Insight,

Amendments to PRC Counterespionage Law And Matters for Attention

18 May 2023

Our People
CN | EN
Current site :    CN   |   EN
Australia
EN |
China
JP | ZH | EN |
China Hong Kong SAR
ZH | EN |
Japan
JP | ZH | EN |
Singapore
ZH | EN |
United States
EN |
Global
ZH | EN |

Tag:dispute resolution and litigation-criminal investigation and defense

On April 26th, 2023, the amended Counterespionage Law of the People’s Republic of China (the “Counterespionage Law”) was officially promulgated and will come into effect on July 1st. The newly amended law has attracted wide attention both in the legal practice field and among enterprises. Meanwhile, the recent media coverage has disclosed a series of law enforcement by the Chinese government and called out certain consulting firms for “being lack of consciousness on the national security” and “frequently walking on the edge of law”, arousing widespread concern and discussions. What changes have been made to the Counterespionage Law? What kinds of business activities of foreign investors in China need to be carried out with an eye on the new law? Has the investigating and consulting industry shut its door to foreign investors?

I. Highlights of the Amendments

The predecessor of the Counterespionage Law is the National Security Law enacted in 1993. The Counterespionage Law implemented in 2014 is a special law that regulates and safeguards counterespionage activities, and it is an important component of China’s national security legal regime. Since its implementation in 2014, the legal enforcement actions of national security authorities have effectively safeguarded China’s national security and interests. However, non-traditional espionage activities have proliferated over times, such as attacking cybersecurity vulnerabilities of critical information infrastructure (“CII”) and illegal collection of data in relation to national security, etc. Therefore, it is urgent to amend the Counterespionage Law to adapt to the need of counterespionage activities in the new era.

The following amendments of the Counterespionage Law are worth of attention:

1. Expanding the definition of “espionage activities”

Below are definitions of “espionage activities” as provided by the Counterespionage Law (2014) and the newly amended version: 

Specifically:

 (1) “Defecting to an espionage organization or its agent” is clearly defined as an act of espionage. Literally, “defecting to” refers to seeking shelter in, being attached to, and relying on. According to the few cases available to the public, the act of “defecting to” generally refers to contacting and establishing a relationship with an espionage organization or its agent.

 (2) Cyberattack is included as a means of espionage. When the Counterespionage Law (2014) was first enacted, the majority of espionage activities were still offline activities occurred in a real physical space, such as stealing and/or spying state secrets and intelligence on the spot. With the development of the network technology, a new kind of espionage crime appears – cyber espionage, which refers to using internet information technology to invade the target computer system to obtain intelligence or to destroy the target country’s CII, etc. In September 2022, the U.S. National Security Agency launched cyberattack against Northwestern Polytechnical University, one of the so-called “Seven Sons of National Defense”. To better regulate cyber espionage activities in the new era, and to strengthen the protection of internet information and electronic data, the newly amended Counterespionage Law explicitly includes “activities, such as cyberattack, intrusion, interference, control or destruction, against a State organ, secret-involved entity or critical information infrastructure and others” in the definition of espionage activities.

 (3) “Other documents, data, materials or articles relating to national security or interests” are covered within the protection scope of the Counterespionage Law, the same as “state secrets” and “intelligence. From the perspective of legislative intent, some documents and data may not be qualified as state secrets or intelligence in the strict sense, but they do relate to the national security and interests, and therefore, they deserve the protection under national security laws. From the perspective of legislative techniques, it is obviously unrealistic to require laws to list all the relevant documents. Accordingly, the abovementioned newly-added contents adopt a catch-all expression in order to adapt to the forward-looking needs of regulating similar behaviors to deal with new issues and situations that are constantly emerging.

 (4) New provision regarding espionage activities against a third country is added to the Counterespionage Law. In light of the increasingly close exchanges among countries in the global stage, the new law also specifically includes espionage activities against a third country that also endangers China’s national security into its scope of regulation.

