Multinational companies with operations or major investments in China are worried, and who could blame them? Daily headlines in major international media paint a very grim picture about the state of relations between Beijing and the West and the future of western businesses in China. Here are some recent examples: “‘Australia embraces US and pays price with China as trade war hits bottom line”; and “China’s new anti-foreign sanctions law sends a chill through the business community”.
Certainly, any multinational company hoping that a Biden administration would end strategic rivalry with China is sadly mistaken. G7 statements about countering China or China’s introduction of a new law to neutralize foreign sanctions show that geopolitics will continue to impact our clients in notable ways. It’s unsurprising then that we get many questions from anxious executives: will Chinese authorities retaliate against my business because the US government went after my Chinese competitor in the US? Will I be detained when I travel to China? Will my company be placed on an “unreliable entities” list?
Over the years that we have supported our clients in China, one thing that has stood out is the difficulty they have in determining whether a government action is (a) political or (b) regulatory in nature. Even more worryingly, many of our clients did not see these developments coming. But knowing how to make these distinctions (or even better, understanding where the emphasis lies) and projecting enforcement timelines are both very achievable.
Our years tracking government enforcement shows that the vast majority of cases have clear regulatory drivers that flow from political imperatives. The consistent problem we see is that our clients lack the people and processes to understand and manage emerging political and regulatory developments. Many of our MNC clients came to China when industrial politics was relatively simple – when it was all about growth – and regulations were few and enforcement was lax. If they did have someone to manage risk and compliance, they were almost always exclusively focused on compliance with anti-bribery and corruption laws (and not even China’s emerging anti-corruption regime). Times have changed. China’s bureaucracy is significantly more professional and transparent than it was even a few years ago. And they have been given a strong mandate to improve the business environment.
A great example is the newly finalized Data Security Law (DSL), set to take effect on September 1. The DSL outlines a globally unique approach to managing data that is tied to national security, so unsurprisingly headlines about the DSL are quite scary: “China’s new Data Security Law promises steep punishments” and “China’s new power play: more control of tech companies”.
Looking at the law, there certainly are aspects that are worrying for business – particularly the possibility of data localisation – but is it all concerning? Using the DSL as an example, here are the practical steps we take to help our clients see the bigger picture, understand if this is about them, and embark on managing the actual risks:
- What is this about?: The DSL is a part of a broader political, legal and regulatory framework that started with China’s Cyber Security Law (CSL) in 2017. The CSL launched the government’s all-out effort to ensure that all organisations, including government, critical infrastructure, and businesses, have a minimal baseline level of cyber security and data privacy protection practices. The cyber security situation in China, where our entire lives are lived online – more so than in many other countries – was and continues to be very grim. Rampant online theft of personal and financial information. Critical infrastructure, such as hospitals, banks, and airlines, with little to no cyber security processes in place, leaving it exposed to hacks and breaches. The CSL, the DSL and the incoming Personal Information Protection Law (PIPL) are aimed at closing these gaps, meeting a critical societal (and therefore political) need.
- Who are the targets?: The authorities typically take a triage approach – the targets are usually the worst violators. According to Control Risks data, over the past four years, nearly 80% of CSL-related enforcement has been against Chinese firms in sectors that are, unsurprisingly, the major holders of data or operate a critical organisation. Foreign companies with similar business models eventually become a focus.
- What is the timing?: DSL particulars are still vague, but the government has been flagging the possibility of data localisation since the CSL entered into force over four years ago. The next step for them will be to issue draft regulations and standards that outline targeted data. Once those are out, regulators will likely announce the onset, duration, and target of DSL enforcement campaigns.
- How do I prepare?: Now that we know the drivers, we can look at your business through the lens of the regulators: How would they view your business, its data, and how well you handle that data? If your firm could be a focus, the first crucial step is to undertake a data review process – examine where your data is stored, whether authorities potentially consider it sensitive, the current security processes surrounding that data and the implications and costs of having that data stored in China.
Beyond the DSL, there are multiple other examples of sustained, regulatory enforcement that aim to solve broader political, societal and economic issues: Anti-trust and the crackdown on free-wheeling big tech companies, environmental enforcement and the cleaning up of heavy polluting industries, anti-corruption and the high prices of drugs, for example. China’s social credit scheme, focused on ensuring compliance, is going to amplify regulatory risks across the board.
But here’s the good news: while companies may be unable to influence geopolitical and political dynamics, companies can address their regulatory issues. In most cases, companies can achieve compliance with regulations, lowering their risk of enforcement, or “targeting”. Companies should focus on these three things:
- Stop believing everything you read in the newspaper: The headlines are giving our clients whiplash. And from our perspective, many are misleading or worse, factually incorrect. Be cautious about over-extrapolating profound operational implications from these high-level statements. Don’t lose sight of the reality on the ground.
- Devote more resources to keeping up with the ever-changing political and regulatory environment: Companies often do not have the right people or processes in place for monitoring risks, understanding them and then ensuring that the right people are responsible for mitigation. Time and time again our clients find themselves neck deep because they failed to see the regulatory tidal wave headed their way. In almost every major government-led investigation we have supported, the signs were clear – but no one at the company was looking for them.
- Give compliance a seat at the strategy table: Compliance is your strongest defense for mitigating both political and regulatory risk. In these tense times, do not give the authorities any excuse. Compliance professionals need to be senior to direct strategic business goals and they need to have a broad focus.
The ongoing politicisation of areas such as data and social credit, particularly in US-China relations, is only going to continue amplifying the noise, making it harder for executives to distinguish between regulatory and political drivers of risk. But just remember, that multinational companies can significantly lower the odds of major disruption – including from political factors – by understanding, responding and adapting to the changing regulatory landscape.