Technology & Outsourcing 2024 Comparisons

Outsourcing is a commercial term, rather than a legal term, referring to the allocation of functions or services – or both – by a company to other companies, and the use of resources from outside the company to meet the company’s internal production and operation needs.

An entity (ie, a customer) may choose to outsource non-core activities, which may also require professional knowledge and skills, to an external specialist (ie, a service provider). In so doing, the customer can reduce its operating costs, concentrate its human resources and increase customer satisfaction, thereby maintaining its core competitive competencies and solving manpower shortages.

IT outsourcing is the business practice of having a service provider handle some IT functions instead of establishing an internal IT department or hiring IT staff. Outsourced IT services in China include programming, application development and technical support.

The revenue of the IT outsourcing market in China is growing gradually. Moreover, IT outsourcing in China is shifting from foreign to local outsourcing, mainly due to increased awareness of the need for data protection. The increasing capabilities of local IT service providers are also bolstering this trend.

From a macroeconomic perspective, China’s rapid economic growth and expansion of business in foreign territories has also increased the need for IT outsourcing, with more professional IT services being needed to meet customers’ demands.

IT outsourcing may cause some legal issues pertaining to the proprietary rights to data, restrictions on data transmission, data protection laws and regulations, revisions to cybersecurity law (influenced by the different IT outsourcing methods), etc. China has promulgated several rules and policies regarding IT outsourcing services (see 2.1 Restrictions on Technology Transactions or Outsourcing and 2.3 Restrictions on Data Processing or Data Security).

The business process outsourcing (BPO) market in China has been experiencing significant growth in recent years. Such growth is driven by various factors such as changes in business concepts, a large talent pool, cost advantages and favourable government policies.

Chinese companies have been increasingly outsourcing their non-core business functions to third-party service providers, allowing them to focus on their core competencies and improve operational efficiency. Meanwhile, foreign companies have also been outsourcing their business processes to China, attracted by China’s large pool of skilled workers and cost-effective labour. However, with the ever-growing labour costs in China, some outsourcing services in the manufacturing industry have gradually shifted from China to other Southeast Asian countries.

One of the key trends in the BPO market in China is the increasing adoption of automation and artificial intelligence (AI) technologies, especially for customer service. The customer service offered by banks, logistics and utilities companies is always 24/7. However, such companies do not have the staff to answer these calls; instead, they use digital robots to define some common questions and provide answers to solve customers’ simple questions, reduce the waiting time for customers to obtain answers and enable customers to solve their problems more efficiently.

China’s large and diverse talent pool is a major incentive to develop the BPO market; this may elevate the employment rate, especially for a large number of graduates in fields such as engineering, science and technology.

China’s Belt and Road Initiative (BRI) has created new opportunities for BPO service providers. This initiative encourages domestic companies to seek BPO services in foreign countries, and it also encourages foreign companies to seek BPO services in China. BRI is also driven by several governments, further developing BPO services.

BPO may also involve legal issues related to intellectual properties (IPs), trade secrets, personal information/data, privacy, cross-border data transmission, etc. Please refer to 2.3 Restrictions on Data Processing or Data Security for more details.

Not only has new technology been widely used across industries in recent years, but it has also been integrated into people’s daily lives. Enterprises use AI to optimise operational processes through automated data analysis, and they use robotics and robotic process automation for major infrastructure construction. People use AI and chatbots to improve work efficiency and quality of life.

The COVID-19 pandemic has certainly accelerated the development and application of new technology due to the need for no-touch devices and telecommuting.

In China, the most commonly outsourced services include IT, human resources, research and development, manufacturing, finance and accounting, customer relationship management and logistics.

Service outsourcing across different sectors can give rise to a number of legal considerations, including the stipulations and criteria for service delivery and possible breaches of contract provisions. In heavily regulated industries like healthcare, the complexity of rules and regulations is heightened, necessitating meticulous compliance to ensure that legal and industry standards are maintained.

There is no law or regulation that specifically regulates outsourcing transactions in China. The requirements are mainly set out in the Civil Code (2021) and the Anti-unfair Competition Law (2019).

The State Council issued the Opinions on Promoting the Accelerated Development of the Service Outsourcing Industry in 2014 to encourage the development of outsourcing services. Meanwhile, the relevant government departments and industry associations have also issued regulations and self-regulatory rules for outsourcing transactions in different fields (see 2.2 Industry-Specific Restrictions).

