China amends the Anti-Espionage Law

Definition of "Espionage Activities"

The previous version of Anti-Espionage Law, which was implemented in 2014 and will be abolished as of July 1, 2023, specifies the following five types of "espionage activities":

• activities compromising national security, whether committed by or under the instruction of or funded by an espionage organization or its agent, or committed by a domestic or overseas institution or organization or individual in collusion with the espionage organization or its agent;
• joining an espionage organization or accepting a task assigned by an espionage organization or its agent;
• stealing, spying, purchasing, or illegally providing state secrets or intelligence, or instigating, luring, bribing the state personnel to betray his/her country, whether committed by or under the instruction of or funded by an overseas institution or organization or individual other than an espionage organization and its agent, or committed by a domestic institution or organization or individual in collusion with the overseas institution, organization or individual;
• indicating the attack targets to enemies; and
• other espionage activities

Under the Amended AEL, the definition of "espionage" now covers four new forms of activities, namely:

1. seeking refuge from an espionage organization or its agent;
2. stealing, spying, purchasing, or illegally providing “documents, data, materials and articles concerning the national security and interest”, or coercing state personnel to betray his/her country, whether committed by or under the instruction of or funded by an overseas institution or organization or individual other than an espionage organization and its agent, committed by a domestic institution, organization or individual in collusion with the overseas institution, organization or individual;
3. Activities such as cyber-attacks, intrusions, interferences, controls or destructions against entities such as state organs, state-secret-involved units, and critical information infrastructure, whether committed by or under the instruction of or funded by an espionage organization or its agent, or committed by a domestic or overseas institution, organization or individual in collusion with the espionage organization or its agent; and
4. other espionage activities conducted by the espionage organization or its agent, either within the territory of the PRC, or by taking advantage of the PRC nationals or organizations, or other PRC-related conditions, against a third country.

Specifically, the Amended AEL now covers the espionage activities associated with “all documents, data, materials and articles concerning national security and interests”. As a broad interpretation, both (i) “important data” (unspecified yet) under the Cybersecurity Law and the (ii) “documents, data, materials and articles” involved in and generated from the operations relating to the public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government and national defense science, technology and industry, as well as other important fields that play an important role to national security, economy and the people's livelihood and public interests, by reference to the Cybersecurity Law and the Security Protection Regulations for Critical Information Infrastructure, may fall within this scope under this vague language. It remains to be seen if any implementing rules will be promulgated to provide further clarification on what type of information or data relates to national security and interests.

Should there be any online information or cyberattacks that involve espionage, Article 36 of the Amended AEL empowers national security authority to handle the risk or order the telecommunications business and internet service provider to promptly take rectification measures, including fixing loopholes, consolidating network protection, ceasing transmission, eliminating programs and contents, suspending relevant services, removing relevant applications, and shutting down relevant websites. The powers of the national security department have also been expanded to include the "ordering the suspension of relevant services".

The Ministry of State Security and other relevant enforcement authorities have a wide array of discretionary powers to decide the relevant parameters of espionage activities.

Wider Investigative Powers

The Amended AEL also allows national security authority (i) to require cooperation from private companies in countering espionage, and more importantly, (ii) to adopt the following investigative measures in anti-espionage work:

• Checking of the identification of a Chinese national or foreign individual, and inspection of the personal belongings of an unidentified person who is suspected of espionage;
• Inspection of the electronic equipment, facilities, programs, and tools of a relevant individual or organization;
• Inspection and retrieval of the relevant documents, data, materials, and articles;
• Detaining or freezing the relevant sites, facilities, or assets;
• Summons;
• Body check and inspection of articles/sites in connection with the espionage;
• Obtaining the asset and financial information of a suspect; and
• Restricting relevant individuals from leaving or entering the PRC.

The above measures 5 to 9 have been newly added in the Amended AEL. While we note that these measures have been largely reflected in other pieces of existing PRC legislations, including the administrative and criminal procedure laws, it remains to be seen how the national security authority translates these laws into enforcement and practice.

Organizational Obligations to Counter Espionage

Article 12 of the Amended AEL now imposes organizational obligations on "state organs, people’s organizations, companies and public institutions, and other social organizations to counter espionage". The key obligations include:

• implementing precautionary measures,
• educating their staff members to maintain national security, and
• mobilizing and organizing their staff members to prevent and counter espionage.

The national security authority can order rectification or request interview with the relevant person in-charge, and may impose administrative liabilities including warning or public reprimand on the relevant organization in case of non-compliance above, which would apply to both domestic Chinese entities and foreign-invested entities in China. Coupled with the recent publicized enforcement action, we see increasing possibilities of enforcement actions against multinationals (including their on-site employees and staff) in PRC.

Key Entities for Anti-espionage Security Precaution

China has mandated the sectoral authority to develop a list of key entities for implementing the anti-espionage security precaution works, pursuant to the Provisions on Security Precautions Against Espionage effective April 26, 2021. While the list remains confidential to the public, these key entities will be notified in writing and required to perform specific obligations, including establishing a system for anti-espionage security precaution works, in addition to those imposed on general state organs, people’s organizations, companies and public institutions, and other social organizations.

The Amended AEL restated that heightened rules would apply to "key entities for anti-espionage security precaution". Under the Amended AEL, a key entity for anti-espionage security precaution shall:

• establish anti-espionage security precaution work rules, fulfill anti-espionage security precaution work requirements, and specify the anti-espionage security precaution duties of its internal functional departments and personnel;
• strengthen the education and management of anti-espionage security precaution for its employees;
• strengthen the routine management of the security protection of matters, sites, and carriers, among others, involving confidential information, and take anti-espionage physical precaution measures; and
• according to the requirements and standards for anti-espionage technical specification, take corresponding technical measures and other necessary measures, and strengthen anti-espionage technical protection against critical departments and parts, network facilities, and information systems.

Next Step

How Does a Foreign-invested Enterprise Address the Amended AEL?

PRC national security authority is expected to take a more proactive approach to counter espionage activities in China and enhance its anti-espionage enforcement actions among key sectors. While we see no intentions by PRC authorities, through the Amended AEL, to sabotage the business environment or target the ordinary commercial business and operations that foreign invested companies are conducting in China when such business activities do not possess the intention to endanger China’s national security, foreign invested companies should devote particular attention to the following considerations:

• Be mindful of the inbound data flows, directly or indirectly, from the Chinese counterparties specialized in sensitive sectors in China, and asses if any “documents, data, materials and articles concerning national security and interests” will be involved therein that may create any risk exposures under the Amended AEL.  
• Understand the nature of the prospective business engagement and due diligence requests with your business partners. If any business engagement would require your company to approach individuals serving in at government agencies or important industries and fields (e.g., defense companies) or to provide information related to classified state secrets, trade secrets, defense information, critical infrastructure operation etc., please conduct a robust risk assessment and due diligence to understand the business intention before accepting the business engagement.
• Implement internal anti-espionage/national security compliance procedure in accordance with the Amended AEL, such as reviewing and updating the data processing and cybersecurity policies, organizing compliance training for local management and staff, developing an emergency response plan and setting up a dedicated team for the anti-espionage/national security investigation and dawn raids, closely monitoring the cross-border business dealings and the data transfer involved, as well as the international travel of local staffs, etc.

Hogan Lovells has been closely monitoring this government regulatory development and national security enforcement actions. Please reach out to any of the listed Hogan Lovells contacts should you have specific scenario and questions to analyze.

Authored by Beth Peters and Ben Kostrzewa.