On July 3, 2020, China’s National People’s Congress Standing Committee published the Data Security Law of the People’s Republic of China [Draft] (“Law”) to solicit public comment until August 16, 2020. Once finalized and passed (expected within this year), this new Law will be the first designated law in China that establishes and regulates the requirements and procedures relating to the collection, processing, control and storage of data involving national security, business secrets and personal data. Below is a summary of the key points in the Law.
The Law will be applied to all “data activities” within China. Unfortunately, it fails to provide a clear and precise definition as to what constitutes “data.” Under the Law, “data” is vaguely defined as “any record of information in electronic or non-electronic form.” “Data activities” are defined as actions including “collection, storage, processing, use, supply, trade and the publishing of data.”
Although the Law has very broad coverage, it expressly provides that data activities involving state secrets and military information fall outside its regulatory scope; those activities will be governed by the Law of the People’s Republic of China on Guarding State Secrets (Presidential Decree No. 28, effective October 1, 2010) and other relevant administrative laws and regulations.
The Law, as currently drafted, is applicable to all data activities carried out within China. In terms of its extraterritorial application, the Law provides that any organization or individual outside the territory of China will be investigated for legal liability if such an organization or individual harms the national security, public interests or legitimate rights and interests of the citizens and organizations of China in carrying out data activities. In other words, organizations and individuals outside of China will also be subject to this Law, if they conduct data activities which may harm China’s national security, public interests, or the rights of Chinese citizens.
Regulatory Framework Established Under the Law
- A unified, effective and official data security risk assessing, reporting, sharing, monitoring and warning mechanism will be established, and classified data protection will be applied based on the level of importance of the data;
- A data security emergency response mechanism will be developed and implemented;
- A data security review system will be established to examine any data activities that may be deemed to pose risks to national security. A security review decision will be final. However, it remains unclear how this security review system will interact with the two existing security review systems: the foreign investment security review system set out in the Foreign Investment Law of the People’s Republic of China (Presidential Decree No. 26, effective January 1, 2020), and the security review system applicable to key information infrastructure operators set out in the Cybersecurity Review Measures (Cyberspace Administration of China Announcement No. 6, jointly adopted and promulgated by the Cyberspace Administration of China and eleven other Chinese government departments in April 2020, effective June 1, 2020).
- Export controls will be applied to data that falls into categories of controlled items. The Export Control Law of the People’s Republic of China [Second Draft], promulgated by the Standing Committee of the National People’s Congress on December 12, 2019, which is still seeking public comments, will set forth the requirements on the export control of goods, technologies, services and other items. How this data export control will play out under the security assessment system for the cross-border transmission of data under this Law awaits further clarification from the legislation.
- Countermeasures will be taken when faced with other countries’ prohibitions, restrictions or similar measures taken with respect to trading and investment relating to data and/or technologies of data development and usage.
Data Security Obligations on Entities Carrying out “Data Activities”
Entities carrying out “Data Activities” are required to establish data-security management systems, organize security training, take appropriate technical measures and monitor data incidents. Where important data are involved, periodic risk assessments must be conducted and reported to the authorities.
Organizations providing data-trade intermediary services must request that the party providing the data specify the sources and identify the parties providing and receiving the data. Organizations operating online data-processing services must obtain any required administrative licenses from the authorities. The Ministry of Industry and Information Technology and other relevant authorities will designate the scope of these services and establish the applicable licensing requirements.
Government Data Security and Access
Pursuant to the Law, government authorities and law enforcement entities that collect data to maintain national security or to investigate crimes should comply with relevant laws and regulations. Individuals and organizations are obligated to comply with the request from the law enforcement entity.
Where a data access request is made by a foreign law enforcement entity to an individual or organization, such individual or organization shall, prior to disclosure, first report the request to a competent Chinese authority for approval. To the extent that China participates in international treaties which include provisions for foreign law enforcement access to data, the data shall be disclosed in accordance with such treaties.
Once adopted, the Law will have a significant and far-reaching impact on many sectors as it establishes the legal and regulatory framework for data protection and security in China. However, the Law only provides certain general principles and lacks clear definitions and guidelines. We expect the operational rules and implementing mechanisms to come soon after its adoption. If you have business or operations in China, this is an area that bears watching.