China’s new Data Security Law will come into effect on 1 September 2021. It will have a profound impact on data security practices in China, as well as on those foreign organisations and persons processing data from China. In this e-bulletin we highlight the key provisions of the law and set out our observations.
Since its first reading in June last year, the Data Security Law has undergone an additional two readings before its enactment by the Standing Committee of the 13th National People’s Congress on 10 June 2021. Notably, the second reading only took place in late April 2021, and it was expected that it would be voted through in the second half of this year. To almost everyone’s surprise, the third reading in early June, just a month after the second, suggests that the legislative process has been accelerated, highlighting the importance of this legislation.
KEY PROVISIONS AND OUR OBSERVATIONS
I. Key concepts and regulatory bodies
The key definitions in the Data Security Law include:
data, defined as electronic or non-electronic records of information;
data activities, which include the collection, storage, processing, use, transfer, provision, trading and public disclosure of data; and
data security, defined as the capability, by taking necessary measures, of ensuring that data is effectively protected and legally used and continues to be secure.
Different authorities are given jurisdiction over data based on their administrative regions and industries. However, the law does not clearly delineate the boundaries of these powers, which are bound to overlap.
The National Security Commission is in charge of making decisions and is to be consulted on matters relating to state data security, and is responsible for directing the strategies and policies. Notably, the final draft of the law introduced a coordination mechanism for national data security to be established by the Commission. It is not yet clear how this mechanism is to be constituted and how it will function. The Data Security Law currently only provides that the mechanism will coordinate relevant ministries to (i) draft the catalogue of important data; and (ii) strengthen the tasks of the acquisition, analysis, research and early warning relevant to risk information.
Local governments will have responsibility for data security in their regions, with industry regulators responsible for their respective industries. Public security authorities (namely the police) and national security authorities will have supervisory responsibilities. Overall responsibility for coordinating data security efforts and supervising compliance sits with the Cyberspace Administration of China (CAC). There seems to be an overlap between the roles of CAC and the Commission’s coordination mechanism mentioned above in the sense that both take on coordination responsibilities.
II. Protection of important data and core data
Multi-level classified protection regime
The Data Security Law proposes a multi-level classified data protection regime depending on (i) the importance of the data to social and economic development; and (ii) the harm caused to national security, public interest and a person’s rights and interests by its loss, disclosure or misuse. Local governments and industry regulators are each required to draft a catalogue of important data that should be afforded a higher level of protection.
Both the Ministry of Industry and Information Technology (MIIT) and the China Securities Regulatory Commission currently publish guidelines on determining the levels and classes of data. Under the MIIT guidelines, data is generally classed according to its use in the relevant business functions, whilst the protection levels are determined by the operational and economic impact to the industry of the loss, disclosure or misuse of the data.
It is not clear if the multi-level classified data protection regime under the Data Security Law will follow the MIIT approach, nor how the classification and levels will interplay with the catalogue of important data drafted by the regulatory bodies and local governments. Additionally, catalogues published by local governments and industry regulators could conflict and the law does not currently deal with how any such conflict should be resolved.
Important data and core data
The final draft of the Data Security Law does not define important data or lay down any guidelines for determining the level or class of data. Notably, it introduces an additional new concept of “core data” of the state, which is defined as data relevant to national security or national economic lifeblood, important to people’s livelihoods or of significant public interest. Core data will be subject to an even more rigorous protection regime.
The new concept of core data renders the concept of important data even less clear. A number of draft regulations and standards have attempted to define important data. For example, the draft Administrative Measures on Data Security defined important data as data that, once leaked, may directly impact national security, social stability, public health and security, excluding the business and management information of a company and personal information. However, this definition has not yet been officially adopted.
There appears to be substantial overlap between the definition of core data in the Data Security Law and the proposed definition of important data above. It is imperative that the legislature or the government clarify the boundaries between important and core data. One important question arising from the overlap is whether important data will be defined to cover certain less important data not categorised as core data, which may extend its scope from that caught under the existing proposed definition of important data.
Processors of important data are required to conduct a periodical assessment of data activities and submit the report to the regulatory bodies. The report should include information on the types and volume of important data; the collection, storage, processing and use of such data; and the data security risks and corresponding measures to address these.
The Data Security Law defines data activities but unfortunately does not define processor or process. We hope this will be defined in the implementing rules in a manner consistent with other laws such as the Civil Code.
Data security officer and management department
Processors of important data are required to appoint a data security officer and designate a management department to take responsibility for data protection. The new law currently lacks further details on how such positions should be staffed or their duties.
