This year’s historic stock market rise and crash was only the most visible sign of overall economic turmoil in China. Other key indicators include China’s lowest annual growth rate in decades, concerns about stagnating real estate prices and the first ever bond default by a state- owned enterprise. As a by-product of these significant and rapid economic changes, China’s already high instances of bribery, embezzlement, kickback schemes, insider trading, theft of trade secrets and other white collar crimes may see a further rise as dramatic and swift as that of stock prices this spring.
China’s current compliance challenges are a continuous source of concern for multi-national companies operating in China. The government’s most recent campaign against corruption has made progress in this area, but in the near future these issues will remain a high priority for compliance professionals. Identifying and remedying these violations can be expensive and disruptive and often leads to the dissatisfying result of inconclusive evidence ending in a negotiated (and usually paid) resignation for suspected employees.
The rise of digital due diligence, and new data compliance techniques, offer a powerful new tool to complement and strengthen traditional methods for legal and compliance departments to close the gap and obtain more effective results.
CHALLENGES OF DIGITAL DUE DILIGENCE IN CHINA
The development of e-discovery has had the unanticipated ancillary benefit of creating a robust and powerful set of tools for quickly finding evidence of compliance violations. Just as litigants must quickly sort through millions of e-mails to identify and produce responsive documents while retaining privileged materials, modern investigators must undertake a similar digital needle in the haystack exercise to quickly identify key pieces of electronic evidence.
Digital due diligence is the combination of traditional computer forensic methods and the application of e-discovery tools in order to identify, collect, review, and analyse data to verify potential misconduct. Electronic evidence has the significant advantages of being detailed, objective, and contemporaneously recorded and fixed in a medium without loss over extended periods of time. Unfortunately, it also has the distinct disadvantage of often being grouped together with billions or trillions of other pieces of data that have similar characteristics and traits but are not relevant to the case.
In China, digital due diligence has emerged from the services grey market of “consultants” and underground investigators to become a legitimate legal practice that can provide crucial insights and value for companies facing a compliance crisis or attempting to determine legal risk levels in other areas. In particular, law firms with local licenses have developed this solution into a mature, professional and effective service that no longer holds the risks and clouds of illicitness found with the grey market of investigators.
CHALLENGES OF DIGITAL DUE DILIGENCE IN CHINA
China’s infamous “Great Firewall” prevents some information from coming into China, but what is less well known is that the legal system also prevents certain categories of information from leaving China. Most famously, “state secrets” are prevented from being transferred outside China, but an assortment of minor laws also protect some forms of health information, accounting records, certain types of archives and a variety of other information from leaving the borders. The result is that it is not possible to follow the usual e-discovery default of moving data to large off-site data centres in India, the United States, or even Hong Kong.
Although outside China the country has a reputation for being the world’s factory and having challenging working conditions, those who spend time in the country quickly become aware of how favourable its laws are towards employees. Both in the letter of the law and through enforcement efforts, there are strong protections of employees’ job security, limits on working hours and other general rights, including privacy, which can create an issue when conducting internal digital due diligence on employees.
In an internal investigation, employee privacy can be a high-risk pitfall. Overstepping legal limits can lead to a variety of issues, from inadmissibility of evidence and tort actions, to criminal penalties in some extreme cases. In the urgency and chaos of normal internal investigations, the need to find immediate answers and control the crisis can often result in accidental violations by investigators unaware of the laws relating to employee rights or the sensitivity of the information being collected.
Other Types of Protected Information
In addition to regulations relating to the export of data and the protection of employees’ personal private information, China has other regulations aimed at protecting a variety of additional types of information, all of which are potential landmines for digital due diligence. In typical M&A due diligence, for example, buyers tend to focus on the shareholders, especially in a country like China where a disproportionately large number of people could be considered “government officials,” for the purposes of the US Foreign Corrupt Practices Act, due to the historical systems that existed under China’s planned economy. Obtaining personal details of shareholders, however, especially if they are connected to the government, and cross-referencing these with other databases in order to assess risk levels, can be an extremely delicate process that may touch on a variety of protected information issues.
OVERCOMING THE CHALLENGES OF DIGITAL DUE DILIGENCE IN CHINA
Data Export: Keep the Sensitive Data in the Mainland At all stages of any digital due diligence project in China, there may be a perceived need to send the data outside the country. Immediately after collection, it may be considered beneficial to process and store everything at an offshore data centre, as these are often more advanced, reliable, and in some ways more secure than counterparts in the mainland. Similarly, during the analysis of the data, it may seem necessary to give counsel in other jurisdictions access to the data in order to perform their due diligence or prepare their case. The legal risks of these moves can, however, be high, especially in certain industries traditionally dominated by the state, and the penalties can be severe.
Screening data for export out of the country is still in its infancy. The early definitions for “state secrets” were so broad and ambiguous that any screening was likely to be an ineffective compounding of a series of highly subjective acts of guesswork that would be costly but most likely do little more than provide some procedural comfort. New rules and regulations, especially those issued in 2014, have helped to clarify the definition of state secrets, but there is still considerable ambiguity and risk in this and other areas.
Given the necessity of the screening procedures, the question of applying the export filters is not “if”, but “when”, and the answer is clearly “as late as possible”. In all forms of digital due diligence, from internal investigations to acquisition risk assessment, there is a dramatic funnelling process that winnows down the data to a relatively small set of information at the very end. Performing the export filter at the final stages, and keeping everything in the mainland prior to that can ensure the most efficient and cost-effective solution to this difficult problem.
Employee Privacy: Obtain Consent
Clear and explicit consent is the key that unlocks nearly every employee privacy issue in China. If not already in place, all companies can and should immediately update standard employment contract templates with specific clauses (or better yet an entire appendix); update employee handbooks (often called the labour law “bible” in China because of their power in resolving disputes); hold routine annual training about acceptable use of electronic information; and have separate policies about electronic devices, especially for the two most troublesome issues: personal data on company devices and company data on personal devices.
In addition to these prophylactic policies, a best practice during due diligence is to always obtain specific collection and use consent from each custodian.
KNOW YOUR LIMITS AND USE LEGAL MEANS
The information age and the exciting intersection of big data and artificial intelligence presents one of the greatest value explosions of our lives. Data continues to emerge as a new natural resource, and the frameworks and methodologies involved in dealing with data trigger the need to address previously un-thought-of social, moral and legal problems. Companies hoping to harness this power through legal means will continuously run into difficult challenges, and China, possibly more than any other country in the world, is likely to continue to present unique issues that require careful and tailored solutions before the true value of data can be discovered.