2. Adopting additional investigation and handling measures regarding counterespionage work, and tightening the approval procedures for the law enforcement power

According to the Chapter II of the Counterespionage Law (2014), national securities authorities, in the course of conducting counterespionage work, may perform the functions and execute the power of investigation, detention, subpoena and execution of arrest, etc. To enhance the strength of counterespionage work, the newly amended Counterespionage Law improves the measures for counterespionage investigation by expanding administrative enforcement function and power to include retrieving electronic data, summoning relevant person, inquiring property information, etc.

In their first chapter “General Provisions”, both of the Counterespionage Law (2014) and the newly amended version emphasize that the counterespionage work shall be legally conducted, during which human rights shall be respected and protected, and the lawful rights and interests of individuals and organizations shall be protected. Nonetheless, the 2014 version lacks details in terms of law enforcement procedures. For example, it provides that consulting or obtaining relevant files, materials and items should be conducted “as approved in accordance with the relevant provisions of the state”, which is quite vague. The new Counterespionage Law tightens the approval procedures, clarifying the approval authority and procedure for each of the law enforcement function and power. As an illustration, consulting or accessing relevant files, materials and items shall be conducted “upon the approval of the person in charge of the national security authority at or above the level of a districted city”. It also addresses the limit of the scope of law enforcement, requiring “the consultation or accessing shall not exceed the scope and limit as required for the execution of the counterespionage task.”

3. Enhancing the cooperation and coordination among regulatory authorities, and underlining the cohesion between administrative and criminal law enforcement

With respect to the emergence of cyber espionage activities, the new Counterespionage Law adds notification and handling procedures for national security authorities when they discover any network information content involving espionage or any risk such as cyber-attack. The new law demands national security authorities to promptly notify relevant authorities, who are responsible to take corresponding measures against corresponding telecommunication business operators and Internet service providers.

Meanwhile, the new Counterespionage Law enhances the cooperation and coordination between national security authorities and relevant authorities regulating border exit and entry. According to its provisions, national security authorities may decide to prohibit certain Chinese citizen(s) or a person suspected of espionage from leaving China within a certain period, or certain overseas individual(s) from entering China. The immigration administration will cooperate and impose restrictive measures for exit and/or entry.

The new law particularly stresses that if, upon investigation, national security authorities find that an espionage activity is suspected of a crime, they shall file a case for criminal investigation in accordance with the Criminal Procedure Law of China. Such provision fits in with the working mechanism of connecting administrative law enforcement and criminal justice which China has focused on in recent years. It emphasizes that administrative law enforcement authorities shall not replace criminal punishment with administrative punishment. A criminal case shall be filed and criminal liability shall be investigated for a person who is suspected of the crime of espionage or the crime of stealing, spying, buying or illegally providing State secrets or intelligence for overseas parties.

4. Increasing the categories of administrative penalties, and enlarging their applicable scope   

Besides the administrative detention stipulated in the Counterespionage Law (2014), the new law increases the categories of penalties to include fines, regulatory talks, circulation of notice of criticism, temporary suspension or revocation of licenses, etc. It also expands the applicable circumstances of administrative penalties, providing that any individual or entity that conducts espionage activities, which does not constitute a crime, may be imposed a fine based on the amount of illegal income derived therefrom. In addition, for any failure to perform the counterespionage security precaution obligation, the national security authorities may order rectification, and hold regulatory talks with the relevant person-in-charge if the relevant party fails to make rectification as required, and may give a warning or circulate a notice of criticism if such failure has harmful consequences or adverse effects.

In particular, the competent authorities may impose penalties on parties who refuse to cooperate with the national security authorities in data collection in accordance with the relevant provisions of the Data Security Law. Article 48 of the Data Security Law provides, “Whoever, in violation of Article 35 hereof, refuses to cooperate in the data collection will be ordered by the relevant competent authority to make rectifications and given a warning, and may be concurrently fined not less than RMB 50,000 but not more than RMB 500,000, and the person directly in charge and other directly liable persons will be fined not less than RMB 10,000 but not more than RMB 100,000.”

