Assessing the Risks Posed by China’s Extraterritorial Lawfare to Businesses
Executive Summary
In January 2026, the China Strategic Risks Institute (CSRI) published The PRC’s Extraterritorial Legal Architecture: Long-arm Jurisdiction as an Instrument of Transnational Repression and Statecraft. The report provided a comprehensive mapping of the extraterritorial legal toolkit of the People’s Republic of China (PRC) through the lens of transnational repression (TNR), identifying 15 laws with extraterritorial reach and how they are used toward the repression of individuals and organisations internationally.
This report outlines the impact of PRC’s expanding extraterritorial legal toolkit on the operations of businesses internationally. By exploring what obligations these laws place international businesses under – whether or not they have operations within China itself – this paper will explore the various security, ethical, financial, reputational, and other risks that arise for businesses. Amidst a rapidly changing legal and geopolitical landscape, businesses must understand these emerging trends to protect their commercial interests and avoid reputational damage.
Building out its extraterritorial toolkit is a key objective for China as it attempts to fight back against the growing trend of ‘de-risking’ from China, spurred by supply and cost shocks arising from China’s increased willingness to instrumentalise bottlenecks and monopolies over certain key industries. A spate of new regulations were introduced in March 2026 to strengthen Beijing’s ability to control foreign economic activity, intended to maintain control over strategic supply chains and strengthen restrictive measures against foreign entities on national security grounds. These measures have been introduced amid other high-profile news stories, such as Beijing’s blocking of the sale of AI firm Manus to Meta. These developments suggest that business and geopolitics stand to become ever more tightly entwined, continuing to put companies at odds between their international and China-specific obligations.
Key findings
Companies are at a growing risk of finding themselves in a ‘double bind’, caught between international standards and PRC law. Nowhere is this clearer than in the field of data protection. While a number of jurisdictions are developing increasingly aligned data protection safeguards, such as the General Data Protection Regulation in the EU and UK, the Personal Data Protection Act in Singapore, and Japan’s Act on the Protection of Personal Information, PRC law explicitly overrides such regulations by requiring companies to hand over private data to authorities when requested to do so. These contrasting standards and regulatory regimes may increasingly pull companies in opposite directions, placing them in ‘compliance dilemmas’. As tensions between China, the US and its allies grow, companies may also be caught in the cross-fire of conflicting sanctions regime – with the PRC recently introducing legislation to directly penalise those who comply with sanctions against China.
Companies are increasingly expected to enforce China’s ‘transnational repression’ campaigns globally. Since the advent of the Hong Kong National Security Law in 2020, foreign firms – particularly banks – are routinely pressured by PRC authorities to place restrictions on the ability of dissidents living overseas to access bank accounts and other financial services. Companies should be prepared for these requests to become more frequent, as the PRC intensifies ‘transnational repression’ against other groups, and through other means. For example, under extraterritorial clauses, PRC authorities may request access to the personal data of dissidents abroad held by foreign companies, or to remove social media accounts and content – which may put companies in breach of laws, regulations and ethical standards in their host countries.
China’s increasing use of extraterritorial measures and supply chain weaponisation places companies at the whim of political factors beyond their control. Vague and all-encompassing concepts of national security and national interest are increasingly used by the PRC to justify a broad range of policies and extraterritorial legal claims with impact beyond its borders. Intensifying geoeconomic competition places international firms with strong dependencies on PRC supply chains at particular risk, as exemplified by China’s sudden introduction of export controls on rare earth minerals in 2025. As China becomes more assertive and willing to internationalise its political and legal jurisdiction, the financial and security risks to international businesses only stand to deepen.
Key risks
By assessing a variety of PRC laws and regulations across four themes – National Security, Data and Cyber, Political Control, and Economics – this paper identifies five main categories of risk for international businesses arising from the PRC’s extraterritorial legal toolkit. These include:
Legal risks: Businesses may increasingly find themselves subject to legal measures by PRC authorities in response to activities that take place outside of the PRC, such as hosting content that the PRC considers seditious or transferring seemingly neutral economic data abroad.
Financial risks: Businesses may be forced into costly legal battles and face penalties if caught between conflicting demands between local jurisdictions and PRC extraterritorial law. Businesses may have assets frozen or lose access to China’s market under China’s counter-sanctions regime.
Security risks: China’s data protection frameworks increasingly empower authorities to demand and seize sensitive data from foreign companies, and to demand or request data held overseas. This has compelled some businesses to move data infrastructure overseas, owing to the stark data security concerns arising from these powers.
