China 2023: heightened risk, mixed messages and varied responses – part 3

This is the last in a three-part series discussing multinational companies working effectively in China given the significant geopolitical tensions, the People’s Republic of China’s heightened scrutiny and government actions surrounding “sensitive data” – and what this means for Third Bridge, its clients and specialists.

By Paul Caulfield, Chief Legal Officer, Third Bridge

View part one and two here and here respectively.

Art and science

“Regulation by enforcement” is a criticised behavior by supervisory agencies that compliance and risk management practitioners find difficult to operate under when the rules are general, vague or unclear. A similar occurrence is unfolding in China, albeit with much higher stakes.    

Managing risk requires active engagement and, at times, interpretation. The following, while not exhaustive, offers examples of information that companies should largely treat as prohibited. 

  • Unpublished government data such as “breakthroughs”, advancements in China-led technology (AI), healthcare (genetic research) or energy
  • Internal government reports not publicly disseminated
  • Law enforcement or judicial affairs data
  • Export controls data, including details about materials or items targeted
  • Non-public manufacturing or production techniques
  • Data involving a scientific or technological achievement, particularly if it has a direct impact or connection to national security or economic competitiveness in areas such as cryptography, biology, electronic information and AI
  • Public health and safety data, including related geographic information system data or genetic resources
  • Financial transaction data that may affect or is related to financial stability

Of course, a full set of circumstances may challenge or alter this list, but in such instances relying on a skilled legal or compliance professional may be warranted.  

Controls in action

Notwithstanding the foregoing, requirements around privacy and information security are an additional way firms should be demonstrating adherence to controls around China data. This includes well understood controls that data protection officers and chief information security officers are putting in place for information when it is used, transferred and stored – especially when cross-border. China’s Personal Information Protection Law, which came into effect in late 2021, is one such recent measure. 

Having a China Important Data Programme is not new, to be clear, although it has received renewed importance. It should point to all of the controls being implemented around personal information protection and cybersecurity. It should also be fairly prescriptive as to what information will be off-limits. 

Looking at it globally, these are controls being similarly called for when one considers the EU’s General Data Protection Regulation and cybersecurity standards found in the National Institute of Standards and Technology. 

Conclusion: this is difficult

National security expert, Matthew Pottinger, stated in a recent Financial Times interview that, “[u]nderstanding the Chinese leadership involves holding ‘several very different ideas in mind at the same time.’” 1 perspective and the difficulties faced lend themselves to two headlines published within 48 hours of one another last month:

“China looks to relax cross border data security controls”, from the Financial Times

“China blocks executive at U.S. firm Kroll from leaving the Mainland”, from The Wall Street Journal

Third Bridge’s path forward has been a cautious one, mindful of dichotomies and nuance, but appreciative that an opportunity to still work in China exists. Our work will continue in earnest as we monitor and interpret the law, learn from ongoing government actions, speak with clients and assess our ongoing risk appetite. Throughout this process, we are making efforts to tangibly demonstrate both our controls and adherence to our policies. We believe the process is working. 

Keeping compliance at the heart of everything Third Bridge does remains our guiding principle and a key differentiator in the incredibly competitive and fast-paced market in which we operate. This requires us to remain committed to continuously improving our robust framework. 

We hope our efforts reassure you, our employees, clients and specialists, that our mission is to operate transparently and safely no matter our location.

The information used in compiling this document has been obtained by Third Bridge from experts participating in Forum Interviews. Third Bridge does not warrant the accuracy of the information and has not independently verified it. It should not be regarded as a trade recommendation or form the basis of any investment decision.

For any enquiries, please contact