China Compass, Spring 2024

Navigating cross-border internal investigations under current data regulations

Business meeting online
  • Newsletter
  • 4 minute read
  • 04 Apr 2024

Covid restrictions taught organizations some valuable lessons about working in a “remote new normal.” One of them is how to adapt their internal audits, investigations and compliance functions to reflect situations in which they may have little or no physical access to their Chinese subsidiaries.

During the pandemic, many multinational companies adopted more remote methods of conducting audits, compliance reviews and internal investigations, including online interviews, digital document reviews and virtual process walkthroughs. Although Covid restrictions have been lifted, remote workflows are often seen as time and cost effective and many therefore remain in place. The regulatory landscape in China is evolving, however, and this poses notable challenges to internal investigations and compliance reviews involving cross-border data transfers.

Laws on personal information and data security

China has introduced a number of major regulations recently, including the Personal Information Protection Law (PIPL) and Data Security Law (DSL) in 2021. PIPL mandates that companies use specific data transfer mechanisms if they want to move personal information to a location outside China. The DSL refers to “implementing categorized and graded protection according to the data’s degree of importance in economic and social development.” Data classified in the Data Security Law as “core” and “important” require restricted handling for reasons of data security. In addition, both data-regulation laws mention that any provision of data to foreign justice or law enforcement agencies requires approval by the relevant Chinese authorities.

Cyberspace Administration of China (CAC)

In 2022, CAC introduced measures for assessing the security of data exports. Under the measures, a security assessment of certain amounts and types of personal data, as well as “important” data, must be completed with CAC prior to cross-border transfer through cyber space. Further, in April 2023 China updated its Counterespionage Law, broadening the scope of what is considered espionage. As the law states: “No individual or organization may unlawfully obtain or possess any documents, data, materials or items that are state secrets.” Since it does not provide further details on the various categories, the law could therefore be applicable to diverse types of data.

Internal cross-border investigations

These complex and evolving regulatory demands must be given proper attention by the professionals who examine China-related activities and ensure compliance with the relevant laws as part of internal cross-border investigations. The following steps could prove useful for monitoring a company’s China business and identifying as quickly as possible any potential issues related to controls, compliance or fraud:

  • Strengthen local teams: Many companies have begun to recruit or expand their internal audit and compliance staff in China, or to collaborate with professional firms in China to conduct reviews. These skilled, local resources can provide an on-site presence for the reviews and address the challenges mentioned above. They can use their “local perspective” to identify and assess country-specific issues, such as regulatory changes, market practices, local business culture and stakeholder expectations. Further, local resources can also help interpret and explain requests for information. In addition, they can make reviews more productive by connecting the local and global teams. 
  • Enhance the compliance framework: Enhancing or modifying elements in the compliance framework, such as whistle-blower and third-party risk management programs, can help reduce the potential for compliance violations. For example, having effective triage procedures in place makes it easier to identify and address potential issues early on. Improving third party risk management allows headquarters and regional offices to become better acquainted with local business partners, while helping the compliance team lower the risk of fraud, collusion and other potential regulatory violations. 
  • Safeguard data management for internal investigations and China-related litigation: In recent years, China-based legal and forensic teams have created instructions on how to collect and handle data that are needed for an investigation or compliance review in the country. If data related to a case will be shared with or accessed by parties outside Mainland China, legal counsel should be consulted to assess conditions for the cross-border transfer of data, as compliance with a range of regulations may be needed.
Paul Tan - PwC

Paul Tan

Paul Tan is partner in PwC’s Forensic Services practice in China. He has been assisting corporate clients in managing their business risks in China since 2004. He has extensive experience in conducting internal investigations into accounting fraud, misappropriation of assets, and bribery and corruption. His areas of expertise include advising on compliance programs, fraud risk assessments, anti-bribery compliance reviews and compliance monitoring. He is a Fellow of the Association of Chartered Certified Accountants and is based in Shanghai.

Tel: + 86 21 2323 2405

Marina  Dorn - PwC

Marina Dorn

Marina Dorn is director at PwC (Advisory) in Frankfurt. She has over 12 years of cross-industry experience in various reputational due diligence projects, ranging from business partner due diligence to country risk assessments and sanctions monitoring. Prior to joining PwC, she built and led a team focusing on background research, including in-depth investigative research at another Big4 consulting firm. Prior to that she worked as a journalist. Marina holds an MBA from the European School of Management and Technology ESMT in Berlin.

Tel: +49 151 55997203

Further information

Chinese laws to consider while planning an internal investigation or review

The above links are for informational purposes only and do not represent legally binding translations.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, legal or other professional advice. Please refer to your advisors for specific advice.

Interested in knowing more?

Make sure you get the latest information and subscribe. As a subscriber to the digital edition, you will receive an information update three times a year.

PwC China Compass

You will discover how to take advantage of current opportunities and safely circumnavigate the risks of doing business in China.

Follow us

Contact us

Thomas Heck

Thomas Heck

Partner, PwC USA Business Group & China Business Group, PwC United States

Tel: +49 175 9365-782

Katja Banik

Katja Banik

Editorial management, PwC Germany

Tel: +49 151 1426-2429