Navigating cross-border internal investigations under current data regulations

During the pandemic, many multinational companies adopted more remote methods of conducting audits, compliance reviews and internal investigations, including online interviews, digital document reviews and virtual process walkthroughs. Although Covid restrictions have been lifted, remote workflows are often seen as time and cost effective and many therefore remain in place. The regulatory landscape in China is evolving, however, and this poses notable challenges to internal investigations and compliance reviews involving cross-border data transfers.

Laws on personal information and data security

China has introduced a number of major regulations recently, including the Personal Information Protection Law (PIPL) and Data Security Law (DSL) in 2021. PIPL mandates that companies use specific data transfer mechanisms if they want to move personal information to a location outside China. The DSL refers to “implementing categorized and graded protection according to the data’s degree of importance in economic and social development.” Data classified in the Data Security Law as “core” and “important” require restricted handling for reasons of data security. In addition, both data-regulation laws mention that any provision of data to foreign justice or law enforcement agencies requires approval by the relevant Chinese authorities.

Cyberspace Administration of China (CAC)

In 2022, CAC introduced measures for assessing the security of data exports. Under the measures, a security assessment of certain amounts and types of personal data, as well as “important” data, must be completed with CAC prior to cross-border transfer through cyber space. Further, in April 2023 China updated its Counterespionage Law, broadening the scope of what is considered espionage. As the law states: “No individual or organization may unlawfully obtain or possess any documents, data, materials or items that are state secrets.” Since it does not provide further details on the various categories, the law could therefore be applicable to diverse types of data.

Internal cross-border investigations

These complex and evolving regulatory demands must be given proper attention by the professionals who examine China-related activities and ensure compliance with the relevant laws as part of internal cross-border investigations. The following steps could prove useful for monitoring a company’s China business and identifying as quickly as possible any potential issues related to controls, compliance or fraud:

• Strengthen local teams: Many companies have begun to recruit or expand their internal audit and compliance staff in China, or to collaborate with professional firms in China to conduct reviews. These skilled, local resources can provide an on-site presence for the reviews and address the challenges mentioned above. They can use their “local perspective” to identify and assess country-specific issues, such as regulatory changes, market practices, local business culture and stakeholder expectations. Further, local resources can also help interpret and explain requests for information. In addition, they can make reviews more productive by connecting the local and global teams. 
  
• Enhance the compliance framework: Enhancing or modifying elements in the compliance framework, such as whistle-blower and third-party risk management programs, can help reduce the potential for compliance violations. For example, having effective triage procedures in place makes it easier to identify and address potential issues early on. Improving third party risk management allows headquarters and regional offices to become better acquainted with local business partners, while helping the compliance team lower the risk of fraud, collusion and other potential regulatory violations. 
  
• Safeguard data management for internal investigations and China-related litigation: In recent years, China-based legal and forensic teams have created instructions on how to collect and handle data that are needed for an investigation or compliance review in the country. If data related to a case will be shared with or accessed by parties outside Mainland China, legal counsel should be consulted to assess conditions for the cross-border transfer of data, as compliance with a range of regulations may be needed.