Internal Investigations in China: Collecting and Reviewing Digital Evidence
Internal investigations can be highly risky and exceedingly difficult in China. The threshold problem is that “investigations” are generally the nearly exclusive right of the state, and companies—even companies’ lawyers—are sometimes restricted from carrying out many activities that might overlap with those carved out and reserved solely for the government.
Historically, attempts to operate in this grey area have been harshly penalized. After an explicit ban and crackdown on private investigation agencies in 1993, there were signs that regulation of the services had been loosening more recently, and many investigation firms began to work more openly and to speak out for legalization of their industry. However, starting in 2012 with the imprisonment of four investigators from a global research firm, and continuing with this summer’s sentencing of a British and an American citizen who operated an investigation firm on charges of illegally obtaining personal private information of Chinese citizens (reportedly including household registration records, automobile registrations, real estate information, phone logs and travel records), the government has been sending a clear message that even well-established investigation firms conducting what had come to be viewed as routine work may face steep penalties.
In addition to the general difficulties of conducting an internal investigation or audit with a scope narrow enough to be legal but broad enough to be effective, these projects will almost certainly involve the handling of protected information. During the course of internal audits, personal private information of employees might be obtained, handled or processed. The personal private information of customers or other third parties is also often involved in internal audits. For certain industries and certain types of companies, proper handling of Chinese “state secrets” can be a paramount concern, especially in matters involving China’s state-owned entities.
WHAT CAN COMPANIES DO TO PREPARE NOW?
Developing a proactive strategy for handling digital evidence during a crisis situation is crucial to avoiding legal liability, ensuring that internal audit findings will be admissible in court and successfully protecting the company’s interests. Obtaining appropriate consent, in advance, can be the key to unlocking the value of large-scale data resources that might otherwise be inaccessible. Having carefully planned procedures and protocols for handling information that might be high risk for state secrets is essential to ensuring that, in the pressure of a crisis situation, there are no missteps or violations.
To properly handle employees’ personal private information, the most important thing companies can do proactively is obtain consent to collect and review digital evidence. In China, the key documents for securing this consent are employee handbooks and labor contracts. Both should include clear provisions that prohibit employees from using company e-mail addresses or hardware for personal private information, as well as clear language stating that employees explicitly consent to allowing the company to access all documents, files and any other information stored on company hardware, as well as all e-mails sent from or received on the company’s domain. Yearly training on these policies with signed certificates from all employees adds an additional layer of protection. Using personal private information of customers and third parties is more complex, but comparable forms of consent and careful contract drafting can help shield companies from liability and allow internal audits to proceed when necessary.
Insulating a company from liability related to state secrets requires similar levels of advanced preparation and proactive crisis management planning. First, a company should identify any employees, customers, departments, products or services that might be at high risk for obtaining or handling, even accidentally, state secrets. After any high risk areas have been identified, strict protocols and procedures should be established that isolate these areas during an internal audit to ensure that no state secrets are improperly exposed, handled or transferred out of the country.
WHAT SHOULD COMPANIES DO DURING AN INTERNAL AUDIT?
When an audit is already underway, one of the most valuable things that a company can do to ensure that it handles data properly is to receive help from experienced, local law firms. A “do it yourself” or “learn as you go” approach can result in serious violations arising out of the investigation itself, and companies might actually create new legal exposure in the effort to uncover existing issues. Experienced, PRC-licensed lawyers will advise clients to be as transparent as possible with employees and third parties about data collection, and to obtain specific consent for collection and review wherever possible without undermining the investigation. Seasoned counsel will also be able to guide companies through the complex technical details of accessing and collecting information while still preserving a forensically sound and legally admissible version of the evidence for potential later use during a trial or court proceeding. During the review of the material, strong procedures and protocols must be in place so that protected information is isolated and dealt with appropriately if accidentally handled or disclosed.
Protected information concerns are easy to overlook during the rush of an investigation, but violations can create significant liability for individuals and the company, and may taint the admissibility of any evidence collected for later offensive or defensive use. Early preparation, before an investigation is even being contemplated, is key to limiting liability and ensuring proper access to relevant information for any potential future project. Hiring experienced local law firms during an investigation will help reduce risk exposure and increase the chances of a successful review.
This article was written with contributions from Jared T. Nelson, foreign counsel for MWE China Law Offices in Shanghai. His practice focuses on antitrust and compliance.