Chinese lawmakers approved revisions to the country’s counterespionage law on 23 April 2023, broadening the definition of spying and banning the transfer of any information related to national security interests (which are not defined by the law). The revisions, accompanied by raids on international businesses and new restrictions on access to information for foreign businesses and investors, are a symptom of further deterioration in the relationship between China and the West and have increased risks for foreign firms operating in China.
- The revisions to the law extend the Chinese government’s powers over national security issues, which were already wide-ranging. In conjunction with raids on foreign businesses, these revisions signal a new willingness on the part of the Chinese government to act aggressively against foreign businesses and to restrict the information they can access.
- Chinese authorities have targeted at least three international consulting firms since March 2023—Mintz Group, Bain & Company, and Capvision—accusing them of accessing secret and sensitive data on the country. Access to widely used databases such as Wind, Qichacha, and TianYanCha has been blocked to users outside of mainland China.
- These developments come at a time when access to corporate and financial data is critical for international companies with operations in China as they navigate an increasingly complex set of risks. Restrictions on data and information gathering activities will make it extremely difficult for companies to determine their exposure to forced labor in their supply chain, emerging dual-use technologies, and the Chinese military industrial complex—all of which come under the purview of U.S. sanctions, export controls, and other measures.
- The sanctions landscape is growing more complicated for China with increased scrutiny by the United States and other countries on Chinese trade with Russia, human rights violations, the civil-military technology overlap, and sanctions evasion with respect to other targeted regimes. With the likely development of an “outbound CFIUS” regime and the prospect of Chinese counter-sanctions, the need for accurate information on these points will only become more acute.
- Companies operating in China should review their travel and security protocols for employees, as well as information security policies governing data transfers and what devices are brought in and out of China. They should also review their policies and practices with respect to due diligence, supply chain intelligence, geopolitical risk, national security, and sanctions risk to ensure compliance with legal and regulatory requirements in China, the United States and other Western countries.
Recent Developments: Changes to the Counterespionage Law, Raids on International Firms, and Restrictions on Information Flows
The U.S. Chamber of Commerce has warned that businesses operating in China will face additional scrutiny as the revised counterespionage law widens the range of documents, data, or materials considered relevant to national security. The law refers to “state secrets” but also “intelligence, and other documents, data, materials, or items related to national security.” As “national security” is not defined, it will be difficult to judge what material could potentially fall under the law’s purview.
The revisions to the law coincide with actions targeting international consulting firms. In March 2023, Chinese authorities raided the Beijing office of corporate investigations firm Mintz Group, detaining five of its staff and forcing the firm to close its Beijing office. In April and May, authorities visited the Shanghai office of Bain & Company to question its employees, and conducted coordinated raids on the offices of expert network firm Capvision in Shanghai, Beijing, Suzhou, and Shenzhen. In a program broadcast on the state media platform CCTV, Chinese authorities accused Capvision of obtaining sensitive and secret information through consultations with experts in government policy, national defense, and technology, and warned of a crackdown on the use of consulting firms by foreign groups looking to access sensitive information on the country. This follows earlier instructions to state-owned enterprises to phase out contracts with Big Four accounting firms in February.
In addition to targeting firms engaged in information gathering, the government has also moved to restrict access to previously public data. It was reported on 3 May 2023 that one of the biggest Chinese financial data providers Wind had made part of its data inaccessible for users based outside of mainland China. Two other major Chinese corporate records databases, Qichacha and TianYanCha, have also blocked offshore users from accessing their content.
What It Means: A Sign of Intent and a Warning to the U.S. and Its Partners and Allies
The broad scope of the counterespionage law is not a new phenomenon. There have been many recent laws in China that have been vaguely drafted and have given the government wide-ranging powers over national security issues, including the Cyber Security Law and Foreign NGO Law of 2016; Hong Kong’s National Security Law of 2020; and new measures relating to cyber security introduced in 2022.
The latest revisions form part of a long-term strategy to increase the CCP’s control over the private sector in China, but the physical raids and the restrictions on databases and information access signal a new willingness on the part of Chinese authorities to act aggressively against foreign businesses. According to The Wall Street Journal, they were motivated in part by officials’ alarm at the use of open-source data by U.S. think tanks to analyze China’s military-industrial complex. These actions might also be a warning to U.S. partners and allies to “think twice” before taking a similar policy direction, even as the European Union (E.U.) contemplates sanctions against Chinese companies over the conflict in Ukraine.
Heightened Risks Across the Board for International Firms in China
Companies should immediately address questions of employee safety for those individuals based in China or travelling to the country. A more complex issue is how to evaluate potential new investments or partnerships in China; at a moment when the risks of doing business have increased, access to information to evaluate those risks has substantially decreased.
