The new China data security law: key features
Introduction: Significance of the DSL
The DSL is the first nationwide law on data security enacted from the perspective of national security protection in China. Before the promulgation of the DSL, the framework for data protection in China was laid down by the Cybersecurity Law ("CSL")[1], which imposes cybersecurity requirements on network operators. The data protection framework will be supplemented by the Personal Information Protection Law ("PIPL") with a focus on personal information protection, which will come into force on 1 November this year.
The DSL is a primary legislation that lays down the overarching legal framework and high-level principles on data usage, collection, storage, processing, disclosure, transaction and protection. Detailed guidance is expected to be provided in subsidiary and local regulations, judicial interpretations and opinions.
The application of the DSL is broad – it will affect companies and individuals processing data in China, as well as any data originating from or relating to China if its processing impairs national security, public interest or private rights in China.
Key feature: Three-tier classification of data
The DSL will regulate various stages of data processing including collection, storage, use, transmission and disclosure of different types of data, and is anticipated to become a key supplement to the CSL.
"Data"[2] is broadly defined in the DSL to refer to "any record of information in electronic or other form", and is categorised by the DSL into three classes, namely (i) national core data, (ii) important data (or critical data), and (iii) general data. The DSL ranks the different categories of data with regard to the significance of such data to national security, public interest and potential harm arising from breach. National core data and important data will be subject to a higher level of protection and use supervision.
"National core data" is only defined at a high level to refer to data related to national security and the national economic lifeline, as well as substantial civil life and public interests. Whilst more details on the management requirements are awaited by way of implementation regulations, one message is crystal clear – harsh penalties will be imposed for a national core data related breach. According to the DSL, an offender guilty of, for example, illegal transfer of national core data outside of China and which endangers China’s national sovereignty will be subject to a fine of up to RMB 10 million and penalties including suspension of businesses or revocation of licenses.
"Important data" is a key concept in the DSL, which lays down various requirements on the processing of such data by business operators:
- appointing a data officer;
- setting up a data protection department responsible for security of important data; and
- carrying out regular risk assessment of data processing to be reported to relevant authorities.
The DSL leaves it to State Council departments and local authorities to formulate their own classification to reflect what is considered "important data" within their respective industries or regions, to be coordinated by the central government. The promulgation of such categories will shed light on what constitutes important data allowing corporations to plan ahead during collection and usage.
Important data being subject to localisation and assessment requirements
Under the existing CSL, Critical Information Infrastructure (CII)[3] operators are required to store important data in China and the intended export is subject to security assessment. The DSL now expands the requirement to non-CII operators – i.e. all data processors will be subject to similar requirements. Separate rules on the requirements under the DSL have been drafted but have not been finalised. It remains to be seen exactly what requirements will apply to the export of important data by non-CII operators.
The DSL imposes fines for breach (whether by a CII operator or a non-CII operator) of RMB 10 million for a company and RMB 1 million for the persons directly responsible for and in charge of the export of important data in the company, which are respectively 20 and 10 times the fines under the CSL.
Restriction on cross-border transfer to foreign judicial and enforcement authorities
An important restriction to pay attention to is that the DSL prohibits the provision by entities or individuals in China of data stored in China to any foreign judicial and enforcement authority without approval from a competent Chinese authority.[4] Violations can lead to fines of up to RMB 5 million for a company and RMB 500,000 for the person directly in charge of cross-border data transfer in the company. The DSL does not provide specific rules on the approval procedure, and we expect relevant implementation rules to be announced at some point in the future.
The potential personal liability highlights the importance for companies to identify and appoint professionally qualified individuals who are conversant with the law and local practice to oversee the company's data transfer and processing. It is crucial to consider and have internal guidelines in place not only regarding data transfer but also the options of data storage in any jurisdiction.
Empowering Chinese authorities to conduct national security reviews
Companies and individuals are required to cooperate with security authorities to give them access to data for the purpose of safeguarding national security or investigating potential crimes. Such a cooperation requirement is not new – the CSL has similar requirements for network operators to provide technical assistance, which may include requests for data access.
In addition, the DSL stipulates that any data processing activities that affect or may affect China's national security will be subject to a national security review, the decision of which is final and not subject to judicial examination. Again, we await implementation regulations to provide further details.
Apart from national security, general directions are also laid down on the building of the digital economy. One of the key directions is that competent authorities are empowered to establish data trading management systems and cultivate a data trading market in China. In connection with data trading, companies engaging in data trading intermediary services are required by the DSL to collect the source of data, examine the identity of all parties involved in the trading activity and transaction, and maintain proper records of all transactions.
Extraterritorial effect of the DSL
Although the restrictions mainly target data processing activities in China, companies or individuals outside of China may be subject to the DSL if their activities are detrimental to Chinese national security or the lawful rights of any Chinese citizen or organisation. Hence, multinational companies outside of China which transmit any data collected in China to their overseas offices need to pay particular attention to the potential extraterritorial effect of the DSL, subject to the practical ability of Chinese authorities and courts to exercise jurisdiction over overseas companies.
The DSL also authorises the adoption by competent authorities of reciprocal measures against countries or regions with discriminatory prohibitions or other sanctioned measures pertaining to any China-related investment or trading activity involving data.
Summary
The enactment of the DSL is expected to have a far-reaching impact on data processing activities and business operations or investments in China. The DSL will bring challenges for companies that have a global business presence as they are faced with increasingly complex local regimes on data processing and security requirements in multiple jurisdictions. Companies or individuals with investment strategies in China should consider the impact of China's data protection regime on their investment objectives, including access to and sharing of data, and should ensure that their investment targets comply with the requirements.
With the DSL giving us a glimpse of the general principles, the practical enforcement implications will depend on the implementation regulations and standards to be promulgated by the relevant Chinese authorities. We will be closely monitoring regional and trade-specific regulations to be issued in the future and will provide updates in due course.
[1] Effective since June 2017.
[2] Which is not defined in the PIPL.
[3] The list of CII operators is currently in draft and refers to industries such as energy, finance, social security and public healthcare.
[4] A "competent Chinese authority" includes departments of different industries under the State Council such as the public security department, national security department, and national cyberspace administration office.