Roughly one year and three reviews after its initial introduction, the Data Security Law of the People's Republic of China was officially passed on June 10, 2021. Coming into full force on September 1, 2021, the Data Security Law (DSL) demonstrates China's efforts to address the protection and processing of different types of data and strengthen the foundation of their national security.
Along with a sweeping scope, tightened restrictions on data transfers, and severe penalties for noncompliance, the DSL will also include a hierarchical data classification system, which will categorize and protect data based on its importance. Together with China's Cybersecurity Law (CSL), which was implemented on June 1, 2017, and the Personal Information Protection Law (PIPL), which was passed on August 20, 2021 and goes into effect November 1, 2021, China aims to build a comprehensive regulatory system for both cybersecurity and data protection governance.
With its focus on the security of data itself, this new law is expected to have a significant impact on data processing activities and business operations in China, especially targeting native technology giants. Keep reading to understand the significant features of the Data Security Law and prepare to meet the compliance obligations under this new law.
Background of China's Data Security Law
With the growing dependence on technology, data security has taken center stage in countries around the globe. The spotlight is on China after the Standing Committee of the National People's Congress, the highest legislative authority of China, passed the Data Security Law in June 2021. With only a two-month implementation period before it takes effect, the DSL aims to regulate how data is used, collected, developed, and protected in China, and applies to all types of data processing activities, including the collection, storage, processing, usage, transmission, publication, and disclosure of data within China.
The DSL places an emphasis on the core interests of China (i.e., national economy, national security, public interest), and any data relating to these interests is subject to heightened processing restrictions. To aid in these efforts, the new law institutes top-down coordination of data processors and of local governments to protect the public's data.
Before its July 2021 passing, the DSL was released for public comments in July 2020 and April 2021. Although many of the provisions remained unchanged during these reviews, additions were made to include the protection of "national core data" on top of "important data." Penalty amounts for violations were also increased, along with other minor language changes. The DSL is set to take effect on September 1, 2021.
Highlights of China's Data Security Law
The Data Security Law largely focuses on governing the processing and collection of data within China. Below is a summary of the key highlights of the Data Security Law.
The primary purpose of the Data Security Law is to ensure data security, promote data development and usage, protect the lawful rights and interests of citizens and organizations, and safeguard national sovereignty, security, and development interests. The law's primary focus is to regulate data processing activities within China and the security supervision of these activities.
The DSL broadly defines data to cover any record of information created in an electronic or other form, which would include digital and cyber information as well as additional forms such as hard-copy written records of information. The DSL's definition of data processing activities is comprehensive and would include the collection, storage, processing, usage, transmission, publication, and disclosure of data. In addition, data security refers to the ability to ensure that data is effectively protected and lawfully used through the necessary measures, thereby remaining in a secure state.
Under the DSL, China establishes a data categorization and classification system that imposes varying levels of security requirements based on the importance of the specific data to China's national economy, national security, public and private interests, and the damage that would be caused in the event of a data security incident. The more important the data, the stricter the management and protection requirements and the harsher the penalties for a breach. There are two special categories that specifically provide for the stricter regulation of data:
National Core Data
The DSL defines national core data in a variety of ways. It can impact national security, affect the lifelines of the national economy, be an important factor in people's livelihoods, or be important to the public interest. While national core data is subject to stricter regulations and more enhanced processing restrictions than important data or general data, its scope is broad to allow for flexible interpretation. However, with fines of up to RMB 10 million ($1.56 million), there is much confusion over what constitutes national core data, how the rules will be implemented, and the proper ways to protect it.
Important Data
The concept of important data was first introduced in the Cybersecurity Law, in which network operators in China are required to categorize data and create backups and encryption measures for the protection of important data. For important data under the DSL, business operators must appoint a responsible person, establish a specific internal department for the protection of important data, carry out risk assessments on a regular basis, and report the results to the relevant authorities. Similar to national core data, details have not been released regarding the scope of important data, nor has specific guidance been issued on how to comply with the rules and data protection requirements.
Data Security Systems
Under the DSL, the state is to establish a data security emergency response and handling system to be activated when a data security incident occurs. The relevant regulatory departments will be in charge of initiating the corresponding emergency response plans in order to prevent the harm from spreading and to eliminate any security risks. Relevant alerts should also be promptly issued to the public.