Highlighted importance of MLPS
The Data Security Law stresses that the cybersecurity multi-level protection scheme (MLPS), the key cybersecurity protection regime contemplated under the Cyber Security Law, will form the basis for discharging data security protection obligations for data processing activities using information networks. With the enactment of the Data Security Law, we anticipate that enforcement actions in relation to the MLPS will also be stepped up.
III. Measures affecting foreign persons and foreign investment
National security review
The Data Security Law introduces a data security review regime, under which data activities affecting (or likely to affect) national security will be subject to national security review. The new law does not specify the authority which is to conduct the security review, nor does it provide any guidance on how the impact of data activities on national security is to be assessed. Interestingly, given that such regimes are usually designed to scrutinise data activities by foreign persons, the national security review provisions do not exclude data activities by Chinese persons. The relationship between this review and other national security review regimes is also not covered in the legislation.
Data will be subject to export control if it falls within the scope of items restricted from export either due to the country’s performance of its international obligations or for the protection of national security. The Export Control Law came into force on 1 December 2020, under which the controlled items include the relevant data, such as technical documents.
Countermeasures against unfair treatment
The law grants the government the power to take countermeasures if any country or region takes restrictive, prohibitive or similar discriminatory measures against Chinese investment or trade relating to data or data technologies.
Providing data to foreign judicial or law enforcement bodies
The law provides that the competent authorities in China will deal with any request for data from foreign judicial or law enforcement bodies in accordance with international treaties and agreements or pursuant to the principle of equality and mutual benefit. Organisations and individuals are not permitted to provide data stored within China to foreign judicial or law enforcement authorities without the prior approval of the Chinese authorities. This applies to any data stored in China irrespective of the nationality of the organisation or individual that controls the data.
Cross-border data transfer
The Data Security Law adds a requirement for operators of critical information infrastructure (CII) to comply with the Cyber Security Law when exporting important data. The CII operators are required under the Cyber Security Law to store within China any important data collected and generated within the Chinese territory. Further, CAC and other ministries will promulgate regulations on the export of important data by processors that are not CII operators. We note that the scope of CII is yet to be defined.
Under the Data Security Law, the Chinese government has the power to hold liable any organisation or individual outside of the Chinese territory who conducts data activities that jeopardise China’s national security or public interest or harm the legal rights and interests of Chinese citizens or organisations. The law does not specify how it is to be enforced against foreign organisations or individuals or which authority will enforce it. The extraterritorial effect provision appears to be too far reaching for it to be implemented in practice, but the concept has been retained in the final version of the law.
IV. Blurred boundaries with personal information protection laws
The previous draft of the Data Security Law stated that personal information processing activities must comply with personal information protection laws and regulations, which clearly carved out personal information activities from the jurisdiction of the Data Security Law.
However, this was changed in the final draft which states that personal information processing activities must “also” comply with relevant laws and regulations. It seems that the Data Security Law intends to bring personal information under its jurisdiction. Although the definition of data under the law implicitly includes personal information, it is critical that the legislature and government clarify the interplay between the Data Security Law and the existing personal information laws and regulations, and in particular the upcoming Personal Information Protection Law.
V. Requirements for data business
Data processing service providers are required to obtain a relevant license. It is unclear what businesses will be caught as data processing services under the law, which could potentially cover a broad range of services that process data. The first draft of the new law provided that the telecom regulator would administer the licensing, but this was removed from the second draft. It remains to be seen which ministry will be responsible for the licensing issues.
The law also regulates data trading activities and markets. Providers of data trading intermediary services must require data providers to explain the sources of data, review the identity of the trading parties, and keep a record of the reviews or transactions.
VI. Centralised data security regimes
The new law establishes a unified mechanism for assessing and reporting data security risks, sharing relevant information, and providing early-warnings across the country. The government will also establish a data security contingency response mechanism, under which relevant regulatory bodies will implement the contingency plan to eliminate the security risks, contain the damage and publish warnings to the public.
Penalties for violations of the Data Security Law can include an order for rectification, a warning, fines on the entities and their personnel, and, in serious cases, an order for suspension of operations, cessation of business or revocation of operating permits or business licenses. The upper limit on fines for entities and personnel violating general provisions is RMB 2,000,000 and RMB 200,000 respectively.
Notably, violating core data protection obligations can give rise to a fine of between RMB 2 million and RMB 10 million, as well as an order for suspension of business or revocation of operating permits or business licenses.
More severe penalties apply for violations of data export provisions and restrictions on providing data to foreign judicial or law enforcement bodies. For example, a serious violation of the data export obligations can result in a fine of up to RMB 10 million.