ‘has an important role to play in countering China and its adversarial actions, which pose the top security threat to the United States’ interests and values’.²³ Indeed, as trade tensions continue to simmer, China has remained the primary focus of the US government’s enforcement activities, not only with the FCPA, but also the panoply of other laws and regulations carrying extraterritorial effect that investigators have aimed at business conduct in China.

As cross-border investigations increase in frequency, compliance programme assessments remain either a critical defence, or conspicuous weakness, in both the United States and China. China is increasingly asserting jurisdiction over Chinese companies’ conduct abroad, applying extraterritorial principles in the same manner that US investigators have long embraced with antitrust and securities laws. By enforcing US laws extraterritorially, such as US sanctions against Huawei and other Chinese companies, the US government expects to maintain pressure on China in what has become a global hegemonic struggle between the two superpowers. Likewise, as trade tensions continue to increase, Chinese government officials have reiterated their commitment to exercising extraterritorial jurisdiction when they perceive foreign conduct as threatening China’s national interests.

Compliance programme assessments and effects on prosecutorial discretion

In the United States, the dual-edged nature of compliance assessments was on full display. Effective compliance programmes garnered leniency, while ineffective compliance programmes resulted in increased penalties. Global companies’ business conduct in China remained in the spotlight through the final year of the Trump Administration as US government investigators weighed companies’ efforts to comply with the FCPA, including targeting businesses with ineffective compliance procedures. For example, in December 2019, Swedish telecom giant Ericsson agreed to pay over US$1 billion in one of the largest FCPA enforcement actions to date. In the US SEC’s civil complaint, government investigators found that in 2013 Ericsson had instituted a policy restricting the use of third-party agents. However, the US SEC found that Ericsson’s own head of Asia-Pacific ‘determined that it was important for Ericsson China’s business to continue to engage third-party agents with strong connections to Ericsson China’s state-owned customers’, and continued to use and pay agents by circumventing what the US SEC deemed ineffective internal procedures²⁴.

Conversely, the past year reinforced how cooperation and the implementation of effective compliance procedures can work to a company’s benefit. The opening weeks of 2020 witnessed investigators aiming enforcement tools beyond solely the FCPA to combat instances of business misconduct and corruption, particularly in China. In January 2020, courts in France, the United Kingdom, and the United States approved parallel versions of a deferred prosecution agreement (DPA) between multinational government investigators and Airbus that included a combined fine of nearly US$4 billion for the aerospace company. The resolution ended multi-year investigations into Airbus’ conduct globally, and in particular in China between 2008 and 2015, by the French National Financial Prosecutor’s Office, the UK Serious Fraud Office and the US DOJ.²⁵ The US DPA provided Airbus credit for voluntarily disclosing International Traffic in Arms Regulations (ITAR) violations, and further credited Airbus for cooperating, and for committing to additional investigation of the ITAR-related conduct. The DPA also noted that Airbus engaged in corrective measures, including identifying and implementing corrective actions to remediate past misconduct and improve its overall export compliance programme and associated internal controls going forward. Airbus agreed to pay a criminal penalty just north of US$2 billion for the misconduct, which represented a 25 per cent departure from the bottom of the Sentencing Guidelines range²⁶.

The twenty-first century’s military, economic and technological competition between the two global superpowers, the US and China, also extends to the legal arena. Increasingly, China has adopted regulations and enforcement practices that mirror those in the United States just as, for example, Germany’s Kaiser Wilhelm II sought to compete with and mimic British naval power at the turn of the twentieth century. Beginning in 2018, with China’s passage of the Amended Anti-Unfair Competition Law (AUCL), the Chinese government aimed to provide incentives for the implementation of robust compliance programmes in the same way as China’s regulator-counterparts in the UK and the US. The AUCL, which provides that ‘acts of bribery committed by a staff member of a business operator shall be deemed the conduct of the business operator, unless the business operator has evidence to prove that such acts of the staff member are unrelated to seeking business opportunities or competitive advantage for the business operator’, placed the onus of compliance on businesses operating in China to present persuasive evidence to show that it should not be held vicariously liable for an employee’s misconduct.

Over the past two years, Chinese authorities have increasingly moved in lockstep with their US counterparts when it comes to compliance programme expectations. Although there is no direct parallel, or equivalent, to a DPA in China, 2020 witnessed the country’s first pilot programme for corporate criminal compliance and non-prosecution. In March 2020, the Supreme People’s Procuratorate’s pilot programme became the first in China to allow local People’s Procuratorates to make non-prosecution determinations and thereby request that Chinese companies make specific compliance commitments and develop more effective compliance programmes.

Moreover, in October 2019, the Shenzhen Nanshan District Public Security Bureau received a report that employees of an unnamed company, Company Y, paid bribes to an employee of the procurement department of Company H, as well as a director of Company H. In March 2020, the Public Security Bureau referred the case to Shenzhen Nanshan District Procuratorate Bureau. The Procuratorate Bureau investigated the alleged misconduct and found that the employees of Company Y paid bribes, and that Company Y, as a soon-to-be-publicly-listed company, had significant gaps in its corporate compliance programme. After an investigation, the Procuratorate declined to prosecute the employee of Company Y. And in July 2020, the Procuratorate signed a compliance supervision agreement with Company Y that required Company Y to establish an effective compliance system.²⁷

The recognition of a company’s effective compliance programme as an important consideration in granting cooperation credit or in declining to prosecute by governments around the globe underscores the importance of compliance as a defence for a company in a government investigation and a foundation for sustainable business operations in its home country and abroad. And China, as it will soon reach the 10th anniversary of President Xi Jinping’s anti-corruption campaign in 2022, will continue to benchmark the investigative and enforcement practices of US and European countries – including compliance programme assessments and leniency programmes as well as an increased focus on prosecuting individual liability in corruption cases – and adopt similar approaches to become part of the multilateral efforts by governments to crack down on corruption.

Data security and new restrictions on cross-border data transfer

While there has been an uptick in offensive cross-border investigations, there is now a defensive component to cross-border investigations as well. Typically, when a Chinese company is the subject of a cross-border investigation, this investigation will require investigators located outside of China to review vast amounts of data located within China. Over time, however, the Chinese government has developed a complex regulatory regime governing cross-border data transfers, which makes it increasingly difficult to obtain the requisite data and information to respond to a government investigation initiated by a foreign prosecutor or conduct cross-border investigations.

Chinese State Secrets Law

The Chinese State Secrets Law serves as one of China’s most foundational data localisation laws, prohibiting the transfer of state secrets outside of China’s borders. China broadly defines ‘state secrets’ as ‘matters that concern state security and national interests.’²⁸ With this definition, it is not always clear what constitutes ‘state secrets’, but the concept generally includes any data or information that is related to China’s ‘economic and social development’, information related to science and technology, or any information that, if released, could pose a threat to Chinese national security.²⁹ If there is uncertainty whether certain information is a state secret, companies may need to submit the information to the Chinese government for prior approval. Violators of the State Secrets Law are subject to strict criminal penalties.

China Cyber Security Law of 2017

The China Cyber Security Law of 2017 (CSL) has added further complexity to the regulatory regime, requiring ‘network operators’ – which, in effect, includes nearly all businesses operating in China – to implement network security measures that protect personal information and important data. Moreover, those operating ‘critical information infrastructure’ (CII) must ensure that all personal information and important data collated or generated in China is stored on a server that is physically located in China. Any cross-border transfer of this data is subject to heightened security assessments.³⁰ The CSL broadly defines CII as ‘an infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger [China’s] national security, national welfare or the livelihoods of the people, or the public interest’.

PRC Data Security Law 2021

Building upon the general data transfer provisions contained in the CSL, the National People’s Congress passed the PRC Data Security Law (DSL) on 10 June 2021, after having previously circulated two DSL drafts. The DSL comes into effect on 1 September 2021, and serves as China’s first comprehensive data security legislation governing issues related to the collection, storage, processing, use, provision, transaction and publication of any data. Pertinent to cross-border investigations, the DSL’s final version requires Chinese government approval before providing data physically stored in China, to law enforcement authorities or judicial bodies outside China.