5. Inserting a chapter specially on security precaution, and devoting more efforts in carrying out counterespionage publicity and education

Where there is precaution, there is no danger. With the severe challenge brought by even more complex subjects, extensive fields, diverse targets and covert methods of espionage activities than ever before, the Chinese government believes that it is urgent to engage the whole people in counterespionage work. The newly amended Counterespionage Law inserts a special chapter (Chapter II) focusing on security precaution. It stipulates the duties of State organs, people’s organizations, enterprises, public institutions and other social organizations to carry out security precautions work. At the same time, the new law establishes a management system for key entities for counterespionage security precautions, and it requires such entities to strengthen their security precaution management of classified information, and to adopt both physical and technical precautions to safeguard their critical information.

Although the 2014 version of the Counterespionage Law does not contain specific provisions on security precautions, on the basis of the National Security Law, the Counterespionage Law (2014), the Implementing Rules for the Implementation of the Counterespionage Law and other relevant laws and regulations, the Ministry of State Security has promulgated the Provisions on Counterespionage Security Precautions in 2021, which specifies counterespionage security precaution obligations, guidance and inspection of carrying out counterespionage security precaution work and legal liabilities for failure to perform relevant duties and obligations. The amendment of the Counterespionage Law in 2023 elevates counterespionage security precaution work from the level of departmental regulation to national law, fully reflecting the importance attached to it by the State.

II. Questions Raised and Matters Enterprises Should Be Aware of in Operation

1. Is the Counterespionage Law’s scope of protection too vague, resulting in unpredictable risks to foreign investors and foreign individuals?

Some people believe that the newly amended Counterespionage Law, by expanding the scope of protected objects from state secrets and intelligence to include “other documents, data, materials or articles relating to national security or interests”, is too broad and may result in unpredictable risks to the normal business activities of foreign invested enterprises in China as well as to foreign individuals traveling to China for business or personal purposes.

First of all, not compromising China’s national security is a general principle that every foreign enterprise and individual in China should obey, rather than a special provision under the Counterespionage Law or other national security laws. In fact, prior to the Counterespionage Law’s addition of the abovementioned new provision, laws and regulations such as the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law and the Security Protection Regulations for Critical Information Infrastructure have already clarified the scope, collection, storage, use, processing, transmission, provision and public disclosure of important data.

Therefore, in our view, the newly amended Counterespionage Law does not set any unprecedented regulatory requirement. Foreign investors and individuals need not to worry about material risks of violating the Counterespionage Law as long as the laws and regulations of China with respect of investment and operation, industry access, data protection, exit and entry administration and other regulatory rules are strictly followed.

2. Can foreign invested consulting firms continue to operate in China?

It is certain that China currently does not prohibit foreign investors from engaging in the consulting business. Hence, foreign invested consulting firms can continue to operate in China.

However, foreign invested consulting firms must tighten their compliance control in the future. According to our experience accumulated through handling data security cases and information revealed by the China Daily’s article named “Official Disclosure! This Firm Has Become an Accomplice of an Overseas Intelligence Agency”, the risks of data security must be especially alerted if a target of consulting and investigation falls within important industries or fields (such as national defense and military, finance and currency, high-tech, energy and recourse, medicine and health, etc.). If consultation with “experts” is included as an investigative approach, it is necessary to strengthen the screening for the legality of the source of experts’ information.

The People’s Daily has also made its point, “The State supports the development and growth of the consulting industry, and encourages it to engage in the international business. It is hoped that consulting firms will seriously fulfill their review and approval obligation in carrying out their business; that experts and scholars will earnestly fulfill their security and confidentiality obligation in accepting consultations; and that relevant entities will strengthen the supervision and management of their personnel taking in consultation requests, so as to jointly safeguard the national security and development interests of China, and ensure a new development pattern with a new security pattern. ”

3. Does that mean domestic enterprises in important industries and fields are no longer available for foreign investment?

Speaking of “important industries and fields”, we refer to the Measures for the Security Review of Foreign Investment[1], according to which foreign investments (or acquisition of control) in the following industries and fields require prior review in consideration of their importance attached by the State:

(1) Military industry, military industrial supporting and other fields relating to the security of national defense, and investments in areas surrounding military facilities and military industry facilities;

 (2) Important agricultural products, important energy and resources, important equipment manufacturing, important infrastructure, important transport services, important cultural products and services, important information technology and internet products and services, important financial services, key technologies relating to national security.