As one of the most populous countries in the world, and with many companies either headquartered or with branches in China, transferring data across borders will be inevitable. The DSL has strengthened the management of cross-border data transfers and has set out various specifications.
Cross-Border Transfers of Data for Important Data
The cross-border transfers of important data collected and generated by critical information infrastructure operators (CIIOs) within China are governed by the Cybersecurity Law. CIIOs operate information infrastructure in certain industries and sectors (e.g., public communications, energy, transportation, water conservancy, finance, public service, etc.) that, if damaged or exposed to a data leak, could threaten national security or public interests. The CSL specifies that data collected and generated by CIIOs must, as a rule, be stored within the territory of China. If data needs to be transferred overseas, a security assessment designed by the Cyberspace Administration of China (CAC) and relevant departments of the State Council must be performed. The DSL adopts similar requirements.
Cross-Border Transfers of Data for Legal Proceedings
Under the DSL, sharing any data that is stored in China with law enforcement authorities or judicial bodies outside of China without the approval of the Chinese government is strictly prohibited. This provision significantly impacts cross-border litigation and other legal proceedings. Failure to obtain approval before the transfer of this data can result in large fines, or even the suspension of the business and revocation of business licenses.
This provision is expected to create significant confusion for many companies that are established in China, offer their goods and services to data subjects in the European Union (EU), and are subject to the General Data Protection Regulation (GDPR). That is because the GDPR allows the EU authorities to request data when exercising their enforcement powers. However, the DSL now requires such companies to obtain Chinese government approval before transferring data in response to these requests. Companies are now caught between the requirements of the DSL and the GDPR. Currently, no further information has been released clarifying this situation.
Obligations for Business Operators
Business operators have a variety of obligations to fulfill under the DSL. Business operators must comply with the applicable protection requirements and laws imposed, establish a data security management system, organize data security education and training, and take any technical or otherwise necessary measures to ensure data security.
If a business operator carries out data processing activities for important data, a risk assessment must be carried out and submitted to the applicable department. The risk assessment report should include the types and volume of important data processed, the data processing activities carried out, the data security risks faced, and the measures taken as a response.
There are various penalties under the DSL, including the suspension of the business, revocation of business licenses, potential criminal penalties, and fines up to RMB 10 million ($1,560,000). If an individual is directly responsible for a violation, they can be subject to fines up to RMB 1 million ($156,000), as well as potential criminal penalties. Failure to cooperate with the Chinese authorities' data requests and providing data to foreign judicial or law enforcement authorities without approval from China could both invoke these penalties.
In addition, an individual or organization may be ordered to correct a violation, subject to a warning, or presented with a fine between RMB 50,000 ($7,500) and RMB 500,000 ($75,000), if they fail to perform certain data security protection obligations. In such a case, the individual in charge and those directly liable would be subject to a fine between RMB 10,000 ($1,500) and RMB 100,000 ($15,000). If the same organization or individual then refuses to make the correction or causes the leakage of a large amount of data, the entity would be subject to a fine between RMB 500,000 ($75,000) and RMB 2 million ($300,000). Business operations might then be suspended, and the relevant licenses could also be revoked as a result.
The Data Security Law was only recently passed, so it might be too soon to tell how far-reaching its impact will be on data security around the world. However, data is likely to begin moving away from Hong Kong, as requirements for how data is stored there may be affected as a result.
The DSL is also expected to impact technology giants; however, the law is likely targeted at China's homegrown technology companies (e.g., Alibaba, ByteDance, and Tencent) rather than the foreign companies that operate there. Since the emphasis of the DSL is on the data that flows out of the country, it creates a time-consuming compliance process for those entities that don't want to face hefty penalties, like the $2.8 billion fine against Alibaba.
China's Data Security Law is the newest addition to the growing list of data protection standards. The new law will provide a more comprehensive framework for information and data security; however, certain clarifications and further updates will not be released until after the September 1, 2021 effective date. Given the DSL's expansive compliance obligations and strict cross-border transfer restrictions, it is critical to closely monitor this new law for any further developments and perform the necessary security assessments, including assessing your data processing activities for non-compliance risk.