Cross-border investigations focusing on witnesses and data residing in China are being complicated by an array of legal and regulatory developments. Tougher data protection and privacy laws and the hardening of national security concerns between the US and China are just the start.
For example, under China’s newly adopted Data Security Law, imposes a requirement that when companies receive a request from an overseas enforcement agency (such as the DOJ or SEC) to transfer data outside of China, they must first obtain the approval of the Chinese government. This law joins a collection of other PRC laws and regulations that are powerful drivers affecting the complexity of US-China cross-border investigations.
Below are some key steps and challenges to help guide in-house legal teams as they work with experienced counsel in developing an effective US-China cross-border investigation work plan.
- Carefully preserve evidence. When the team issues the legal hold and begins collecting information and data, effective and timely communication to all stakeholders is key to avoiding interference from employees who may react out of malicious intent, misunderstanding or fear. Evidence must be collected and preserved with chain of custody intact, in conformity with applicable laws and consistent with company policies and procedures. On-the-ground support and experienced bilingual resources are key to ensuring preservation and collection is handled appropriately. At the same time, an acute understanding of the company’s global IT infrastructure, particularly as it pertains to the retention and backup of emails and server data that may reside outside of China, would round out an effective onshore/offshore strategy of efficiently collecting relevant data and developing an appropriate review plan.
- Be strategic about data collection. As data is compiled, evidentiary requirements and challenges must be considered. The investigation may spur legal or regulatory action in the US, China, or both, so counsel must think about the types and form of evidence that will be admissible in each jurisdiction. For example, evidentiary requirements are much different in China than they are in the US, with China relying heavily on notarized documentary evidence rather than testimony and expert opinion. Early on, the team should address the different types of evidence they will need to mount and support a viable case in multiple jurisdictions.
- Understand the scope of privilege. The concept of legal professional privilege – and attorney work-product protection – does not exist under Chinese law. Special care should be taken to ensure proper privilege protection throughout the course of an investigation. This includes carefully considering how and to whom communications are made, who is instructing the investigation team, where the team members are geographically located, and which individuals within the company are being apprised of the investigation. Precautions to maintain privilege should be communicated promptly and clearly to the entire team and stakeholders. It is important to note that, even with appropriate precautions, unwanted forced disclosures and governmental orders to require disclosure could potentially destroy privilege and/or complicate the investigation.
- Leverage advanced data insights. The advent of social media and the penetration into everyday life of apps and connected devices has created a plethora of potential data points that have been a boon to investigations. When investigators know where to look, they can access a wealth of information, which may provide the team with a relationship map that highlights possible connections between employees, companies, shareholders, etc. With these insights, legal teams can analyze potential conflicts of interest, motives, transfer of funds, government official touchpoints, and other data points in support of their fact-finding.
- Address cross-border data transfer risk. Because Chinese data transfer and state secrets laws are becoming increasingly strict, it is often best to keep any data in China throughout the investigation and establish protections so it cannot be accessed by unauthorized parties. If data is to be transferred outside of the country, organizations must consider whether the transfer is compliant with applicable Chinese laws, which may in certain cases require a review of documents before they are sent to the US.
In the aftermath of an investigation, a company may have the opportunity to strengthen its anti-bribery and anti-corruption compliance program. Routine audits and effective reporting are vital so that issues are promptly addressed. Business teams should be trained on the company’s boundaries – and provided with practical local examples – about what is considered appropriate (and inappropriate) and know when and how to escalate if they have concerns.
Find out more by contacting Jason Chang or your regular DLA Piper attorney.
 The PRC Data Security Law was adopted and promulgated on June 10, 2021. It will take effect on September 1, 2021.