Furthermore, the Security Protection Regulations for Critical Information Infrastructure[2] also identifies important industries and fields shall at least include public telecommunications and information services, energy, transportation, water conservancy, finance, public services, e-government, science, technology and industry of national defense, etc.

In spite of the broad scope of the aforementioned industries and fields, China does not completely bar investment made by foreign invested enterprises to the enterprises in those industries and fields (unless such investment involves industries or matters explicitly prohibited by China’s “Foreign Investment Negative List”, which is not included for the simplicity of this article). Under the Counterespionage Law, we believe, it is significant that foreign invested enterprises and their agencies must collect relevant data legally upon the consent of the target of investment (instead of obtaining data or information illegally through third-party investigation or other methods), and follow the relevant laws and regulations on data export. Otherwise, they will run the risk of committing espionage acts of “stealing, spying, buying or illegally providing state secrets, intelligence or other documents, data, information or articles relating to national security and interests”. In addition, to protect the investors, foreign invested enterprises should require their targets of investment to make some basic warranties, such as none of the data or documents provided by the target contains any state secrets or other confidential information that shall not be disclosed in accordance with laws and regulations, and all personal information involved has acquired corresponding subjects’ prior consent, etc.

Accordingly, as long as foreign investment access restrictions and relevant provisions on foreign investment security review are not violated, and the data processing is legally conducted in accordance with above principles, there exists no issue regarding the legality of foreign enterprises' investment in domestic enterprises operating in important industries and fields, and there is no material risk of violation of the Counterespionage Law.

4. Matters foreign invested enterprises should be aware of

Based on the recent law enforcement actions and our practical experience, we believe foreign invested enterprises should pay particular attention to the following aspects in their daily operation or investment activities:

 (1) As data is frequently mentioned and emphasized in the Counterespionage Law,   foreign invested enterprises should act prudently in handling data-related matters, ensuring the legality of the data collection, storage, use, processing, transmission, provision, export and other relevant activities. Enterprises may take measures such as:

a. Staying alert to the industry of the data provider as well as the data it processes;

b. Making sure any data collection is subject to the knowledge and prior written consent of the person(s) entitled to such data;

c. Not collecting data from any third party unless legal authorization from the person(s) entitled to such data has been obtained;

d. In principle, storing all data collected within the territory of China; if certain data needs to be transferred overseas, security assessment procedures shall be strictly followed in accordance with the requirements under Security Assessment Measures for Outbound Data Transfers and other relevant laws and regulations;

e. Not sharing data with any third party (regardless of domestic or overseas) unless legal authorization from the person(s) entitled to such data has been obtained;

f. Duly performing the obligations of data security protection such as cybersecurity grade assessment and filings.

 (2) Including compliance terms in contracts with customers, suppliers and other relevant parties, and requiring such parties to represent that all the data or materials provided by them do not contain any state secret or any information that is likely to relate to the national security and interests or shall not be disclosed for any other reason.

 (3) Duly complying with provisions regarding security precaution obligations under the Counterespionage Law, especially for enterprises engaging in sensitive industries (consulting, due diligence investigation, energy, power, finance, etc.); establishing a compliance scheme that covers counterespionage contents; and conducting regular trainings on counterespionage and relevant national security laws, enhancing employees’ awareness of counterespionage security precautions.

 (4) Actively cooperating with national security authorities or other competent authorities when they carry out counterespionage work in accordance with law, and voluntarily report individuals or enterprises that are suspected of espionage activities.

