In April 2023, China's parliament passed a wide-ranging update to the country's counter-espionage law. The revisions to the law, which was originally enacted in 2014, will come into effect on July 1, 2023. They significantly broaden the scope of what constitutes espionage and give the government comprehensive new powers to investigate and prosecute suspected spies.
The amendments extend a growing body of national security-related legislation introduced during Xi Jinping’s mandate. This includes the 2014 Counter-Espionage Law, the 2015 National Security Law, the 2016 Cybersecurity Law, and the 2021 Data Security Law. Over the past decade, a number of foreign citizens, including Canadian, US, and Japanese nationals, were detained under the provisions of this legislative package, along with a score of foreign companies targeted for suspected espionage activities. In the most recent examples, the authorities arrested five Chinese employees of the US corporate diligence firm Mintz Group and closed the company’s Beijing branch in March. In April, the US management consulting firm Bain & Company acknowledged that the police inspected their Shanghai office and seized electronic devices.
Primary Changes to China’s Counter-Espionage Law
The legislation has alarmed foreign governments and businesses, who are concerned that the new regulation might create additional legal perils for foreign companies, journalists, and academic institutions operating in China or working with Chinese entities. The most significant changes to the law include the broadened definition of espionage, which can now involve the collection, storage, or transfer of any information deemed to be relevant to national security interests, including “documents, data materials, or items.” The definition was previously limited exclusively to classified information and state secrets.
In addition, the government has been given new powers to investigate and prosecute suspected spies, such as the ability to inspect homes and businesses, detain suspects, compel them to provide information, and inspect their digital devices.
Concerns About China’s New Counter-Espionage Legislation
The legislation lacks clarity around what types of activities can be considered espionage. This could encompass a wide range of information, such as trade or military secrets, but also general business intelligence or web scraping. In that sense, exposure to any data that has not been approved by government-licensed media or has been removed from public circulation may qualify as espionage. As some Western sources warned, the expanded definition of espionage could also be used by the Chinese authorities to justify gathering sensitive data, such as trade secrets from foreign companies, under the pretense of conducting counter-espionage activities.
Vaguely defined procedures and oversight give the Chinese national security authorities extensive, and largely unchecked, powers to charge and detain individuals and disrupt the business operations of entities suspected of espionage. In May, US ambassador Nicholas Burns warned that the law “potentially could make illegal in China the mundane activities that a business would have to do,” including general business intelligence activities.
In such circumstances, the new amendments might lead to an increase in the number of espionage-related detentions of foreign and Chinese nationals employed by foreign companies, as well as considerably limit the ability of foreign businesses to operate in China. Some of the activities that might qualify as espionage include market research, facilitating recruitment, trade secret leakage, employing former government officials, and data sharing between Chinese and foreign companies in joint domestic or cross-border projects, such as the transfer of technology or information sharing.
What Organizations Can Do to Protect Themselves
In today’s digitalized economy, the online exchange and collection of information represent an essential part of everyday business activity. In such an environment, foreign individuals and companies can quickly become exposed to legal challenges arising from new legislation. Foreign nationals who work in or travel to China, and foreign companies that operate in China, should therefore take proactive steps to enhance their cybersecurity posture, including:
Developing a robust compliance, crisis, and incident management program to make business operations less exposed to general cybersecurity threats in China and to more specific national security-related legislative provisions. This may involve awareness training about cybersecurity threats when operating in China; tabletop exercises to simulate cybersecurity incidents, the detention of employees, or raids of companies’ premises; and legal advice related to the collection, sharing, or storage of data that might fall under the remit of the national-security legislation.
Developing a package of cybersecurity recommendations for travelers visiting China, with details around the provisioning and use of personal electronic devices, applications, and cloud services, as well as advice on the use of the internet in China. It is worth keeping in mind that the Chinese internet space is heavily monitored by the authorities. Users should be careful not to discuss politically sensitive topics or share unprotected sensitive information, noting that Chinese digital providers have a legal responsibility to censor and assist the authorities in their surveillance efforts.
Author(s)
Ante Batovic
Senior Consultant
Ante is a member of the Cyber Security team and is a certified ISO 27001 Lead Implementer (CIL) with the International Cyber Security Institute (ICSI).
He supports clients on both pre cyber incident...