In brief

On 27 February 2024, China published the amended Law on Guarding State Secrets (“Amended SSL“), which will take effect on 1 May 2024. The Amended SSL enhances state secrets protection from multiple aspects, together with the Counterespionage Law amended in 2023, the National Security Law, and other national security related laws and regulations. The highlights of the Amended SSL are summarized as follows:

a. More resources dedicated to state secrets protection

The Amended SSL requires both government agencies and relevant entities that involve state secrets to set aside budget for state secrets protection, emphasize protection of IP rights in relevant technologies, and promote talent management in this regard. We expect that state secrets protection is likely to be a more relevant topic for business operators in China, especially in the high-tech sector.

b. Tightening up secrecy classification and labeling requirements

While the definition of “state secrets” remains to be broad and vague, the Amended SSL stipulates the principles of necessity and reasonableness in classifying state secrets. It also proposes to mark out the secret contents if conditions permit, requires the clear labeling of electronic files containing state secrets, and requires government agencies and entities to conduct annual review on the state secrets classified and to de-classify relevant matters in due course. These measures will help increase certainty in determining the scope of state secrets.

c. Improving security management of relevant products, technologies and personnel

The Amended SSL calls for the establishment of a government-led or -driven mechanism to sample and inspect the products and technical devices used for state secrets protection. The IT system storing or processing state secrets is also required to go through regular risk assessment. Personnel with access to state secrets should obtain prior approval before traveling abroad and is restricted from re-employment and traveling abroad according to applicable rules in a stipulated time period upon departure.

d. Additional obligations of government agencies and entities

Government agencies and entities that access state secrets are required to set up a dedicated work function on confidentiality work or designate a dedicated in-charge person. They are also required to protect “work secrets,” which refer to the information they generate or acquire through performing their duties, which are not state secrets but may cause certain negative impact, in accordance with the “Measures for the Management of Work Secrets” to be issued separately.

e. Expanded investigative powers

The Amended SSL expands investigative powers of the National Administration for the Protection of State Secrets and its local counterparts, including seizing relevant files and devices, interrogating relevant personnel, and carrying out technical surveillance as needed. The regulators will establish a cross-departmental security monitoring mechanism to prevent the leakage of data that would constitute state secrets after being aggregated or correlated. Internet operators are explicitly required to cooperate with the investigations conducted by various regulators by taking various measures such as ceasing transmission, keeping records or deleting information, on top of the general cooperation obligation imposed on all individuals and entities.

Practical implications

The Amended SSL aims to strengthen state secrets protection under the new context involving various geopolitical, business and technology considerations. It is also amid the efforts to strike a balance between safeguarding national security and promoting economic development. We take the view that its impact on the ordinary course of business operation for most multinational companies should not be substantial. Still, it is advisable for companies to improve awareness of state secrets protection and adopt operational measures to strengthen data management, especially for those companies who are in strategic sectors (e.g., high-tech, healthcare and financial industries), those who interact frequently with state-owned enterprises, or those who are critical information infrastructure operators and other strategic players.

Baker & McKenzie FenXun (FTZ) Joint Operation Office is a joint operation between Baker & McKenzie LLP, an Illinois limited liability partnership, and FenXun Partners, a Chinese law firm. The Joint Operation has been approved by the Shanghai Justice Bureau. In accordance with the common terminology used in professional service organisations, reference to a “partner” means a person who is a partner, or equivalent, in such a law firm.  This may qualify as “Attorney Advertising” requiring notice in some jurisdictions.  Prior results do not guarantee a similar outcome.

This client alert has been prepared for clients and professional associates of Baker & McKenzie FenXun (FTZ) Joint Operation Office. Whilst every effort has been made to ensure accuracy, this client alert is not an exhaustive treatment of the area of law discussed and no responsibility for any loss occasioned to any person acting or refraining from action as a result of material in this presentation is accepted by Baker & McKenzie FenXun (FTZ) Joint Operation Office.