Information on Chinese companies and individuals is especially critical given U.S. sanctions, export controls, and other measures aimed at restricting Chinese access to emerging technologies and preventing U.S. firms from engaging with the country’s military-industrial complex, or with entities implicated in forced labor and human rights violations in Xinjiang. The sanctions landscape is growing more complicated, with increased scrutiny in the United States and the E.U. on Chinese trade with Russia (particularly as it relates to the conflict with Ukraine), human rights violations, involvement in the fentanyl trade, the civil-military overlap in technology, and sanctions evasion with respect to other targeted regimes. The high probability that the Biden administration will soon legislate to monitor and limit U.S. investment into China through a “reverse CFIUS” process (as detailed in our earlier policy alert of March 29) will only make this more acute, as will the introduction of Chinese countermeasures.
Considerations for Companies Operating in China
The risks facing international companies will differ depending on whether they are already present in China and the nature of their operations there:
- Companies with existing operations in China should review their employee travel and security policies, as well as policies governing what devices are brought into China and what access is available through them to data held and managed in their home countries. They should also consider conducting risk assessments on their operations in light of the new environment and updating their processes for monitoring their supply chains, competitors, and policy developments in China, the United States and other relevant jurisdictions in order to ensure compliance with legal and regulatory requirements.
- Companies evaluating investments in China—investment funds or corporates investing in joint ventures or manufacturing operations—should review processes for conducting due diligence and consider engaging specialist advisors with expertise in geopolitical, national security, and sanctions risks.
- Finally, companies considering divesting or downsizing their China operations should plan the announcement carefully to mitigate any backlash from local and/or state-level authorities in China. If they are selling rather than scaling down their investments, they should consider the profile of prospective buyers and assess any reputational or legal risks in engaging with them.
 Laurie Chen, “China Approves Wide-Ranging Expansion of Counter-Espionage Law,” Reuters, April 27, 2023, https://www.reuters.com/world/asia-pacific/china-passes-revised-counter-espionage-law-state-media-2023-04-26/.
 U.S. Chamber of Commerce, “U.S. Chamber Statement on Concerns Over PRC Investment Climate,” April 28, 2023, https://www.uschamber.com/international/u-s-chamber-statement-on-concerns-over-prc-investment-climate.
 Counter-espionage Law of the P.R.C. (2023 ed.) (chinalawtranslate.com).
 James T. Areddy, “Chinese Authorities Raid Office of U.S. Investigations Firm Mintz Group,” The Wall Street Journal, March 24, 2023, https://www.wsj.com/articles/chinese-authorities-raid-office-of-u-s-investigations-firm-mintz-group-de818140.
 Daisuke Wakabayashi and Keith Bradsher, “U.S. Consulting Firm Is the Latest Target of a Chinese Crackdown,” The New York Times, April 27, 2023, https://www.nytimes.com/2023/04/27/business/bain-china.html.
 “China Raids Multiple Offices of International Consultancy Capvision,” Financial Times, May 8, 2023, https://www.ft.com/content/fc364119-979d-4090-83bf-2e6a24d5b175.
 “China Urges State Firms to Drop Big Four Auditors on Data Risk,” Bloomberg, February 22, 2023, https://www.bloomberg.com/news/articles/2023-02-22/china-urges-state-firms-to-drop-big-four-auditors-on-data-risk?srnd=premium-uk&leadSource=uverify%20wall&sref=Xl91GI8N.
 Xie Yu, Julie Zhu, Summer Zhen, “Chinese Data Provider Tightens Some Information Access for Offshore Users,” Reuters, May 3, 2023, https://www.reuters.com/world/china/chinese-data-provider-tightens-some-information-access-offshore-users-sources-2023-05-03/.
 2016 Cybersecurity Law, China Law Translate, November 7, 2016, https://www.chinalawtranslate.com/en/2016-cybersecurity-law/.
 2016 Foreign NGO Law, China Law Translate, April 28, 2016, https://www.chinalawtranslate.com/en/2016-foreign-ngo-law/.
 National Security Law, Hong Kong e-Legislation, accessed May 5, 2023, https://www.elegislation.gov.hk/fwddoc/hk/a406/eng_translation_(a406)_en.pdf.
 China Issued New Measures for Cybersecurity Review in 2022, White & Case, February 8, 2022, https://www.whitecase.com/insight-alert/china-issued-new-measures-cybersecurity-review-2022.
 Lingling Wei, “U.S. Think Tank Reports Prompted Beijing to Put a Lid on Chinese Data,” The Wall Street Journal, May 7, 2023, https://www.wsj.com/articles/u-s-think-tank-reports-prompted-beijing-to-put-a-lid-on-chinese-data-5f249d5e.
 Laurence Norman, “EU Targets Eight Chinese Companies in Russia Sanctions Push,” The Wall Street Journal, May 8, 2023, https://www.wsj.com/articles/eu-targets-eight-chinese-companies-in-russia-sanctions-push-a5fe6c2e.
 For more information, see K2 Integrity’s March 29, 2023, Policy Alert, “Anticipated Executive Order Likely to Expand Regulations and Limit Investment Abroad.”