Operating as a multinational organisation in China presents major growth opportunities, but it also comes with a rapidly evolving compliance and regulatory environment. The regulatory landscape, particularly regarding data privacy and national security, has shifted dramatically in the last few years, forcing global companies to rethink how they handle internal investigations and whistleblowing reports.
To unpack these challenges, industry experts came together for a dedicated webinar on managing reputational risk and crisis response in China. The discussion brought insights from Chi Chen, Partner in Forensic and Integrity Services at EY China; Leon Liu, Partner at JunHe Law Offices and former prosecutor; and Charles Boulo, Sales Lead APAC at Whispli.
The discussion highlighted what organisations must rethink to manage whistleblowing investigations and reputational risk in mainland China.
A New Regulatory Reality Shaped by PIPL
China’s Personal Information Protection Law (PIPL), enacted in November 2021, has significantly impacted how investigations are conducted. Privacy awareness among employees has increased sharply, changing long-established practices.
As highlighted by Chi Chen, investigators can no longer assume automatic access to company-issued devices. Employees are increasingly requesting legal counsel before granting access or refusing to sign consent forms altogether. Even when devices belong to the company, the expectation of personal data protection has become central to investigations.
This shift requires organisations to rethink evidence gathering, consent management, and internal investigation protocols from the outset.
The Critical Challenge of Cross-Border Data Transfer
One of the most complex challenges for multinational organisations is whistleblower data management. By nature, these reports contain sensitive personal information and allegations that may relate to fraud, bribery, or other criminal conduct.
The experts emphasized that transferring this data outside of mainland China is now highly restricted, especially if it could be relevant to criminal proceedings overseas. As Charles Boulo explained, legal data transfer often requires consent. However, seeking consent from an alleged wrongdoer risks alerting them prematurely and undermining the investigation.
"If you need consent from the alleged person to transfer data overseas, you have already jeopardised the investigation." - Charles Boulo, Whispli
For many organisations, the most pragmatic approach is data localisation. Keeping whistleblower and investigation data hosted within mainland China helps reduce regulatory risk and avoids cross-border compliance barriers before they arise.
Did you know? Whispli is the only platform to allow you to comply with Chinese regulations regarding data residency requirements, thanks to our trusted hosting partners.
➡️ Access our documentation on Data Hosting in China
Regulatory Expectations, Beyond Written Policies
While global compliance frameworks and codes of conduct remain essential, Chinese regulators increasingly focus on how individual cases are handled in practice rather than just systemic policies, as highlighted by Chi Chen.
In the event of a compliance failure, authorities focus on whether the company took sufficient action in that specific case.
For example, verbal conflict of interest checks during third-party onboarding may not be considered sufficient. Without written records, questionnaires, or documented controls, regulators may conclude that governance measures were inadequate, even if the organisation believed it had acted responsibly.
Documentation, traceability, and defensible decision-making are now critical components of compliance in China.
Practical Guidance for Investigations and Crisis Response
When a whistleblower report is received, process discipline matters. The panelists outlined best practices for managing the process from intake to conclusion.
1. The "Start and End" Rule for Legal Counsel
Leon Liu of JunHe Law Offices offered practical advice: while not every case involves state secrets, the geopolitical environment requires caution. He advises consulting local legal experts at two critical junctures:
- The very beginning: Before starting an investigation, have a quick consultation to assess potential sensitivities.
- The very end: Before closing a case or attempting to move any necessary data out of the country, double-check compliance.
"At the very beginning, even a short conversation with local experts can determine whether a case may become sensitive or criminal." - Leon Lui, JunHe Law Offices
2. Stick rigidly to SOPs
Audits by headquarters or regulators often focus on whether the local team followed their own Standard Operating Procedures (SOPs). Deviating from established protocols regarding investigation steps or disciplinary actions creates significant risk.
3. The Social Media Factor
Whistleblowers in China are increasingly turning to social media platforms like Xiaohongshu or Douyin to air grievances publicly. Companies must have crisis communication plans ready for both internal stakeholders and external media to manage reputational fallout when a story goes viral.
"When people feel unheard internally, they go to regulators or social media, and that is ten times worse." - Chi Chen, EY China
Encouraging Internal Reporting and Building Trust
The goal of any whistleblowing program is to handle issues internally before they become public crises or regulatory matters.
The experts shared tips on promoting these programs effectively in China:
- Be vocal and visible: Market the program aggressively through posters in common areas, compliance weeks, and training.
- Guarantee non-retaliation: Explicitly communicate that whistleblowers, including third-party vendors who often provide valuable tips, will be protected.
- Responsiveness builds trust: The "48-to-72-hour rule" is vital. Acknowledge receipt of a report quickly. If a whistleblower feels ignored, they are far more likely to escalate their report to external regulators or social media.
- Go mobile: With high mobile usage rates in China, reporting channels must be mobile-friendly to ensure accessibility.
Responsiveness and transparency are essential to maintaining trust in the system.
Conclusion
China’s regulatory environment continues to evolve, moving toward stricter enforcement and even "long-arm jurisdiction" concepts similar to the US FCPA.
Successfully navigating this landscape requires a combination of deep local legal expertise, disciplined investigation processes, and robust technology that supports data residency requirements.
For multinational organisations, the ability to manage whistleblower reports confidently and compliantly in China is no longer optional. It is a core component of protecting reputation, maintaining trust, and sustaining long-term operations in the region.
➡️ Talk to our team to see how Whispli enables secure and compliant reporting in China