The regulatory framework for technology transactions and outsourcing in the PRC covers the following main aspects: foreign capital investment restrictions; technology export restrictions; privacy, data security and transfer; and taxation.

Foreign Capital Investment Restrictions

The following laws governs the restrictions on foreign investment access:

• the Foreign Investment Law (2020); and
• the Special Administrative Measures for Foreign Investment Access (Negative List) (2021 edition).

There are no general restrictions on foreign capital investment in outsourcing industries; however, there are some special administrative measures for investment in specific fields in China. If the technology transaction or outsourcing involves the fields/industries mentioned in the Negative List (2021), the investment should comply with the relevant restrictions.

Technology Export Restrictions

If technology outsourcing involves cross-border transactions, it is necessary to pay attention to issues related to technology import and export. The following laws and regulations apply to the foreign trade of technology, and to the protection of IP rights associated with technology import and export:

• the Foreign Trade Law (amended in 2022); and
• the Administrative Regulations on Import and Export of Technologies (amended in 2020).

China implements multilevel management of technology import and export, as follows.

• For technologies that are freely imported and exported, the transaction contracts should be filed and registered with the competent authority.
• For technologies that are restricted from import or export, application to and approval from the competent authority are required.

Privacy, Data Security and Transfer

Privacy, data security and data transfer are highly regulated in the PRC, as discussed in more detail in 2.3 Restrictions on Data Processing or Data Security.

Taxation

The practice of technology outsourcing and cross-border remote work may have cross-regional tax implications. Enterprises need to properly deal with the tax issues of service providers and contractors, as well as employees’ tax matters according to national tax regulations.

Financial Institutions

The China Securities Regulatory Commission (CSRC) and the China Banking and Insurance Regulatory Commission (CBIRC) have issued various measures and guidelines to regulate risk in outsourcing transactions in the financial sector.

These directives necessitate that banks and financial institutions establish a robust organisational structure, conduct thorough risk assessments and uphold strict information confidentiality during outsourced processes to ensure continuity and security across financial institution-related outsourced activities.

Banks and financial institutions in China primarily adhere to:

• the CBIRC Guidelines on the Management of Outsourcing Risk of Banking Financial Institutions (2010); and
• the CBIRC Measures for the Regulation of IT Outsourcing Risks of Banking and Insurance Institutions (2021).

Both sets of guidelines mandate that banking entities and financial institutions use effective systems for managing outsourcing risks alongside conducting routine assessments aimed at controlling or mitigating the potential risks.

Any delegation of IT and cybersecurity management responsibilities within the realm of financial services is explicitly barred – particularly noteworthy is that commercial banks are strictly forbidden from delegating critical facets related to pre-lending operations, loan disbursement procedures and post-loan servicing tasks, as well as their associated risk-management obligations.

In carrying out outsourcing activities, banks and other relevant finance bodies must regularly submit an outsourcing assessment report to the local banking authority. Furthermore, commercial banks (including custodian banks) shall distinguish between their core functions and those being delegated whilst prudently identifying, managing and monitoring attendant risks.

Public Offering Sponsorship

Where an issuer applies for the public offering of shares and adopts the underwriting method used in China, it shall employ a securities company as a sponsor.

Securities companies and securities service organisations, as the sponsor, must comply with the relevant requirements of the Securities Law (amended in 2019) in the course of outsourcing transactions.

The sponsor shall comply with business rules and industry norms, be honest, trustworthy, responsible and diligent, conduct due diligence review on the application documents and information disclosure materials of the issuer, and supervise the conduct of the issuer. It must not illegally purchase and sell, provide or publicise investor information.

The scope of sponsorship work that can be outsourced is regulated by the following rules and regulations:

• the CSRC Opinions on Strengthening the Risk Prevention and Control of Integrity-Related Practice Risks by Securities Companies Engaging Third Parties in Investment Banking Business (2018); and
• the CSRC Due Diligence Guidelines for Sponsors (2022).

During due diligence, the securities company, as the sponsor, shall perform its duties independently, diligently and legally, and reasonably use third-party services from an auditor, asset appraiser, legal consultant, financial consultant, consulting consultant, etc, in accordance with its objectives and needs; furthermore, it shall not outsource its statutory duties. The liability that the sponsor shall bear in accordance with the law will not be mitigated or exempted due to the engagement of a third party.

The sponsor shall investigate the basic information, qualifications and practice record of a third party, clarify the specific working practices of the third party and personnel, and review the work results and conclusions of the third party and personnel.

