Skip to content


Harry Cassin
Publisher and Editor

Andy Spalding
Senior Editor

Jessica Tillipman
Senior Editor

Bill Steinman
Senior Editor

Richard L. Cassin
Editor at Large

Elizabeth K. Spahn
Editor Emeritus

Cody Worthington
Contributing Editor

Julie DiMauro
Contributing Editor

Thomas Fox
Contributing Editor

Marc Alain Bohn
Contributing Editor

Bill Waite
Contributing Editor

Russell A. Stamets
Contributing Editor

Richard Bistrong
Contributing Editor

Eric Carlson
Contributing Editor

It’s the right time to reassess China due diligence and compliance risks

China has been mentioned in more than 60 FCPA corporate enforcement actions, including eight in 2019 alone. So FCPA practitioners have long been wary of potential problems there. And yet, with serious recent developments potentially impacting trade and on-the-ground operations, now is a good time to reassess China compliance risks.

Here are some trends emerging from enforcement actions and legal developments, in both the United States and China, to be aware of:

China-based executives as agents for U.S. parent companies. The 2019 “Jerry Li and Mary Yang” case was groundbreaking. It was the first time Chinese nationals working for subsidiaries of a U.S.-based company (Herbalife) were charged by the DOJ as agents of the issuer parent company, despite having no formal legal ties with it. The defendants were both Chinese citizens who entered into employment contracts only with Herbalife’s wholly-owned Chinese subsidiary and not with Herbalife itself. Such a broadened agency theory could bring numerous Chinese executives working in subsidiaries of U.S.-based firms under FCPA jurisdiction. This case stood in sharp contrast to the 2014 Avon FCPA enforcement action, which had many similar fact patterns, but no individuals were charged. That said, it remains to be seen whether this broad agency theory will survive after Judge Arterton dismissed FCPA charges based on agency against Alstom’s Lawrence Hoskins in February 2020.

Data privacy and cybersecurity risks in FCPA investigations. In addition to the FCPA, there are other PRC legal risks that MNCs should beware of when conducting or outsourcing due diligence investigations. One important area is personal data protection and information privacy. PRC laws and regulations regarding data collection have been rather scattered. Of the most central importance, Article 253 of China’s Amendments to the Criminal Law (enacted in 2015) bans “stealing or illegally obtaining, by any means, personal information.” In the infamous GlaxoSmithKline case, the company-hired private investigator Peter Humphrey and his wife. They were convicted and jailed precisely for “illegally obtaining private information” to prepare the due diligence reports.

When conducting investigations within China, companies should thus pay special attention to the following:

  • Ask employees to identify whether their computers and documents contain personal information
  • Always obtain employees’ consent before collecting their personal information, and
  • Before transmitting documents subject to FCPA investigations outside China, companies should always consider whether the information is protected by PRC Law. For instance, do the documents  constitute trade secrets, state secrets, or bank secrets?

The last point also brings to the attention the 2016 China Cyber Security Law, which is sweeping and comprehensive. It covers “every district, every ministry, every business and other institution,” including foreign companies and Chinese companies alike. That means the information obtained from an MNCs’ VPN intranet, which was previously not scrutinized by the authorities, now also falls within the jurisdiction.

Cross-border data transfer during internal or external FCPA investigations. Despite the wide scope of the Cyber Security Law, its language is vague. There is still insufficient clarity on when and what types of data transfer could pass the security assessment, or what data would first need to be localized within China. Two laws, the Personal Data Protection Law and the Data Security Law, that are now in draft and should come out this year, are supposed to bring some clarity to the requirements for data localization. For now, MNCs operating in China should keep a close eye on the government’s enforcement priorities and proactively communicate with industry regulators.

Implications for international anti-corruption cooperation. Clearly, China’s relations with the West, and in particular the United States, have entered an unstable period, which likely bodes ill for the future of international anti-corruption cooperation. In response to Western pressures and new sanctions, beneficial cooperation between jurisdictions will likely be impeded. Though the DOJ has emphasized its cooperation with traditional allies, and that it will continue to strengthen communications with those jurisdictions, there is little chance that it will cooperate with Chinese counterparts in the near-term. In addition, in response to Western moves, we may soon see more stringent enforcement by authorities in China against MNCs. Thus any company doing business there should take steps to improve overall compliance.

Share this post


Comments are closed for this article!