What You Need to Know about China’s Counter-Espionage Law

Written By

james gong Module
James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

harry qu Module
Harry Qu

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, TMT, as well as antitrust and anti-competition law.

fengming jin Module
Fengming Jin

Associate
China

I am an associate in the Privacy and Data Protection practice in our Beijing office. I am experienced in data privacy, cybersecurity, telecommunications, and employment law compliance.

In an era marked by heightened concerns over national security, China has shown an unwavering commitment to safeguarding its national interests. Notably, China recently passed the revised Counter-Espionage Law (“CEL”), effective from July 1, 2023. The legislation signifies China’s dedication to strengthening its national security framework. This article summarises China’s counter-espionage regulations, with the CEL serving as the cornerstone, and offers guidance for businesses who need to comply with the regulations.

Background

China has recently faced unprecedented challenges in maintaining its national security amid increasing global concern over espionage activities. This concern has been accentuated by a series of notable cases that have highlighted the severity of these threats. In one case, a prominent expert consulting service provider, as announced by the Ministry of State Security, concealed the true identities of foreign consultants, and enticed influential experts across multiple industries to divulge sensitive information. This company, with over a thousand clients worldwide and a vast database of more than 300,000 experts, was involved in stealing state secrets and intelligence in key areas of China. Meanwhile, another high-profile case involved a renowned U.S. management consulting firm’s Shanghai office, which found itself the subjected of a dawn raid in April 2023.

These cases epitomise China’s proactive stance in addressing espionage and maintaining the integrity of its national security framework. Apart from the CEL, China has established a robust legal framework encompassing a series of laws and regulations designed to safeguard its national security interests, guided by the comprehensive principles of the National Security Concept (“国家总体安全观”). These include the National Security Law, the National Intelligence Law, the Counter-Terrorism Law, the Cybersecurity Law (“CSL”), and the Data Security Law (“DSL”).

Before the enactment of the CEL, the National Security Law and the Criminal Code served as key legal instruments to combat espionage activities, defining the high-level requirements, offenses, and penalties for espionage. The CEL was introduced in 2014, the first dedicated legislation specifically targeting espionage activities. To facilitate the implementation of the CEL, the State Council issued the Rules for the Implementation of the Counter-Espionage Law of the PRC (the “Implementation Rules”), and the Ministry of State Security formulated the Regulations on Counter-Espionage Security Precautions. In addition, many provinces and cities including Shanghai, Chongqing, Zhejiang, etc., have also formulated local regulations on counterespionage.

In April 2023, the National People’s Congress Standing Committee took steps to fortify China’s counterespionage framework and voted to pass the revised Counter-Espionage Law, which took effect on July 1, 2023. The recent legislative developments mark a pivotal moment in China’s commitment to enhancing its national security apparatus.

Key Provisions and Observations

I. What is espionage action?

The newly revised CEL refines the scope of espionage behaviours. Based on the CEL, an “act of espionage” refers to any of the following conduct:

i. Any activity that endangers the national security of China that is carried out, instigated, or funded by an espionage organisation and its agents, or carried out in collusion therewith by any domestic or foreign institution, organisation, or individual.

ii. Participation in an espionage organisation or acceptation of any task from an espionage organisation and its agents or seeking refuge with an espionage organisation and its agents.

iii. Any activity carried out, instigated, or funded by a foreign institution, organisation, or individual other than espionage organisations and their agents, or carried out in collusion therewith by any domestic institution, organisation, or individuals, to steal, spry for, purchase, or illegally provide any state secrets or intelligence, or other documents, data, materials, or items of concern to national security, or to incite, entice, coerce, or bribe a state employee to defect.

iv. Any cyber-attack, intrusion, interference, control, sabotage, or other such activity carried out, instigated, or funded by an espionage organisation and its agents, or carried out in collusion therewith by any domestic or foreign institution, organisation, or individual, which targets any state agency, entity involved with classified matters, or critical information infrastructure (“CII”), among others. CII specifically, refers to and information system that is crucial to national security, the economy, and public interests, and has been a focus since the enactment of the CSL. The revised CEL emphasises the duty to protect CII from cyberattack-alike threats.

v. Indicating any target for an enemy.

vi. Other espionage activity.