Insurance

CBIRC regulates insurance companies’ outsourcing transactions through the following rules and regulations:

• the Measures for the Supervision and Administration of Insurance Group Companies (2021);
• the Administrative Measures on Critical Illness Insurance for Urban and Rural Residents by Insurance Companies (2021); and
• the Measures for Regulating the Informatisation Work of Insurance Intermediaries (2021).

Insurance companies and their subsidiaries are required to report to CBIRC before signing any service-outsourcing contract. CBIRC may, based on the risk assessment of the outsourcing arrangements, implement measures such as issuing risk warnings and scheduling discussions. It is prohibited for insurance companies to fully outsource any critical illness insurance services to other external entities.

In addition to defining the scope of each outsourcing arrangement – encompassing the delineation of responsibilities, ensuring security and confidentiality, and safeguarding personal information – insurance companies should employ effective methods aimed at guaranteeing secure management of – and continuous oversight over – data and information systems by their service providers.

With respect to insurance intermediaries, it is imperative that they engage in outsourcing activities to fully comprehend and prudently manage risks associated with aspects like data input/storage, data security and personal information protection.

Service Providers for the Public Sector

The Government Procurement Law (amended in 2014) and its implementing regulations govern the procedures for public tenders for outsourced services by government contractors. They outline the procurement methods, procedures, and contractual and monitoring standards for government outsourcing processes.

For example, specific compliance requirements for the procurement process must be met, including in relation to:

• how the outsourcing customer (the government) tenders for services, including the requirements for supplier qualifications;
• how the outsourcing customer (the government) selects service providers and manages the process; and
• how the outsourcing customer (the government) enters into procurement contacts.

Telecoms

Providers of telecommunications services should ensure that their services and activities comply with the relevant laws and regulations during any outsourcing. For example, under the Telecommunications Regulations (amended in 2016), operators of outsourced services must apply for a telecommunications business permit. In addition, if the outsourcing of the telecoms involves data security and personal information protection, it should also comply with the relevant laws and regulations (see 2.3 Restrictions on Data Processing or Data Security).

IT and Cloud Services

Outsourcing involving IT and cloud processes may be subject to specific requirements concerning data compliance, data privacy, and personal information protection. The customer and the service provider must ensure that the processing of data and personal information in the process of any IT and cloud services outsourcing complies with the requirements of laws and regulations such as the Personal Information Protection Law (2021), the Cybersecurity Law (2016) and the Data Security Law (2021) (see 2.3 Restrictions on Data Processing or Data Security).

The following PRC laws and regulations regulate data processing and data security in China:

• Several Provisions on the Business Information Protection of Domestic Enterprises’ Contracting of Outsourced Services (2009);
• the Cybersecurity Law (2017);
• the Data Security Law (2021);
• the Personal Information Protection Law (2021);
• the Cybersecurity Review Measures (2021);
• the Security Assessment Measures for Data Provision Abroad (2022);
• the Implementing Rules for the Certification of Personal Information Protection (2022);
• the Measures on the Standard Contract for Outbound Transfer of Personal Information (2023);
• the Provisions on Promoting and Regulating Cross-border Data Flows (2024);
• the Data Export Security Assessment Application Guide (second edition) (2024); and
• the Personal Information Export Standard Contract Filing Guide (second edition) (2024).

Data Security

The PRC has established a data-classification and -grading system that categorises and grades data based on its importance to economic and social development, as well as the degree of harm that may be caused to national security, the public interest, or the legitimate rights and interests of individuals and organisations if the data is tampered with, destroyed, leaked, or illegally obtained or used. Data related to national security and significant public interests is classified as “national core data” and is subject to more stringent management.

The PRC has also established a data security review system to conduct national security reviews of data processing activities that affect – or may affect – national security.

Data Processing

Data-processing activities should be carried out in accordance with the provisions of laws and regulations; a sound full-process data security management system should be established, along with other necessary measures, to ensure data security.

Entities providing data-trading intermediary services should request that data providers explain the data source, verify the identities of both parties involved in the transaction, and retain records of the verification and transaction.

Network operators must keep the user information they collect strictly confidential and establish a sound system for the protection of user information. Network operators must not disclose, alter or destroy personal information without the consent of the person whose information they have collected, and they must not provide personal information to others.

Cross-border Data Flows

Personal information and important data collected and generated by operators of critical information infrastructure during operations in China shall be stored within the territory of the PRC.

Data processors who provide data overseas shall apply for a data export security assessment. The data export security assessment focuses on evaluating the risks that the data export activities may bring to national security, the public interest, and the legitimate rights and interests of individuals or organisations.