For example, if the US DOJ were to request data that is generated or collected in China as part of an investigation, the individual or entity that plans to transfer the data would need to obtain the approval from the Chinese government prior to submitting the data or information to the US DOJ. Notably, violations of China’s prohibition on cross-border data transfer attract significant penalties including inter alia, confiscation of illegal gains, warnings, fines under 10 million yuan, business suspensions, business permit or licence revocations and potential criminal penalties. Therefore, when Chinese companies are the subject of an investigation, they must consider the consequences of complying with the DSL and potentially ignoring the US investigation, or cooperating with the US investigation and thereby violating the DSL. Given conflicting Chinese legal regimes, these companies must also consider the negative externalities and consequence inherent in either choice. Lastly, most of the provisions of the DSL are only statements of principle as we await implementing regulations, standards, and guidelines to determine how these provisions will be interpreted and applied.

International Criminal Justice Assistance Law October 2018

The conundrum of having to comply with conflicting legal requirements of a foreign jurisdiction, such as the US, and domestic Chinese laws is not a novel issue. In October 2018, China enacted the International Criminal Justice Assistance Law (ICJAL), which requires companies or individuals in China to seek government approval before providing ‘judicial assistance’ to foreign prosecutors in support of international criminal proceedings. Judicial assistance includes service of documents, investigation and evidence collection, witness testimony, seizure and confiscation of illegal assets, and the transfer of convicted persons. Where approval to provide judicial assistance is granted, the Chinese government may monitor such assistance and intervene in its discretion. Consistent with our last article discussing cross-border investigations, it remains to be seen how this law will be implemented and enforced as there are no implementing regulations, and there is still only one US case wherein the ICJAL was cited as a basis for non-compliance with a US subpoena.³¹ In that case, the DC federal district court was not persuaded, holding that the US’ security interest outweighed ICJAL requirements.

PRC Securities Law 2019

China enacted amendments to the PRC Securities Law in December 2019,³² prohibiting overseas regulatory agencies from conducting investigations and collecting evidence directly in the territories of the PRC. Further, entities and individuals subject to PRC law may not provide documents or information related to securities to an overseas entity or individual without the approval of the competent authorities and regulatory agencies affiliated with the PRC State Council.

China’s Data Security Guidelines 2019

In 2019, China issued new draft ‘Measures for Data Security Management’ (the 2019 Draft Security Assessment Measures) and ‘Measures on Security Assessment of the Cross-Border Transfer of Personal Information’ (the 2019 Draft Cross-Border PI Measures) on 28 March 2019 and 13 June 2019 respectively. Fundamentally, the 2019 Draft Security Assessment Measures address the venue of ‘important information’. ‘Important information’ is broadly defined as data that, if leaked, may affect China’s national security, economic security, social stability and public health. The 2019 Draft Cross-Border PI Measures specifically address ‘personal information’, as the name suggests. Generally, personal information consists of all information that can be used to identify a natural person. Under the 2019 Draft Cross-Border PI Measures, CII operators and network operators are required to undergo the Cyberspace Administration of China’s official security assessment. CII and Network operators are also required to conduct security risk assessments and obtain a data subject’s express consent.

Personal Information Protection Law April 2021

China recently released the second draft of the Personal Information Protection Law (PIPL) on 29 April 2021.³³ The draft law regulates how personal information is collected, stored, and shared in China. Perhaps most significantly, article 41 of the PIPL prohibits companies from providing personal information to extraterritorial law enforcement, or judicial bodies outside mainland China without Chinese authorities. As discussed with respect to China’s DSL, this could pose significant hurdles when conducting cross-border investigations.

Conflicts of laws and new data protection and privacy laws create complexities for compliance and cross-border investigations

MNCs continue to face the challenge of navigating conflicts of law, especially in light of recent changes in US–China export controls and sanctions laws and China’s increasingly stringent data privacy laws. The jurisdictional reach of US sanctions is broad, applying to both US persons and US dollar transactions, thus US companies and international financial institutions will likely continue complying with US sanctions and avoid dealing with SDNs. On the other hand, China’s AFSL is also broad and provides extended authority to PRC regulators to designate anyone participating in ‘discriminatory restrictive measures’ against Chinese persons and organisations, and to impose retaliatory measures. As a result, companies with a substantial physical presence or assets in China may decide to comply with the AFSL and avoid dealing with entities on the ‘countermeasures list’.

