At the 20th session of the Standing Committee of the 13th National People's Congress, held from 28 to 30 June 2020, the long-awaited draft of the PRC Data Security Law ("Draft Data Security Law") received its first reading by the legislative body and has now been released for public comment.
The Draft Data Security Law and the Personal Data Protection Law (which is expected to be released shortly) are the two most critical and highly anticipated data protection laws to be promulgated by China's highest legislative body in the near future.
While both the PRC Cybersecurity Law ("CSL") and the National Security Law touch upon data security, they remain general in nature and do not set out a dedicated framework for data security governance. According to the drafting notes of the Draft Data Security Law, as data has become a foundational strategic resource of the nation, it is paramount to enact a foundational law dedicated to data security.
Structure and Key Points
The Draft Data Security Law comprises seven chapters and 51 articles in total. Its key points are summarized below.
National security is the focus
The Draft Data Security Law provides that national security is the key theme and consideration in formulating and establishing the data security system and related rules. The national security leading organ will be responsible for formulating and supervising the implementation of the national data security strategy.
Similar to the CSL, the Draft Data Security Law applies to all "data activities" carried out within the territory of the PRC. Interestingly, Article 2 further provides that the Draft Data Security Law applies to entities and persons located outside the PRC if their data activities impair the national security, the public interest or the legitimate rights and interests of citizens and organisations in China. Such extraterritorial reach appears to be even broader than that of the CSL, whose extraterritorial effect applies only when an entity or person outside China attacks, intrudes into or otherwise damages the critical information infrastructure of China and causes serious consequences.
A tiered system for data security
For the first time, the Draft Data Security Law introduces a tiered (classified and graded) system of data protection based on (i) the importance of the data to economic and social development and (ii) the degree of harm to national security, the public interest or the legitimate rights and interests of citizens and organisations if the data is tampered with, destroyed, leaked, illegally obtained or illegally used. The establishment of a "tiered system" of data security seems to echo the tiered system of cybersecurity protection (more commonly known as the "multi-level protection scheme" or MLPS) set out in Article 21 of the CSL.
What data is covered?
The Draft Data Security Law makes it clear that it does not govern data that constitutes a state secret or relates to military matters. In addition, whilst the draft law does not expressly exclude personal data from its scope, it expressly provides that data activities involving personal information shall comply with the relevant laws and regulations, which suggests that more specific rules governing personal data will be set out separately in the Personal Data Protection Law.
While the Draft Data Security Law does not further clarify the definition of "important data" (which was broadly and vaguely defined under the CSL), Article 19 provides that catalogues of important data shall be formulated by the relevant regional and sectoral departments. In other words, the Draft Data Security Law delegates the power to define the scope of important data to local and industry regulators. This also means that, if the draft is adopted in its current form, whether the data a company holds constitutes important data would be determined by (i) the industry in which the company operates and (ii) the region in which it is located. Whether such an approach may lead to, for instance, inconsistent treatment of data held by companies within the same group, and therefore compliance confusion, remains to be seen.
Article 22 provides that the State will establish a data security review system and conduct national security reviews of data activities that may affect national security. Notably, the draft law states that a security review decision is final, which indicates that no judicial review of such a decision is available.
It is also noteworthy that, when addressing security assessment, the Draft Data Security Law does not touch upon the cross-border transfer of important data, which is one of the matters of greatest concern to foreign-invested entities.
Data security protection obligations
Chapter 4 of the Draft Data Security Law is entirely dedicated to data security protection and sets out specific obligations applicable to entities and persons conducting data activities. Key obligations in relation to data security include:
- Processors of important data are required to appoint a "data security officer" and a "management body" ("管理机构") to carry out their data security responsibilities (Article 25). The requirement to appoint a data security officer is not unique: similar requirements can be found in the CSL (which requires critical information infrastructure operators to appoint a person responsible for cybersecurity) and in the draft Measures on the Administration of Data Security (which require a network operator to designate a person responsible for data security if it collects important data or sensitive personal information for operational purposes). However, it is not clear what the "management body" ("管理机构") under the draft law refers to or what members it would comprise.
- In the event of a data security incident, the relevant entity is required to promptly notify the affected users and report to the competent supervisory department in accordance with the relevant regulations (Article 27).
- Processors of important data are required to carry out regular risk assessments and submit the assessment report to the competent supervisory department in accordance with the relevant regulations (which are yet to be released) (Article 28).
- Public security and national security organs have wide powers to access data for the purposes of protecting national security and investigating crime, and all relevant entities and persons are required to "co-operate" (Article 32). On the other hand, if an entity is requested by an overseas law enforcement agency to provide data stored in China, it is required to report to the relevant competent authority and obtain approval before disclosing the data to that agency (subject to the provisions of international treaties and agreements to which China has acceded) (Article 33).
One of the most significant and far-reaching elements of the Draft Data Security Law is the establishment of a tiered framework for data protection. However, given that the relevant provisions of the draft law set out only a "skeleton" of the tiered system, without the requisite operational rules and implementing mechanisms, how the tiered system will actually work in practice is far from clear from a reading of the draft law. What is clear, however, is that the draft law has a strong focus on the governance of "important data" (the scope of which has been left to be addressed by local and industry regulators), while the protection of personal data will be left to other laws and regulations, including the forthcoming Personal Data Protection Law.