In China, there is no universally mandated or statutory contract model specifically for outsourcing transactions, with direct outsourcing emerging as the predominant approach.

Direct Outsourcing

The customer and the service provider enter into a direct outsourcing contract, which typically outlines the outsourcing scope, service standards, pricing terms, and respective rights and obligations of both parties. While there is no specialised legislation governing outsourcing agreements, the Civil Code (2021) serves as the general legal benchmark.

This outsourcing model is streamlined and user-friendly, enabling the customer to concentrate on their core competencies while leveraging the specialised knowledge of service providers and achieving cost efficiency through economies of scale in ancillary business sectors. Nonetheless, use of the model may necessitate additional time and lead to higher administrative expenses in managing the outsourcing partnership. This is to ensure the delivery of high-quality outsourced services and to mitigate potential risks to the customer’s reputation.

Indirect Outsourcing

Indirect outsourcing, also known as third-party or subcontracted outsourcing, is a business arrangement where a service provider contracts with another entity to perform part or all of the services they have agreed to provide to the original customer.

While there is no specific law dedicated solely to indirect outsourcing, the contractual relationship is governed by the general principles of contract law, as outlined in the Civil Code (2021) and other relevant regulations. The Civil Code (2021) upholds the principle of freedom of contract, allowing parties to freely negotiate and determine the content of their contracts, including indirect outsourcing agreements, although subcontractors must also comply with any industry-specific regulations that apply to the services being provided.

Indirect outsourcing can be prohibited in specific fields. For example, a banking financial institution can state in the outsourcing contract that the service provider may not assign/subcontract the outsourced service to others, openly or covertly.

When the original contract between the customer and the primary service provider does not explicitly allow for subcontracting, the service provider may also need the customer’s consent to engage in indirect outsourcing.

Multisourcing

Multisourcing is a strategic procurement model where a client entrusts different yet interrelated functions and tasks to a variety of service providers. This method presents numerous advantages, including:

• stimulating competition among providers, thereby enhancing pricing, quality and innovation;
• gaining access to a broader spectrum of expertise;
• mitigating risks through the distribution of service dependencies;
• lowering operational costs;
• reducing reliance on any single service provider; and
• enhancing the safeguarding of sensitive information.

Despite these benefits, effective co-ordination is essential to ensure seamless collaboration among the different providers and meet the company’s specific requirements.

In the PRC, multisourcing arrangements are governed by the overarching principles of the Civil Code (2021), as well as by all pertinent sector-specific regulations and legislation concerning national security, secrecy and data security.

Joint Venture or Partnership

Once a joint venture or partnership is established between a customer and a service provider, the co-operation is governed by the respective laws of joint ventures and partnerships. Such arrangements transcend the conventional definition of “outsourcing” under the PRC legal framework. Therefore, the joint venture and partnership-based outsourcing models are deemed inapplicable within the purview of PRC laws.

Captive Entity

In light of the same considerations mentioned in the foregoing, captive-entity outsourcing is not relevant to PRC legal constructs. Consequently, under the PRC’s laws, the captive-entity outsourcing model is considered inapplicable.

The robust development of IT outsourcing and technology outsourcing is based on trends in digital transformation. PRC laws stipulate the service provider’s obligations during outsourcing transactions, especially in relation to information security and IP protection.

PRC laws require the service provider to sign confidentiality and non-compete agreements with employees, especially those involved in confidential matters, and to sign confidentiality agreements with third-party personnel involved in confidential information to ensure information security.

If a service provider fails to perform its obligations, the remedial measures available to the customer depend on the types of outsourced service, the agreed terms of the outsourcing contract and the provisions of PRC laws (mainly the Civil Code (2021)) on contractual remedies or remedies for breach of contract.

Pursuant to the Civil Code (2021), possible remedies for customers mainly include:

• continuous performance;
• repair, reworking or replacement;
• compensation for losses and damages for breach of contract (see 4.3 Liability);
• the right of subrogation – because the service provider neglects to exercise its rights, affecting the realisation of the customer’s due claims, the customer may request the court to exercise the service provider’s rights against the obligor in the customer’s own name, except for the rights that are exclusively the service provider’s own; and
• termination of the contract (see 4.2 Termination).

If the outsourcing contract stipulates the liabilities for breach of contract, then those liabilities will be borne in accordance with the agreement between the parties. In the absence of any agreement in the contract, or where the agreement is unclear, the customer can, in light of the nature of the subject matter and the degree of loss, reasonably choose to request that the other party assume its liability for breach of contract in accordance with the remedies mentioned in this section.

