China’s amended Law on Guarding State Secrets (“SSL”) took effect on May 1, 2024. This amendment is part of a broader legislative push to enhance national security and data protection, aligning with other recent laws such as the Data Security Law (“DSL”), the Counterespionage Law, and the amended National Security Law.

The SSL amendments primarily impact PRC government agencies as well as enterprises that have access to state secrets (collectively “Regulated Entities”). However, multinational companies (“MNCs”) that may encounter state secrets or other sensitive information in their interactions with Regulated Entities also need to think about the requirements of the SSL, the DSL, and other legislation when handling China-based data, both in routine operations and when conducting due diligence and internal investigations.

This client alert provides an overview of the key changes introduced by the amended SSL and outlines best practices for MNCs operating in China.

Key Updates

• Expansion of Protected Information. The scope of the SSL now covers not only state secrets but also “work secrets,” a category that covers a broader range of sensitive information generated by Regulated Entities where its disclosure could have adverse effects. Other existing regulations already protect work secrets so the concept is not new, but including work secrets within the ambit of the SSL further codifies and strengthens their protection.

• Classification and Declassification. The amended SSL provides clearer guidelines and procedures for classifying and declassifying state secrets, and labelling documents to highlight the sensitivity of the information.

• Digital Information and Cybersecurity. The amendments modernize the SSL by including electronic files among the types of media that can contain state secrets. They also impose specific duties on internet companies to manage user-generated information and delete information in cases of suspected breaches.

• Institutional Changes. Regulated Entities are now required to set up dedicated bodies or designate specific personnel responsible for secrecy work. The SSL also now requires both local governments and Regulated Entities to allocate funds for state secret protection within their budgets.

• Decentralization of Authority to Define State Secrets. Central government authorities may delegate to lower-level authorities the authority to define what constitutes a state secret in limited circumstances, such as when the urgency of a situation requires it.

• Export Controls. The amendment provides for a new mechanism for overseeing the export of state secrets to overseas parties. Implementing regulations can be expected in due course, potentially adopting the framework already governing exports of data governed by the DSL.

• Regulation of Data Aggregation. A new provision requires Regulated Entities to adopt security measures in its handling of data that might constitute state secrets where aggregated or connected with other data.

Compliance Best Practices for MNCs

For MNCs operating in China, the SSL amendment further underscores the growing need to have robust data handling policies and practices to mitigate regulatory risk. Data generated or acquired through business operations or used in due diligence and internal investigations may fall within either the scope of state secrets or work secrets under the SSL or so-called “important data” under the DSL. Risks of this are higher with data related to government agencies, SOEs, and sensitive sectors.

An MNC’s data handling policies and practices can be tailored, taking into account the nature of their business in China. Those that interact with Regulated Entities, or for other reasons, are more likely to receive sensitive information through their business operations; the following strategies could be adopted:

• Data Security and Handling. Implement a formal data protection program as part of the MNC’s daily operations, which might:
  • Classify, based on its level of sensitivity, data received from government agencies, state-owned enterprises, and other relevant external sources, and apply appropriate levels of controls based on that classification.
  • Seek where possible to store and process data collected or generated within China.
  • Provide for regular employee trainings on the data protection program and on the SSL, the DSL, and other relevant legislation, to enhance their compliance awareness.
• Due Diligence or Internal Investigations. Strategize with counsel and other advisors on data collection and review processes to limit access to state secrets and other sensitive information and avoid inadvertent sharing or export of the information.
  • Ensure compliance with Chinese regulatory requirements when providing information to foreign regulators.
  • Localize due diligence and internal investigations of China-based activities within China as much as possible.
  • Carefully evaluate external data sources and limit reliance on external data sources as much as possible.
  • Implement robust data security protocols when collecting data from external parties, seeking external counsel’s assistance in identifying and redacting sensitive information where appropriate.

[View source.]