China is stepping up its game with the new Data Security Law (DSL) that passed on 10 June 2021 and will come into effect on September 1st this year. The new DSL, among with the Cybersecurity Law (implemented on June 1, 2017) and the Personal Information Protection Law (expected to be formally published during this year), will be the three essential and framework laws controlling cybersecurity and data security protection in China.
The Data Security Law classify data into three groups:
- state’s data
- important data
- general data
The law organizes a hierarchical data classification management and protection system that considers the importance of different types of information to national security, national economy, and public interest. In addition, the DSL further underlines the control of data localization and cross-border data transfer, mirroring the observation and restrictive conditions on cross-border transfer of information under the Cybersecurity Law and other applicable laws and regulations.
The Data Security Law states that organizations and individuals from China are forbidden to offer any information stored within China to the foreign judicial department and foreign law enforcement department unless approval has been obtained from the government department.
How has China changed its data security laws?
On June 10, 2021, the Standing Committee of the National People’s Congress (the highest legislative authority of China) passed the new Data Security Law of China two months after discharging the second draft of the law.
This is broadly applicable and will affect all parties doing business in or with China that engage in processing all types of information.
Business owners in China and multinational companies doing business within the country must pay attention to the requirements under the law and establish data safety and protection systems and safety evaluation schemes accordingly.
1. Scope of application and extraterritorial effect
The DSL applies to and establishes data processing activities and security supervision of such activities in China (Article 2, Paragraph 1). In addition, DSL also extends its extraterritorial effect (Article 2, paragraph 2) to control any data processing operations outside the territory that may harm China’s national security, public interest, or the legal interests of citizens and organizations in China.
Data under the DSL include any record of information in electronic or other forms. Therefore, information recorded in order forms, like, for example, hard records or information, also constitutes data. Data processing activities controlled by DSL include:
2. Data Classifications
According to Article 21 of the law, China will establish a data classification system and implement a multilevel protection scheme imposing various levels of security requirements based on the importance of particular data to China’s national security, national economy, public interest, and possible level of harm to be caused by a data breach.
Therefore, the processing of important data must be supervised by a specific person and company department charged with maintaining data security, risk evaluations, and reporting to the government authority. In addition, even stricter regulations and penalties will apply for misusing the core state data, which is seen as threatening the nation’s sovereignty, security, or development interests.
The DSL presents the new concept of national core data. It defines it as data related to national security, the lifeline of the national economy, and people’s livelihoods, which is important to major public interests. However, the data security law does not offer details regarding the specific reason for National Core Data and the protection requirement.
Violation of the national core data management system or endangering China’s national sovereignty, security and development interests will be fined up to 10 million yuan (approximately US$1.56 million), suspension of business, business license revoked, and in severe cases, criminal liability will be imposed. In addition, we expect that more detailed implementation rules will be issued in the future to guide what information will be stored as national core data and how to protect such core data.
The Cybersecurity Law first included the concept of important data (active since July 1st, 2017), under which network operators in China are required to classify data and formulate backup and encryption measures to protect significant data.
Neither the Cybersecurity Law nor the DSL offers details on the definition and scope of important data and the detailed protection mechanism. However, DSL authorizes the National Data Security Coordination Mechanism (established following Article 5 of the law) to formulate a national-level important data catalog in coordination with relevant departments.
Furthermore, DSL also authorizes different administrative regions and industry departments to formulate specific data catalogs with their own protection requirements. This means that business owners in different regions and industries will need to be careful and comply with the protection requirements and rules to be imposed not only by the national important data catalog but also the specific applicable regional or industrial catalog for important information when they process data during daily business.
3. Data localization and cross-border transfer
For the cross-border transfer of important data, the data security law distinguishes the requirements on operators of CII (critical information infrastructure) from those on non-CII data processing operators. CII relates to information infrastructure in important industries and sectors (for example, public communication, energy, transportation, information service, water conservancy, finance, e-government, and public service) and other information infrastructure that, once damaged or leaked, may seriously threaten the national security, national economy, and people’s livelihood and public interests.
CII operators need to comply with the cross-border transfer rules stipulated in the Cybersecurity Law, which require these operators to store locally important data collected or generated within China. If the cross-border transfer of specific important information is necessary for business, then the CII operator needs to carry out a security evaluation according to the measures commonly formulated by the CAC (Cyberspace Administration of China) and relevant departments of the State Council. However, for non-CII operators, CAC and other government authorities will formulate separate implementing rules for the cross-border transfer of important information.
Failure to obtain such a prior approval for cross-border transfer may subject the business owner to a fine of up to 1 million Yuan (roughly US$156.000), as well as additional fines for the responsible individual. Furthermore, if an unapproved cross-border transfer causes serious effects, the business owner might be subject to fines up to 10 million yuan (approximately US$1.56 million), suspension of business, and business license revoked.
4. Key obligations of business owners
When managing data processing activities, a business operator must comply with the applicable laws and regulations, organize data security education and training, establish and improve whole-process data security management systems, and take corresponding technical and other needed measures to ensure data security. Furthermore, every company or individual that collects data shall do it legitimately and shall not obtain data by stealing or other illegal manners (Article 27).
Where laws and administrative regulations contain provisions on the purposes and scope of data collection and use, business operators must collect and use data within the purposes and scope prescribed by laws and administrative regulations (Article 29).
A processor of important data must regularly carry out risk assessments of its data processing activities and submit risk assessment reports to the relevant competent department. Such a risk assessment report shall cover the types and volume of important data processed; data processing activities carried out, the data security risks faced, the measures taken in response, etc. (Article 30).
Any individuals or companies that fail to perform the data security protection obligations described earlier may be subject to an order to correct, a warning, and/or a fine of not less than 50.000 Yuan (about US$7.500) but no more than 500.000 Yuan (about US$75.000).
In the meanwhile, CRO (China’s Cybersecurity Review Office), which is under the CAC, announced that it had initiated a cybersecurity review against Didi Chuxing, a leading Chinese vehicle-for-hire company that just went public on June 30, 2021, on the NYSE.
According to the official announcement of the CRO, the cybersecurity review against Didi started based on requirements under the National Security Law, the Cybersecurity Law, and the Measures on Cybersecurity Review and for the purpose of “preventing national data security risks, maintaining national security and safeguarding public interests.”
The DSL provides a further legal basis for the Chinese authorities to enforce data security needs. Therefore, as advice, companies should start reviewing and updating data collection and management systems to meet the new compliance obligations in accordance with Data Security Law.