The amount of compensation for losses should be equal to the losses caused by the breach (including any interest due to be received after the performance of the contract), provided that the compensation does not exceed the probable losses caused by the breach that could have been foreseen, or ought to have been foreseen, by the breaching party when the contract was concluded. Please refer to 4.3 Liability for details.

Reasons for Termination

Pursuant to the Civil Code (2021), the parties may terminate the contract if they reach consensus through consultation. The parties may agree on the reasons for termination of the contract by one party. When the cause of termination occurs, the termination right holder may terminate the contract.

Pursuant to the Civil Code (2021), the parties may terminate the contract under any of the following circumstances:

• force majeure renders the contract’s objective unattainable;
• before the expiration of the performance period, one party explicitly states or indicates through their conduct an intention not to fulfil their main obligations;
• one party delays performance of their main obligations and then fails to perform them within a reasonable period after being urged to do so;
• one party’s delay in performing their obligations or some other breach of contract prevents achievement of the contract’s purpose; or
• other circumstances prescribed by law.

For an indefinite contract with ongoing obligations, the parties may rescind the contract at any time but should provide reasonable advanced notice to the other party.

Procedures for Termination

Pursuant to the Civil Code (2021), a party that legally seeks to terminate the contract shall notify the other party; the contract is considered terminated when the notification reaches the other party. If the other party has objections to the termination of the contract, either party may request that a court or an arbitration institution confirm the effectiveness of the termination.

Post-termination Arrangements

After the contract is terminated, the performance of any unfulfilled obligations can cease; for those that have been performed, depending on the circumstances of the performance and the nature of the contract, the parties may request a return to the original state or take other remedial measures, and have the right to claim compensation for losses. If the contract is rescinded due to a breach, the party with the right to rescind may request that the breaching party assume liability for the breach, unless the parties have agreed otherwise.

The Civil Code (2021) specifies post-termination obligations, requiring parties to:

• adhere to the principles of good faith and fulfil obligations such as notification, assistance, confidentiality and the return of used items, in accordance with customary trading practices; and
• recognise that the termination of the contractual rights and obligations does not affect the validity of the settlement and liquidation clauses within the contract.

If any breached post-contractual obligation causes losses to the other party, the breaching party is liable for compensation.

Beyond statutory duties, parties may also negotiate and include post-termination stipulations in their contracts, such as:

• a continuing duty of confidentiality for commercial secrets and materials during the transitional phase;
• non-compete restrictions for the service provider’s personnel, prohibiting employment/co-operation with the customer’s competitors; and
• extended access rights to the service provider’s proprietary knowledge after the termination of the outsourcing contract.

Direct/Indirect Loss

The laws of the PRC follow the principle of full compensation for breach of contract, which includes both direct and indirect losses. Direct losses are the natural and direct consequence of a breach of contract. Indirect loss refers to the loss of benefits that were expected to arise from the performance of the contract. According to the nature of the contractual transaction, the purpose of the contract and other factors, compensable profit loss includes three major types: production profit loss, operating profit loss and resale profit loss.

When calculating and determining the compensable profit loss, the principle of foreseeability, impairment losses, the loss-profit balance and fault balance shall be comprehensively considered. That is, the unforeseeable losses of the breaching party, the unduly enlarged losses of the non-breaching party, the benefits obtained by the non-breaching party due to the breach, the losses caused by the negligence of the non-breaching party and the necessary transaction costs shall be deducted from the total amount of compensation for the available benefits claimed by the non-breaching party.

As long as the contract is silent on the exclusion of indirect losses and liability limitation, the party performing the contract can claim compensation for the loss of expected benefits, and the breaching party is liable for damages that were foreseeable when it entered into the contract.

Limitation of Liability

The parties are also free to negotiate the liability limitation clauses in contracts, subject to the respective bargaining positions of the parties. Common clauses include a cap on the liability of compensation for breach of contract and exemption from compensation for indirect losses.

Nonetheless, as per the Civil Code (2021) and associated regulations, certain liabilities cannot be contractually excluded. Any attempt to do so, even with mutual consent, may render such clauses legally invalid, specifically:

• those causing personal injury to the other party; and
• those resulting in property damage to the other party due to wilful action or gross negligence.

The liability limitation provisions in a contract that exclude liability for indirect losses or limit the maximum compensation may be recognised as valid by the PRC courts, provided they do not contravene mandatory provisions of the law.

