- Recent Chinese privacy regulations and standard contractual processes restrict the cross-border transfer of personal information.
- Reports of misconduct in a global whistleblowing program may inadvertently involve the unlawful transfer of personal data, resulting in corporate liability and penalties for non-compliance.
- International corporations are required to use a local agency to investigate reports of wrongdoing in mainland China. Specialized legal services can help companies navigate complex regulations and stay compliant.
Whistleblowers are the best and earliest source of information about abuse. A well-structured, confidential whistleblower hotline not only ensures compliance, but can prevent corruption and avoid the PR nightmare of a public news story.
Yet as the world moves toward tighter regulations on cybersecurity and privacy, companies with global whistleblowing programs are facing new logistical hurdles. This is especially true in China, where whistleblower reports can inadvertently violate data protection laws and expose the company to additional liabilities.
NAVEX recently joined international law firm Baker McKenzie for a webinar exploring the implications of China’s new cybersecurity laws on whistleblowing policies. Read on for the key findings.
Every organization needs a whistleblowing program
When an employee voluntarily steps forward to speak about a suspected risk or abuse, companies have an opportunity to address the issue internally before it gets out of control or is reported externally. With the whistleblower report, managers have better information to make decisions, and quick action can save a costly trial down the road.
Companies with active internal reporting systems saw a 6.9% reduction in material lawsuits and a 20.4% reduction in total settlement amounts. In many cases, companies never get to the point of needing to negotiate a settlement because an internal investigation resolves the issue to the satisfaction of all parties.
A whistleblowing program not only saves money, but can prevent irreparable damage to a company’s reputation. With reporting hotlines in place, organizations see an average of 46% less negative news. It’s more than just saving face—a public scandal can dramatically crash a company’s stock price and destroy consumer confidence.
Yet despite the value of raising these concerns internally, many employees are still hesitant to speak up for fear of retribution. To create an open reporting culture, organizations need frequent encouragement, company-wide training, and a variety of confidential reporting channels. But when this reporting happens online, data protection becomes an issue.
New data protection regulations in China
China’s Personal Information Security Specification came into effect in 2018, the same year as the EU’s General Data Protection Regulation (GDPR). The new Chinese guidelines were a follow-up to the 2017 Cybersecurity Law, clarifying how companies can collect, use and share personal data.
In the five years since, the Cyberspace Administration of China (CAC) has introduced additional regulations, notably the Personal Information Protection Law (PIPL) in 2021. The most recent update to the PIPL is the Standard Contractual Measures for the Export of Personal Information, effective 1 June 2023, which sets out the legal requirements for companies to send personal information from mainland China to servers located in other countries. Failure to comply with these requirements can result in fines, revocation of a company’s Chinese business license and – in extreme cases – criminal prosecution.
Companies doing business in China have six months to comply with the new measures once they take effect.
Comparison of Chinese regulations with GDPR
Global organizations are likely already familiar with GDPR requirements for appropriate safeguards, binding corporate rules and standard contractual clauses for cross-border data transfers (CBDT). The transfer of personal data to a non-EU country requires compliance with a code of conduct and certification by a supervisory authority.
China’s Standard Contractual Measures are in many ways similar to GDPR, but a key difference is that Chinese regulations require localization of data. Personal information collected in China must be stored and processed in mainland China. This creates a potential barrier to the organization’s internal reporting channels.
The effect on global whistleblowing programs
If an employee based in China reports a potential breach, a regional or global compliance department will likely initiate an investigation. But as soon as that investigation looks at the alleged wrongdoing of individuals in China — and reviews that personal data outside the country — the company is potentially in violation of Chinese law.
Anything that can be identified, from names and mobile phone numbers to even screenshots of a WeChat conversation, is protected personal information. To comply with the regulation, overseas entities need a designated agency in mainland China to review and protect the personal information collected. While the agency may transmit some personal data once it has taken the proper security measures, it is in the company’s best interest to keep cross-border transfers of personal data to a minimum.
“Minimizing cross-border data transfer is a general principle in terms of mitigating potential risk.”
A thorough internal investigation will include witness interviews, transcripts of conversations, emails, documents, and a host of other items that could contain personal information. Acting quickly on a whistleblower’s complaint can save the company from much greater liability or public scandal, but at the same time could lead to a series of PIPL violations and possible blacklisting by Chinese regulators. Because of this, global organizations need local advocates to stay aligned.
How international businesses can stay compliant
The clear solution is for global companies to partner with a qualified legal service in mainland China. Baker McKenzie offers local reporting channels in addition to international whistleblowing programs. Employees in China can call a local office and the Mainland China team will then summarize the details of the complaint. Once all personal information is removed, the local team will send the report to the offshore company’s headquarters.
If the complaint leads to an investigation, the Baker McKenzie team can assist with data collection from local servers, interviews and document review. They can then share these findings along with their legal analysis in a PIPL-compliant package.
“We are not proposing to replace the existing global whistleblowing program with the local reporting channel in China. The phone number as well as the email address we provide are in support of and in addition to the company’s global whistleblowing system.”
It’s not just about meeting legal obligations in China. If a brave individual blows the whistle and there is no immediate investigation, the entire culture of reporting could fall apart. Employees lose confidence in the system, and future problems go unnoticed until they become too big to ignore. Companies need active, well-maintained whistleblowing programs, and in China this requires onshore representation.
The future of whistleblowing programs
Around three-quarters of EU member states have transposed the Whistleblower Protection Directive, creating a minimum threshold for companies with more than 50 employees. The Japanese Whistleblower Protection Act and the UK Whistleblower Bill are other recent examples highlighting the growing global awareness of the importance of protecting and encouraging whistleblowers.
In the United States, there was a 76% increase in whistleblowing to the SEC from 2020 to 2021, with online reporting identified as the preferred channel for anonymous reports. In Europe, 68% of anonymous reports are made online. Whether using web portals or mobile apps, whistleblowers feel empowered to speak up and do so online.
Simultaneously, China’s PIPL and GDPR have shown the expanded territorial scope of data privacy regulations. “Personal information” is already interpreted broadly: anything that may relate to an identified or identifiable person may qualify, and future legislation is likely to maintain this broad definition. Legal proceedings may begin to ask companies how they handle personal data as part of a whistleblowing system, and a lack of compliance could put these organizations in a precarious legal position.
“It doesn’t matter if [personal information] is electronic or in any other form… you will find that the data you process is covered.”
This puts global whistleblowing at a crossroads. If privacy regulations make it difficult for organizations to timely and adequately investigate internal reports, or if companies cut reporting channels because they lack data protections, whistleblowers are much less likely to raise the alarm. But if organizations put the safeguards in place to ensure compliance, provide frequent training on reporting best practices, and work with trusted advisors in each of their business locations, healthy whistleblowing can continue to grow.
This post is based on a recent NAVEX webinar on China’s new data regulations and their impact on whistleblowing, which is available to watch on demand.
See the original article at Risk & Compliance Matters