China's national security laws: implications beyond borders

The People's Republic of China (PRC), under Chinese Communist Party (CCP) leadership, uses national security laws to assert PRC interests including modernizing China's military and controlling critical technology.

• From 2014 to 2023, the PRC government passed or revised over a dozen laws related to national security.
• PRC leaders use these laws to justify a range of restrictions, demands, and punitive actions against PRC and foreign firms and individuals.
• These laws are vaguely worded and could be expansively interpreted by PRC officials.
• These laws could pose risks for foreign governments, companies, and individuals in China and abroad.

PRC national security laws justify an expansive range of possible actions

For example, these laws provide justification for China to:

• Access data or encryption keys held by foreign firms with operations in the PRC (Cybersecurity Law, Data Security Law, Cryptography Law)
• Detain foreign nationals living, working, or traveling in China, Hong Kong, or Macau and possibly beyond (National
• Security Law, Counterespionage Law, Law on Safeguarding National Security in Hong Kong)
• Prevent PRC entities and individuals from sending “sensitive” data abroad (Data Security Law, Counterespionage Law)
• Require PRC citizens to assist in intelligence-gathering activities (National Intelligence Law)

National security laws impose obligations upon individuals and companies, including data handling obligations

As the examples on the next page illustrate, multiple PRC national security laws and policies target both PRC and foreign citizens, companies, and other groups as well as the data these individuals and groups possess. To exert control over theseindividuals and groups, these laws impose strict requirements on the handling, storage, and export of sensitive information.

PRC and foreign citizens must avoid a vaguely defined list of behaviors Beijing deems harmful to its security interests. They must actively cooperate with PRC officials, and in some cases, they can be held liable for actions outside PRC territory.

PRC and foreign companies face a host of requirements related to cybersecurity and data management and storage. Companies must report to and cooperate with PRC authorities, and they must assist with state-directed intelligence and counterintelligence efforts.

Data may fall under the broad definition of information “related to national security and interests” and be treated as a state secret even if commercial in nature. Some data are also subject to restrictions on cross-border transfer.