Clauses about liability limitation are generally valid if they are established through fair negotiation between the parties on an equal and voluntary basis and do not violate public interests, though full compensation is the statutory compensation principle for breach of contract under PRC law.

In practice, the courts respect the principle of party autonomy in contract law and consider the clauses limiting the liability for breach of contract as a measure to control business risks. Even if the performing party has provided evidence that the actual loss does not exceed the agreed compensation limitation by a substantial amount, the court may still recognise the liability limitation agreed in the contract. This is because, from a judicial viewpoint, the scope of foreseeable losses under the contract is limited to the agreed clauses on liability exclusion, maximum compensation or any other limitation when forming the contract.

However, in cases of severe imbalance of interests, such as when the actual losses are much higher than the agreed liability cap, the PRC courts have discretion to surpass the agreed compensation limits and determine compensation based on the actual loss proven by the performing party.

There are no statutory implied terms in China that are relevant to technology or outsourcing contracts. The terms and conditions of contracts and their performance are fully subject to the autonomy of the parties, provided the outsourcing contract does not touch on situations where the contractual terms may be invalid or create other defects in validity.

The data protections and security measures in China are mainly discussed in 2.3 Restrictions on Data Processing or Data Security, while the Cybersecurity Law (2017) mainly covers the general rules regarding network operation security and cybersecurity.

The PRC implements a cybersecurity-level protection system. Network operators should fulfil their security protection obligations in accordance with the requirements of the cybersecurity-level protection system, ensuring that the network is protected from interference, destruction or unauthorised access, and preventing network data from being leaked, stolen, tampered with or altered.

When network operators handle user registration procedures, or provide users with services such as information release or instant messaging, they should require users to provide real identity information when confirming the provision of services. If the user fails to provide real identity information, the network operator shall not provide the relevant services.

Network operators should formulate emergency plans for cybersecurity incidents and promptly deal with security risks such as system vulnerabilities, computer viruses, network attacks and network intrusions.

General Introduction

The specifics of performance measurement and management agreements might be incorporated into the service-outsourcing contract, whereas compliance matters are governed by particular legal and regulatory frameworks (see 2 Regulatory Environment).

Compliance

The customer and service provider may reach an agreement on extensive compliance clauses in their outsourcing contract to ensure that all outsourced service activities comply with PRC laws and regulations. These clauses can relate to (among others):

• arrangements to ensure the protection of personal information and data security;
• arrangements to ensure confidentiality and security for outsourced services;
• prohibitions on tax evasion;
• commitment to integrity and anti-corruption; and
• commitment to labour compliance.

Warranties and Indemnities

The outsourcing service contract will generally contain the following warranty and indemnification agreements:

• a quality warranty and after-sales service agreements for products or services;
• non-infringement and use and transfer warranties for IP;
• personal information protection and data security assurance (where service providers should comply with the provisions of relevant laws and regulations; see 2.3 Restrictions on Data Processing or Data Security);
• the necessary licences and qualifications for outsourcing (see 2.1 Restrictions on Technology Transactions or Outsourcing and 2.2 Industry-Specific Restrictions); and
• anti-corruption, anti-bribery and personnel integrity warranties.

Please refer to 2.3 Restrictions on Data Processing or Data Security for details of the legal regulatory systems pertaining to digital transformation.

Technology outsourcing and cloud services are closely connected to the collection, processing and cross-border flow of data. Article 9 of Security Assessment Measures for Data Provision Abroad (2022) stipulates that a PRC data processor and an overseas recipient shall expressly agree on the responsibilities and obligations related to data security protection in the finalised legal documents, which shall include at least the following contents:

• the purpose, method and scope of data going abroad, as well as the purpose and method of data processing by the overseas recipient;
• the location and duration of data storage overseas;
• the binding requirements for the overseas recipient to further transfer the data going abroad to other organisations or individuals; and
• remedial measures, liability for breach of contract and dispute resolution methods in the case of violation of the obligations for data security protection stipulated in the legal document.

Workforce Engagement Models

In China, the employment landscape is characterised by diverse engagement models, each overseen by distinct legal and regulatory standards, as follows.

• The standard labour relationship is the traditional employment model, with legal protections and benefits as defined by labour legislation.
• Labour dispatching involves a tripartite relationship, where a dispatch company provides labour to a client company under a specific legal framework.
• Non-labour relationships, such as personal service contracting and service outsourcing, are not classified as formal labour relationships and are governed by civil law, focusing on service agreements between service providers and businesses.