Considering the legal framework above, it is clear that companies need to take a more proactive approach in conducting cross-border investigations to avoid the high costs of responding to government investigations and to mitigate compliance risks. Chinese companies are strengthening their compliance functions and conducting regular internal investigations, for corporate compliance is now a requirement that has been mandated by the Chinese government. At the same time, MNCs will need to consider compliance with China’s new data security and privacy laws in carrying out internal investigations.

The complexity and variety of data privacy and data protection regimes in the Asia-Pacific region, together with pandemic-related travel restrictions imposed by governments in the region, and the ongoing developments of new laws related to the collection and use of evidence located in China, have made conducting investigations in the region increasingly challenging. These regimes may impose restrictions on a company’s ability to collect, use, transfer and disclose personal information or important data, all of which are necessary to conduct internal investigations, to comply with subpoenas or requests for information from authorities, or where companies wish to voluntarily disclose data or information to law enforcement agencies to receive more lenient treatment.

Accordingly, MNCs should weigh the consequences of complying with US and Chinese laws that might be in conflict with each other. And compliance measures, such as a pre-transaction screening process, whistle-blowing mechanism for reporting non-compliance, data governance and investigation protocols, should be carefully designed. To further address the complexities in cross-border investigations, MNCs should adopt a risk-based approach with respect to compliance in general and cross-border investigations specifically:

• Evaluate business activities to determine jurisdictional reach and application of both the US and Chinese trade and all applicable blocking laws, as well as potential penalties for non-compliance.
• Tailor one’s compliance programme based on the jurisdictional reach and application of the US and Chinese trade and blocking laws as well as the company’s risk profile in each jurisdiction.
• Obtain legal guidance on assessing the implications of the blocking laws when dealing with a PRC entity or for entities with operations in the PRC.
• Prepare and implement internal guidance and re-examine compliance policies and controls to determine any potential liability under US or Chinese trade laws, including the blocking laws.
• Consider adopting new compliance measures, such as a screening process, to avoid dealing with designated individuals or entities.
• Re-examine contractual clauses, and use appropriate clauses in contracts where a company may be subject to both US and PRC sanctions.
• Engage with US and Chinese government authorities depending on one’s commercial activities for cross-border data transfer approval, or to provide a notification of the intent to argue foreign law as early as possible³⁴.
• Monitor the Chinese government’s implementation of the blocking laws to determine potential impact in practice.
• Conduct compliance risk assessments and internal investigations proactively before becoming the subject of an external investigation.
• Internally assess how data and information is collected, stored, protected, processed, and transferred to proactively determine each applicable jurisdiction’s compliance requirements, and friction points between these requirements.
• Plan ahead and formulate the investigation plan by considering the additional time and coordination that may be required due to pandemic-related or other travel restrictions for investigation lawyers and data transfer restrictions, particularly if there is any risk of evidence spoilation.
• Utilise technological innovations, including artificial intelligence, to assist in the identification of relevant data and information in investigations, while also understanding the limitation of technology where an investigation counsel’s experience as well as his or her cultural and linguistic know-how are required to interpret the data.
• Identify gaps in internal investigations due to data handling restrictions and develop plans to address these gaps.
• Stemming from internal investigations, develop a contingency plan to respond to cross-border requests for data from government agencies.
• Consider conducting in-country data review by investigation counsel who can advise on conflicts of law and determine how to handle data that cannot be transferred outside of China, and document the decisions with respect to data management in connection with cross-border litigation or investigations.

Conclusion

Balancing conflicts of Chinese and US laws and considering the related implications will be critical for MNCs in conducting cross-border investigations in the coming year. MNCs should continue to maintain a robust internal investigation protocol that actively detects and uncovers violations, implements corrective actions and considers data privacy and data security laws. Conflicts of law have complicated how MNCs may carry out cross-border investigations, but an experienced legal team with multi-jurisdictional expertise can assist. Experienced counsel can consider the conflicting obligations imposed under US and Chinese laws, evaluate risk exposure and, where necessary, implement remedial measures that may mitigate potential enforcement action by US or Chinese government authorities.

The authors would like to acknowledge Joshua Turner, Cindy Shen and Samantha Arnold, for their helpful assistance in providing the multi-jurisdictional legal research for this article.

Notes