II. Who should comply with the CEL?

The CEL and its accompanying Implementation Rules apply to three categories: General Units, CII Operators, and Key Units for countering espionage. The obligations vary based on the organisation’s characteristics and nature.

i. General Units: This category encompasses government agencies, organisations, enterprises, and social institutions responsible for fulfilling general counter-espionage security obligations. Typically, most foreign enterprises are categorised as General Units.

ii. CII Operators: CII Operators cover critical network and information systems in vital sectors, with added security requirements.

iii. Key Units: As defined in the Implementation Rules, Key Units bear extra duties. The Ministry of State Security, together with relevant departments, maintain a list of Key Units, and organisations identified as Key Units receive official notifications from the authorities.

III. What are your obligations?

The CEL and its Implementation Rules impose a set of stringent obligations on organisations. These include prohibitive requirements, which forbid activities posing threats to national security, as well as general requirements aimed at enhancing vigilance, stressing reporting duties, and facilitating cooperation with authorities, etc.

Prohibitive requirements:

The CEL sets forth two prohibitive requirements:

i. Organisations shall not illegally acquire or possess documents, data, information, or items of concern to national security.

Notably, with the rise of laws and regulations such as the CSL, the DSL, and the Measures of Security Assessment for Data Export, China has strengthened its control over data localisation and data export. (For our comments on the data export requirements in China, please click here.) In particular, the DSL outlines special requirements for national core data and important data, and the Ministry of Industry and Information Technology also require that national core data and important data are related to “key areas related to national security”. In practice, regulatory authorities in various industries are currently formulating guidelines for the identification of these data and may require organisations to identify their own important data and formulate an internal list of important data.

ii. Organisations shall not illegally manufacture, sell, possess, or use specialised espionage devices required for espionage activities.

The Implementation Rules specifies the definition of specialised espionage devices. Specialised espionage devices are the following devices specially used for espionage activities:

  • Hidden eavesdropping and hidden spy equipment;
  • Burst transceivers, one-time pads, steganography tools;
  • Electronic monitoring and interception equipment used to obtain intelligence; and
  • Other specialised espionage devices.

Specialised espionage devices are confirmed by the Ministry of State Security. However, we have not seen any list or interpretation of specialised espionage devices issued by the Ministry of State Security.

General requirements:

General requirements encompass the following obligations:

i. Conducting comprehensive counter-espionage security education and training;

ii. Strengthening security management and implementing pertinent security measures;

iii. Promptly reporting to the relevant state security administrations any suspicious occurrences that pose a threat to state security;

iv. Furnishing facilities or rendering assistance, to state security authorities in legal enforcement; and

v. Effectively responding to counter-espionage security emergencies concerning the organisation and its personnel.

Notably, when assisting law enforcement, employees may be required to disclose corporate information, including specific details regarding the offshore business operations of multi-national companies.

IV. Liability

The CEL is a robust legal framework that enforces strict liability provisions. The framework delineates the consequences for individuals and entities that are engaged in espionage activities or unable to fulfil compliance obligations.

Individuals:

i. Criminal Liability: Espionage acts constituting a crime will be subject to criminal prosecution as per the law, such as the crime of illegal provision of state secrets or intelligence (“非法提供国家秘密、情报罪”) and espionage crime (“间谍罪”).

ii. Administrative Liability: For acts of espionage not amounting to a crime, individuals may receive warnings, administrative detention up to 15 days, fines up to CNY 50,000, or fines between 1 and 5 times the illegal gains (if over CNY 50,000). Those aiding or sheltering espionage activities may face similar penalties. Besides, other non-compliance with the CEL not amounting to espionage would result in warnings, or administrative detention of up to ten days, and may be fined of up to CNY 30,000 for individuals.

iii. Foreign Individuals: Foreign individuals violating the CEL may be ordered to leave China within a set period, with potential entry bans. Failure to exit may lead to deportation.

