- Recent Chinese regulations on personal data protection and standard contractual processes limit the cross-border transfer of personally identifying information.
- Reports of misconduct in a global whistleblower program could inadvertently involve an illegal transfer of personal data, leading to corporate liability and penalties for noncompliance.
- International corporations are required to use a local agency to screen whistleblower reports in mainland China. Specialized legal services can help companies navigate complex regulations and remain compliant.
Whistleblowers are a company’s best and earliest source of information for wrongdoing. A well-structured, confidential whistleblower hotline not only ensures compliance with relevant regulations, it can prevent corruption and avoid the PR nightmare of a public news story.
Yet as the world moves toward tighter regulations on cybersecurity and personal data protection, companies with global whistleblower programs face new logistical hurdles. This is particularly true in China, where whistleblower reports could inadvertently violate data protection laws and expose the company to additional liabilities.
NAVEX recently joined the international law firm Baker McKenzie for a webinar exploring the implications of new Chinese cybersecurity laws on whistleblowing policies. Keep reading for the key findings.
Every organization needs a whistleblower program
When an employee voluntarily steps forward to speak up about a perceived risk or malpractice, companies have an opportunity to address the problem internally before it gets out of control or is reported externally. With a whistleblower’s report, managers have better information to make decisions, and quick action can save a costly ordeal down the road.
Companies with active internal reporting systems see a 6.9% decrease in material lawsuits and a 20.4% decrease in aggregate settlement amounts. In many cases, companies never reach the point of having to negotiate a settlement because an internal investigation resolves the issue to all parties’ satisfaction.
Not only does a whistleblower program save money, but it can prevent irreparable damage to a company’s reputation. With reporting hotlines in place, organizations see an average of 46% fewer negative news stories. This is more than just saving face – a single public scandal can plummet the company’s stock price and destroy consumer trust.
Yet despite the value of raising these concerns internally, many employees still hesitate to speak up for fear of retribution. To create an open reporting culture, organizations need frequent encouragement, company-wide training, and a variety of confidential reporting channels. But when that reporting happens online, data protection becomes a concern.
New data protection regulations in China
China’s Personal Information Security Specification took effect in 2018, the same year as the General Data Protection Regulation (GDPR) in the EU. The new Chinese guidance was a follow-up to the 2017 Cybersecurity Law, clarifying how companies could collect, use and transmit personal data.
In the five years since, the Cyberspace Administration of China (CAC) introduced further regulations, notably the Personal Information Protection Law (PIPL) in 2021. The most recent update to the PIPL is the Standard Contract Measures for the Export of Personal Information, effective June 1, 2023, which lays out the legal requirements for companies to send personal information from mainland China to servers located in other countries. Failure to meet these requirements may result in fines, revocation of a company’s Chinese business license and – in extreme cases – criminal prosecution.
Companies doing business in China have six months to comply with the new measures once they take effect.
Comparing Chinese regulations with the GDPR
Global organizations are likely already familiar with the GDPR’s requirements for appropriate safeguards, binding corporate rules and standard contractual clauses for cross-border data transfer (CBDT). Personal data transfers to a country outside of the EU require adherence to a code of conduct and the certification of a supervising authority.
China’s Standard Contract Measures is in many ways similar to the GDPR, but a key difference is that Chinese regulations require data localization. Personal information collected in China must be stored and processed in mainland China. This creates a potential barrier for an organization’s internal reporting channels.
The effect on global whistleblowing programs
If an employee based in China reports a potential instance of wrongdoing, a regional or global compliance department will likely launch an investigation. But as soon as that investigation looks into the alleged misconduct of individuals in China – and reviews that personal data outside of the country – the company is potentially in violation of Chinese law.
Anything identifiable, from names and cell phone numbers to even screenshots of a WeChat conversation, is protected personal information. To comply with the regulation, overseas entities need a designated agency in mainland China to review and protect the personal information collected. While the agency can transmit some personal data once they’ve taken the proper safety measures, it’s in the company’s best interest to limit the personal CBDT.
“Minimizing cross-border data transfer is a general principle in terms of mitigating potential risk.”
A thorough internal investigation will include witness interviews, call transcripts, emails, documents and a host of other items that could contain personal information. Quick action on a whistleblower’s complaint can save the company from a much greater liability or public scandal, but at the same time, it could lead to a string of PIPL violations and possible blacklisting by Chinese regulators. Because of this, global organizations need local advocates to stay compliant.
How international enterprises can stay compliant
The clear solution is for global companies to partner with a qualified legal service in mainland China. Baker McKenzie offers local reporting channels to supplement international whistleblower programs. Employees in China can call a local office, and then the mainland China team will aggregate the details of the complaint. Once all personal information has been removed, the local team will send the report to the offshore company headquarters.
If the complaint leads to an investigation, Baker McKenzie’s team can help with data collection from local servers, interviews and document review. They then can share these findings along with their legal analysis in a PIPL-compliant package.
“We are not suggesting replacing the existing global whistle-blowing program with the China local reporting channel. The phone number as well as the email address we provide are to support and supplement a company’s global whistle-blowing system.”
It’s not just a matter of avoiding statutory liabilities in China. If a brave individual blows the whistle and there’s not an immediate investigation, the whole reporting culture can fall apart. Employees can lose trust in the system, and future issues will go unnoticed until they turn into a problem too large to ignore. Companies need active, well-supported whistleblowing programs, and, in China, that requires onshore representation.
The future of whistleblower programs
Approximately three-quarters of the EU’s member states have transposed the Whistleblower Protection Directive, creating a minimum threshold for companies with more than 50 employees. Japan’s Whistleblower Protection Act and the UK’s Whistleblowing Bill are other recent examples highlighting an increasing global awareness of the importance of protecting and encouraging whistleblowers.
In the United States, there was a 76% rise in whistleblowing reports to the SEC from 2020 to 2021, with online reporting identified as the preferred method for anonymity. In Europe, 68% of anonymous reports are made online. Whether they use web portals or mobile apps, Whistleblowers feel empowered to speak up, and they’re doing so online.
Simultaneously, China’s PIPL and the GDPR have shown the extended territorial scope of data privacy regulations. Personal information is already subject to a wide range of interpretations – anything that can relate to an identified or identifiable person can qualify, and it’s likely that future legislation will uphold this wide definition. Judicial procedures may start asking companies how they’re processing personal data as part of a whistleblowing system, and a lack of compliance could put those organizations in a precarious legal position.
“It doesn’t matter if [personal information] is electronic or in any other form … you’ll find the data that you’re processing covered.”
This puts global whistleblowing at a crossroads. If privacy regulations make it harder for organizations to promptly and sufficiently investigate internal reports, or if companies scale back reporting channels because they don’t have data protections in place, whistleblowers will be far less likely to raise the alarm. But if organizations put the safeguards in place to ensure compliance, provide frequent training in reporting best practices and work with trusted advisors in each of their business locales, healthy whistleblowing could continue to grow.
This post is based on a recent NAVEX webinar on new data regulations in China and their impact on whistleblowing: