This year’s historic stock market rise and crash was only the most visible sign of overall economic turmoil in China. Other key indicators  include China’s lowest annual growth rate in decades, concerns about stagnating real estate prices  and the first ever bond default by a state- owned enterprise. As a by-product of these significant  and rapid economic changes, China’s already high instances of bribery, embezzlement, kickback  schemes, insider trading, theft of trade secrets and other white collar crimes may see a further  rise as dramatic and swift as that of stock prices this spring.

China’s current compliance challenges are a continuous source of concern for multi-national companies operating in China. The  government’s most recent campaign against corruption has made progress in this area, but in the  near future these issues will remain a high priority for compliance professionals. Identifying and  remedying these  violations can be expensive and disruptive and often leads to the dissatisfying  result of inconclusive evidence ending in a negotiated (and usually paid) resignation for suspected  employees.

The rise of digital due diligence, and new data compliance techniques, offer a powerful new tool to  complement and strengthen traditional methods for legal and compliance departments to close the gap and obtain more effective results.

CHALLENGES OF DIGITAL DUE DILIGENCE IN CHINA

The development of e-discovery has had the unanticipated ancillary benefit of creating a robust and powerful set of tools for quickly finding evidence of compliance violations. Just as litigants must quickly sort through millions of e-mails to identify and produce responsive documents while retaining privileged materials,  modern investigators must undertake a similar digital needle in the haystack exercise to quickly  identify key pieces of electronic evidence.

Digital due diligence is the combination of traditional computer forensic methods and the  application of e-discovery tools in order to identify, collect, review, and analyse data to verify potential  misconduct. Electronic evidence has the significant advantages of being detailed, objective, and contemporaneously recorded and fixed in a  medium without loss over extended periods of time. Unfortunately, it also has the distinct  disadvantage of often being grouped together with billions or trillions of other pieces of data that have similar characteristics and traits but are not relevant to the case.

In China, digital due diligence has emerged from the services grey market of “consultants” and  underground investigators to become a legitimate legal practice that can provide crucial insights  and value for companies facing a compliance crisis or attempting to determine legal risk levels in  other areas. In particular, law firms with local licenses have developed this solution into a mature, professional and effective service that no longer holds the risks and clouds of illicitness  found with the grey market of investigators.

CHALLENGES OF DIGITAL DUE DILIGENCE IN CHINA

Data Export

China’s infamous “Great Firewall” prevents some information from coming into China, but what is  less well known is that the legal system also prevents certain categories of information from  leaving China. Most famously, “state secrets” are prevented from being transferred outside China,  but an assortment of minor laws also protect some forms of health information, accounting records, certain types  of archives and a variety of other information from leaving the borders. The result is that it is not possible to follow the usual  e-discovery default of moving data to large off-site data centres in India, the United States, or even Hong Kong.

Employee Privacy

Although outside China the country has a reputation for being the world’s factory and having  challenging working conditions, those who spend time in  the country quickly become aware of how  favourable its laws are towards employees. Both in the letter of the law and through enforcement  efforts, there are strong protections of employees’ job security, limits on working hours and other general rights, including privacy, which can create  an issue when conducting internal digital due diligence on employees.

In an internal investigation, employee privacy can be a high-risk pitfall. Overstepping legal limits can lead to  a variety of issues,  from inadmissibility of evidence and tort actions, to criminal penalties in some extreme cases. In the urgency and chaos  of normal internal investigations, the need to find immediate answers and control the crisis can often result in accidental violations by investigators unaware of the laws relating to employee  rights or the sensitivity of the information being collected.

Other Types of Protected Information

In addition to regulations relating to the export of data and the protection of employees’ personal  private information, China has other regulations aimed at protecting a variety of additional types  of information, all of which are potential landmines for digital due diligence. In typical M&A due diligence, for example, buyers tend to focus on the shareholders, especially in  a country like China where a disproportionately large number of people could be considered “government officials,” for the  purposes of the US Foreign Corrupt Practices Act, due to  the historical systems that existed under  China’s planned economy. Obtaining personal details of shareholders, however, especially if they are connected to the government, and  cross-referencing these with other databases in order to assess risk levels, can be an extremely  delicate process that may touch on a variety of protected information issues.

OVERCOMING THE CHALLENGES OF DIGITAL DUE DILIGENCE IN CHINA

Data Export: Keep the Sensitive Data in the Mainland At all stages of any digital due diligence project in China, there may be a perceived need to send  the data outside the country. Immediately after collection, it may be considered beneficial to  process and store everything at an offshore data centre, as these are often more advanced, reliable, and in some ways more secure than  counterparts in the mainland. Similarly, during the analysis of the data, it may seem necessary to  give counsel in other jurisdictions access to the data in order to perform their due diligence or prepare their case. The legal risks of these  moves can, however, be high, especially in certain industries traditionally dominated by the state, and the penalties can be severe.

Screening data for export out of the country is still in its infancy. The early definitions for  “state secrets” were  so broad and ambiguous that any screening was likely to be an ineffective compounding of a series of highly subjective acts of  guesswork that would be costly but most likely do little more than provide some procedural comfort.  New rules and regulations, especially those issued in 2014, have helped to clarify the definition  of state secrets,   but there is still considerable ambiguity and risk in this and other areas.

Given the necessity of the screening procedures, the question of applying the export filters is not  “if”, but “when”, and the answer is clearly “as late as possible”. In all forms of digital due  diligence, from internal investigations to acquisition risk assessment, there is a dramatic  funnelling process that winnows down the data to a relatively small set of information at the very end. Performing the export filter at the final stages, and  keeping everything in the mainland prior to that can ensure the most efficient and cost-effective  solution to this difficult problem.

Employee Privacy: Obtain Consent

Clear and explicit consent is the key that unlocks nearly every employee privacy issue in China. If  not already in place, all companies can and should  immediately update standard employment contract templates with  specific clauses (or better yet an entire appendix); update employee handbooks (often called the labour law “bible” in China because of their power in resolving disputes);  hold routine annual  training about acceptable use of electronic information; and have separate policies about  electronic devices, especially for the two most troublesome issues: personal data on company devices and company data on personal devices.

In addition to these prophylactic policies, a best practice during due diligence is to always obtain specific collection and use consent from  each custodian. 

KNOW YOUR LIMITS AND USE LEGAL MEANS

The information age and the exciting intersection of big data and artificial intelligence presents  one of the greatest value explosions of our lives. Data continues to emerge as a new natural  resource, and the frameworks and methodologies involved in dealing with data trigger the need to  address previously un-thought-of social, moral and legal problems. Companies hoping to harness this  power through legal means will continuously run into difficult challenges, and China, possibly more  than any other country in the world, is likely to continue to present unique issues that require careful and tailored solutions before the  true value of data can be discovered.