Standard Labour Relationship

Standard labour relationship refers to the relationship between the employee and the employer (which must be a legal entity or organisation in China) in respect of labour rights and obligations, and it is mainly regulated by:

• the Labor Law (amended in 2018);
• the Labor Contract Law (amended in 2012); and
• the Implementation Regulations for the Labor Contract Law (2008).

Labour Dispatching

Labour dispatching is a tripartite employment model that engages a dispatching company acting as the employer, the employee and the dispatched company (ie, customer), the latter of which utilises the employee’s labour to accomplish specific tasks. This model is governed by a set of PRC laws and regulations that clarify the rights and obligations of each party involved, including:

• the Labor Contract Law (amended in 2012);
• the Implementation Regulations for the Labor Contract Law (2008); and
• the Interim Provisions on Labor Dispatching (2014).

The labour-dispatching company recruits the employee, establishes the labour relationship and concludes employment contracts with the dispatched employee. The dispatching company shall conclude the dispatching agreement with the customer before the employee is dispatched.

The dispatching company must obtain a business permit for the dispatching service. Dispatching is only applicable to provisional, ancillary or substitutive positions, and the proportion of dispatched employees cannot exceed 10% of the total employees of the dispatching company.

The dispatched employee is managed by the dispatching company with respect to routine work and is subject to the internal rules of the dispatching company. Where the employee causes injury to a third party during working hours, the dispatching company shall bear the responsibility, and the customer only bears supplementary responsibility if it has any culpability.

Personal Service Contracting

In personal service contracting, there is a contractual relationship between a business and an individual outlining their respective rights and duties in relation to the individual’s rendering of specific services or completing particular tasks for the business. The recipient of the service makes payments to the individual provider, as stipulated by the contract.

Distinct from labour relationships, such legal agreement is often project-specific and does not imply a long-term, stable employment relationship, offering a flexible approach to workforce engagement. Personal entrustment and personal contracting are examples of this arrangement.

Service Outsourcing

Service outsourcing is a form of workforce engagement in which an enterprise (ie, the customer) outsources certain business to a contractor, concludes the service-outsourcing contract and pays the service provider for its services in accordance with the contract. Unlike the standard labour relationship and labour dispatching, service outsourcing is not a statutory employment model.

Under this model, the contractor (ie, the service provider) arranges – on its own – to complete the relevant outsourced business or tasks according to the requirements of the customer. The service provider may send its employees or subcontractors to the office of the enterprise to complete the service, if needed.

It is worth noting that the “object” to be outsourced is not the person (if applicable), but rather the service. There is no direct employee-employer legal relationship between the customer and the employees/subcontractors of the service provider. The customer has no right to manage the workforce, which works for the service providers and is employed/contracted by the contractor. The customer can only determine whether the service provided by the service provider complies with the service-outsourcing contract.

Secondments, assignments and shared staffing arrangements are practices that exemplify service outsourcing when they are not conducted through labour dispatching.

Employment Transfer

All of the foregoing models of workforce engagement may involve a transfer of employees. However, whether the labour relationship per se is changed depends on the actual circumstances.

Where there is a merger, acquisition or demerger of a company, a change to the legal status and economic structure of the company occurs, which in turn may cause a transfer of employees and even a change in labour relationships.

If the employer still exists after such transaction, the original labour contract remains valid and must continue to be performed by both the employer and the employees.

If the employer changed after such transaction, the original employer, the new employer and the employee may sign an amendment to the original labour contract to update the employer’s information. Alternatively, the parties may negotiate to terminate the original labour contract, and the new employer may enter into a new labour contract with the employee.

If the employer unilaterally terminates the labour relationship with the employee after such transaction, it shall pay economic compensation to the employee in accordance with the relevant laws and regulations.

After Employment Transfer

Where the employer and the employee mutually agree to terminate the labour contract, the employer settles any unpaid salary, unused annual leave and economic damages, issues a certificate of termination of the labour relationship and “winds up” all the employee’s social security accounts.

Where employee transfer takes place in a company group, the former employer terminates the labour relationship with the employee. It may be a requirement to pay economic damages to the employee. The employee’s length of service for the former employer may be transferred to the new employer, if it is to be calculated consecutively. When the new employer and the employee mutually agree to terminate the labour contract, the new employer shall also pay economic damages, including the portion that the former employer shall pay at its termination.

Where the employer decides to terminate the labour relationship unilaterally, in accordance with Article 40 of the Labor Contract Law (amended in 2012), it shall notify the trade union to seek opinions on such termination. Upon receipt of the trade union’s agreement, the employer shall notify the employee.