Scan the QR code to subscribe to "King & Wood Mallesons" for more information

Article 4 of the Measures for the Security Review of Foreign Investments provides, “For foreign investments within the following scope, foreign investors or the relevant parties in China (hereinafter referred to collectively as the "parties concerned") shall take the initiative to declare to the office of the working mechanism prior to implementation of the investments:

(1)    investments in military industry, military industrial supporting and other fields relating to the security of national defense, and investments in areas surrounding military facilities and military industry facilities; and

(2)    investments in important agricultural products, important energy and resources, important equipment manufacturing, important infrastructure, important transport services, important cultural products and services, important information technology and Internet products and services, important financial services, key technologies and other important fields relating to national security, and obtaining the actual controlling stake in the investee enterprise…”

Article 2 of the Security Protection Regulations for Critical Information Infrastructure provides, “For the purpose of these Regulations, critical information infrastructure refer to the important network facilities and information systems in important industries and fields such as public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government and national defense science, technology and industry, as well as other important network facilities and information systems which, in case of destruction, loss of function or leak of data, may result in serious damage to national security, the national economy and the people's livelihood and public interests.”
Categories

Reference

  • [1]

    Article 4 of the Measures for the Security Review of Foreign Investments provides, “For foreign investments within the following scope, foreign investors or the relevant parties in China (hereinafter referred to collectively as the "parties concerned") shall take the initiative to declare to the office of the working mechanism prior to implementation of the investments:

    (1)    investments in military industry, military industrial supporting and other fields relating to the security of national defense, and investments in areas surrounding military facilities and military industry facilities; and

    (2)    investments in important agricultural products, important energy and resources, important equipment manufacturing, important infrastructure, important transport services, important cultural products and services, important information technology and Internet products and services, important financial services, key technologies and other important fields relating to national security, and obtaining the actual controlling stake in the investee enterprise…”

  • [2]

    Article 2 of the Security Protection Regulations for Critical Information Infrastructure provides, “For the purpose of these Regulations, critical information infrastructure refer to the important network facilities and information systems in important industries and fields such as public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government and national defense science, technology and industry, as well as other important network facilities and information systems which, in case of destruction, loss of function or leak of data, may result in serious damage to national security, the national economy and the people's livelihood and public interests.”

MEET THE AUTHORS

LATEST THINKING
Insight
FAQs regarding China Technology Import and Export Control
In today’s AI-driven era, advanced semiconductors have become central to both commercial innovation and national security. U.S. export control laws have been rapidly expanding its influential scope and even extending to the jurisdictions of U.S. allied countries. These developments have drawn intense attention from industry and policymakers alike, who view U.S. controls as the benchmark for global technology governance. What is less well known, however, is that China has maintained its own legal regime governing cross-border technology trade dates back decades. It only rarely affected mainstream commercial transactions until recent geopolitical and supply-chain pressures brought them into the spotlight. Against this evolving backdrop, technology import and export controls have reemerged as a mainstream compliance priority. This article therefore offers an overview of China’s technology import/export statutes and practical guidance on compliance, equipping international stakeholders with the tips they need to navigate both sets of rules.corporate mergers and acquisitions-export control and sanctions,intellectual property,telecommunications media entertainment and technology-technology

15 May 2025

Insight
Data Breach Notification System and Compliance Essentials
Data misuse and data breaches are the two core risks of data security. Data misuse can be prevented through strict legal regulations that ensure standardized data processing. compliance and regulatory-cybersecurity and data compliance,telecommunications media entertainment and technology-data protection and privacy

28 April 2025

Insight
Chinese Court Found AI-Generated Pictures Not Copyrightable — Convergence with the U.S. Standard?
On March 19, 2025, the Chinese Zhangjiagang Court ruled in a recent AIGC copyright infringement case Feng v. Dongshan Company that, the plaintiff's AI-generated pictures lacked enough original authorship to be copyrightable and that the prompts were not copyrightable either.[1] Unlike the previous AIGC copyrightability cases where the local Chinese courts recognized the original authorship in the AI-generated work, this is the first Chinese case under which AI-generated pictures were denied copyright protection.intellectual property-trademarks and copyright,digital economy,artificial intelligence

25 April 2025

EXPLORE LATEST THINKING
OUR PEOPLE
LOCATIONS
MEDIA CENTRE
CAREERS
ABOUT US
CROSS-JURISDICTIONAL PRACTICE OFFICE
Explore Our Expertise
Explore insights
Explore Our Insights

Advertising and Targeting Cookies