Ethical risks: Businesses may be compelled to support acts of transnational repression, such as denying services to or providing personal information to PRC authorities on overseas dissidents and critics of the PRC government, contravening ethical guidelines, local laws and international human rights obligations.
Reputational risks: Connected to ethical risks, businesses may be subjected to intense political, public, and media scrutiny if discovered to be complying with government demands or requests that facilitate human rights abuses.
Recommendations for Business and Policymakers
To address these risks, businesses and policymakers in all countries must undertake effective actions to understand threats, protect against risks, secure their commercial interests and uphold human rights standards.
Recommendations for Businesses
Conduct regular ‘risk audits’ with particular attention to the PRC’s extraterritorial reach, assessing assets and personnel in China that may be vulnerable, dependencies on China-based suppliers, data which may be vulnerable to subpoena by Chinese authorities, and any other areas where authorities may attempt to claim jurisdiction. Vet potential partners in China for political and governmental influence, to help anticipate where pressure points may originate.
Establish ethical protocols to proceduralise the refusal of sharing sensitive data on human rights or political grounds, preventing companies from becoming complicit in PRC authorities’ efforts to harass, monitor, and limit access to services for overseas critics and dissidents. This may include prima facie protection designation of particular groups (e.g. Hong Kong BNO status holders) who are known to be targeted for harassment.
Develop clear internal protocols for managing PRC demands, such as requests from PRC authorities for access to sensitive data, or to remove sensitive conduct. Companies should develop a clear ‘code of conduct’, allowing staff to be informed on the risks of complying with such requests, and ensuring that such decisions are escalated and dealt with appropriately.
Avoid storing sensitive data on PRC-linked servers, including sites within the PRC or with PRC firms that are operating abroad, and do not send employees to the PRC with devices that contain sensitive data that could be subject to seizure. Prioritise data storage with trusted suppliers located outside of the PRC, based on factors such as legal compliance, commitment to ethical standards, and adherence to industry best practice. Notify relevant embassies within the PRC about any demands by authorities for sensitive information.
Protect data rights and specify jurisdiction rights within contracts. When entering into business with PRC entities, companies should state clearly in contractual agreements where data is to be stored and how it can be accessed, with choice of law, forum selection, and arbitration clauses specifying a trusted, non-PRC jurisdiction.
Reduce supply chain dependencies on China by building relationships with suppliers in other jurisdictions, maintaining stockpiles of key materials and resources to help endure geopolitical shocks (e.g. the unexpected introduction of export controls). Review and map supply chains in their entirety to identify key points of vulnerability and build short- and long-term strategies for diversifying supply bases. Identify specific sectors and suppliers that may be vulnerable to sanctions and counter-sanctions, and identify third-country alternatives to avoid supply chain disruption and penalties.
Recommendations for Policymakers
Publish guidance to businesses on resisting transnational repression. Governments should give robust guidance to businesses to ensure they understand the ethical, financial, reputational and legal risks posed to their businesses by transnational repression and extraterritorial lawfare. This should be shared both as a standalone advice sheet and incorporated into country-specific risk profiles maintained by national governments. Such guidance should include information on understanding business’ political rights obligations; recognising signs of transnational repression; establishing meaningful reporting mechanisms; and providing necessary support to employees, clients, and other stakeholders experiencing transnational repression.
Establish inter- and intra-government task forces, bringing together relevant ministries and departments, to share intelligence and best practice about China’s evolving use of extraterritorial lawfare, with close consultation with business. This will ensure businesses have continually updated intelligence and support about the methods used, and ways to insulate against them.
Introduce mandatory human rights due diligence legislation to ensure businesses do not comply with extraterritorial demands to support the perpetration of transnational repression. Calls for such legislation have long been supported by leading voices in civil society and business, including major companies and investors. International standards on business and human rights require businesses to uphold all rights, including those set out in the International Covenant on Civil and Political Rights, which includes such rights as freedom of expression, association, and the right to privacy. Foreign governments’ efforts to monitor and silence overseas critics are a direct violation of these rights.
Bolster supply chain resilience and critical resource access: Significantly ramp up funding and resource for diversification initiatives in key industries, building on recent strategies to diversify strategic resources such as critical minerals, providing state support for industry to develop sources of strategic resources outside of the PRC. This can be measured through specific sourcing limits, for example, allowing no more than 40% of a given strategic resource to be sourced from a single country, and a more strategic focus on ‘friendshoring’. Deepen strategic stockpiles of key resources, including energy, critical minerals, pharmaceuticals, and others, to insulate against foreign coercion or supply shocks. These steps will help build national resilience against the extraterritorial application of export controls and counter-sanctions, as seen through repeated occurrences throughout 2025.