General Principles

Pursuant to the Trade Union Law (amended in 2021), the basic duties of trade unions are to safeguard the legitimate rights and interests of – and serve – employees. Trade unions organise employees to participate in democratic activities through an employee representative assembly or other forum.

A trade union has the following rights and powers under the Trade Union Law (amended in 2021), the Labor Contract Law (amended in 2012) and other relevant regulations.

Right of Participation

Where an employer formulates, revises or decides on rules or major matters pertaining to salary and welfare, working hours and rest periods, labour safety and health, social insurance, labour discipline, etc, which directly involves the vital interests of employees, such matters shall be discussed by the employee representative congress or all staff – who shall make proposals and give their opinions – and the employer shall carry out equal negotiation with the trade union or employee representatives before making a decision.

Where an employer genuinely needs to reduce staff during a period of statutory rectification due to bankruptcy or major difficulties in its production and business operations, it shall, 30 days in advance, explain the situation to the trade union, or all workers, and seek the opinions of the trade union or workers. It may also lay off employees after reporting to the labour authority.

Power of Supervision

When deciding on and implementing rules and major matters, the trade union or staff shall have the right to raise their concern with the employer on any inappropriate issues, and such issues shall be addressed and rectified through negotiation.

Where an employer violates the employee representative congress system and other systems of democratic management, the trade union has the right to demand redress and to protect employees exercising their right to democratic management in accordance with the law. Where the employer violates the provisions of laws and regulations or the labour contract, the trade union shall have the right to require the employer to make corrections. Trade unions have the right to investigate infringements of employees’ legal rights by the employer.

Where an employer penalises an employee and the union believes that the punishment is inappropriate, the union has the right to raise objections. An employer that unilaterally rescinds a labour contract shall notify the trade union of the reason beforehand. The employer shall study the opinion of the trade union and notify the trade union in writing of the outcome.

With the development of globalisation, the outsourcing industry in China has developed rapidly.

PRC Entities as Outsourcing Customers

Offshore outsourcing in China has seen a steady rise in demand in recent years. This is particularly evident among Chinese entities that are establishing subsidiaries or branches abroad to tap into new international markets. Offshore outsourcing facilitates swift understanding of local customs and compliance with the regional regulations for these entities. Additionally, it helps minimise the costs associated with the learning curve.

BRI has stimulated demand for nearshore outsourcing, and onshore outsourcing within China continues to grow in popularity as many organisations seek to curtail labour expenses and access more specialised services. By offloading certain business activities or processes to third-party providers, these entities aim to enhance operational efficiency.

PRC Entities as Outsourcing Service Providers

China’s outsourcing sector has demonstrated robust growth across various domains. The manufacturing, financial, and medical and biotechnology industries stand out as three key areas experiencing a surge in outsourcing.

From 2016 to 2022, there has been a consistent annual increase in the proportion of offshore information technology outsourcing (ITO), BPO and knowledge process outsourcing (KPO), reflecting a positive trend in the diversification and expansion of the country’s outsourcing services.

Currently, there are no specific laws or regulations that directly govern remote work. Nonetheless, remote work can give rise to several key issues, including data transfer, privacy protection, IP and taxation matters. Additionally, compliance requirements in certain industries, such as pharmacy, banking and securities, must be considered.

Data Security and Privacy Protection

In accordance with the Data Security Law (2021) and Personal Information Protection Law (2021), employers must handle data during remote work while adhering to PRC legal frameworks, particularly when dealing with sensitive personal information and critical data that could have implications for national security. For multinational corporations, intercompany data sharing might also be governed by the Security Assessment Measures for Data Provision Abroad (2022).

IP and Trade Secrets Protection

Remote work can heighten the risk of leakage of trade secrets or other confidential information, such as designs, formulas, financial data, strategic plans and accounting information. To mitigate these risks, employers should prioritise compliance training for employees to enhance their awareness and commitment to safeguarding confidential information.

Business Compliance

Employers are responsible for ensuring that remote workers receive adequate training and support to comply with all relevant laws and regulations, with special attention paid to industries that are under stricter supervision and heavily regulated sectors.

Taxation Compliance

Remote workers may face the complexity of double taxation or more intricate tax-filing processes. Employers are obligated to handle tax declarations on behalf of their employees in line with legal and regulatory requirements. Additionally, employers should offer increased support to employees who have concerns regarding their tax obligations.