Companies:

i. Criminal Liability: Companies engaged in criminal espionage acts will be prosecuted accordingly.

ii. Administrative Liability: Companies conducting espionage activities not constituting a crime or supporting espionage actions may receive warnings and fines up to CNY 500,000 or 1 to 5 times the illegal gains (if over CNY 500,000). In addition, based on the severity of violations, the Ministry of State Security may recommend actions such as ceasing related activities, suspending production, revoking licenses, or cancelling registration.

Entities failing to meet counter-espionage security obligations may be ordered to make corrections. If non-compliance persists, regulatory discussions, warnings, or circular reprimands may occur.

Recommendations for Compliance

To ensure compliance with the CEL, enterprises must adopt a strategy that encompasses several key facets, addressing both prohibitive requirements and general compliance measures.

I. Training and employee management

Many instances of intelligence leaks stem from employee negligence within organisations. It’s therefore imperative that enterprises to conduct training programs, particularly targeting key personnel with access to sensitive information. Therefore, we recommend that enterprises conduct trainings on relevant laws including the CEL, the Criminal Code, the State Security Law, the CSL and the DSL, etc., to enhance the awareness of espionage-related risks among employees.

II. Strengthening internal data compliance

National secrets and important data constitute some of the most critical assets for public interests and national security. Our understanding is that enterprises may take the following measures to mitigate non-compliance risks:

i. Data classification system: Creating an internal list by establishing a data classification system that identifies and categorises important data, national core data, and state secrets.

ii. Anti-espionage contingency plans: Developing contingency plans for foreign exchanges and cooperation and outlining specific measures to prevent espionage-related incidents.

iii. Physical security measures: Implementing physical security measures, such as isolation and fortification, for safeguarding sensitive information, locations, and carriers.

iv. Technological safeguards: Using technological safeguards and necessary equipment to enhance counter-espionage efforts in critical departments, network facilities, and information systems. This includes strict code control, comprehensive business penetration testing, permission control, data encryption, and regular audits.

v. Suspicious activity reporting: Ensuring prompt reporting of any suspicious activities related to espionage or threats to national security to the relevant national security authorities.

III. Supervising third parties

Third-party service providers, consultants, and due diligence firms can bring invaluable insight and resources to an organisation. However, it also introduces potential risks related to espionage activities, making thorough oversight of third-party partnerships critical. Our understanding is that companies may pay attention to the following aspects:

i. Conducting background checks: Prior to engagement, performing comprehensive background checks on third-party service providers, consultants, and due diligence firms.

ii. Avoiding suspicious partners: Refraining from collaborating with entities suspected of involvement in domestic or foreign espionage activities, particularly those officially identified as espionage organisations or agents.

iii. Conducting information safeguards: Avoiding sharing or exchanging critical information with partners in high-risk sectors.

iv. Ensuring agreement clarity: Using contracts to clearly define the rights and obligations of all parties involved, especially when dealing with sensitive information. Specifying the nature of the information, obtain legal authorization, and implement stringent confidentiality measures.

IV. Device management

To ensure compliance, we recommend that employees, especially those with access to sensitive information, use designated work devices exclusively during work hours and refrain from transferring any files from these work devices to their personal devices. Additionally, for heightened data security and in alignment with counter-espionage laws, it is recommended that all important files stored on these devices, encompassing state secrets and trade secrets, be encrypted. This proactive approach not only enhances data protection but also reinforces compliance with relevant counter-espionage laws and regulations.

Latest insights

More Insights
green space

A sneak peek into the draft NESRS: What sustainability reporting standards may non-EU parent companies expect?

Dec 24 2024

Read More
Curiosity line blue background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More