The Data Security Law (“DSL”) was officially released by the Standing Committee of the Thirteenth National People’s Congress on 10 June 2021 and became effective on 1 September 2021. The key points of the DSL are as follows:
1. Scope of Application
According to the DSL, “data” refers to any record of information, whether in electronic or non-electronic form. “Data processing” includes the collection, storage, use, processing, transmission, provision and disclosure of data, etc. This means that the DSL applies not only to internet or big data companies, but also to traditional enterprises, government agencies, public institutions or other social organizations involved in the recording and processing of information. Therefore, in terms of data protection, the DSL is more extensive than the Cybersecurity Law of the People’s Republic of China (“CSL”), which took effect on 1 June 2017.
- Intraterritorial and Extraterritorial Effect
The DSL is applicable to data processing activities carried out within mainland China and the security supervision of such activities. However, the DSL does not govern data pertaining to state secrets and the military. It is worth noting that the DSL further stipulates that any organization or individual outside the territory of mainland China may also be held accountable to the law if such organization or individual harms the national security, public interests, or the lawful rights and interests of citizens or organizations of mainland China in carrying out data processing activities. In other words, the DSL has extraterritorial effect and entities processing data outside mainland China may also be governed by the DSL. This shows the mainland Chinese government’s determination to safeguard data security; the DSL provides a statutory basis for jurisdiction over multinational corporations which provide services to mainland China and whose data processing activities take place outside mainland China.
However, the DSL does not further elaborate which data processing activity would be considered as "detrimental to the national security, public interests, or the lawful rights and interests of citizens or organisations of mainland China". We believe that the mainland Chinese government will interpret this provision in conjunction with other Chinese laws on a case-by-case basis.
2. Data Protection System
- Hierarchical Data Classification and Protection Mechanism
Under the DSL, data of greater criticality, such as “important data” and “national core data”, is subject to stricter management and protection requirements.
- What is “Important Data”?
While the definition of “important data” is not provided under the DSL, it remains to be determined whether it should be read in conjunction with the Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (Draft for Comment) and the Administrative Measures for Data Security (Draft for Comment) to mean “data which is closely related to national security, national economic development and social public interest”. To facilitate practical application, the DSL provides for the establishment of a hierarchical data classification and protection mechanism that will categorize different types of data and organize them according to a hierarchy of importance in terms of economic and social development, and the degree of harm to national security, public interests, or the lawful rights and interests of individuals or organizations in the event that data is tampered with, destroyed, leaked, or illegally obtained or used. Once the data classification system has been established at the national level, each region or department is required to determine local catalogues of “important data” that are specific to that region or department across its various industries and sectors, and undertake to provide special protection for the “important data” listed in such catalogues.
- What is “National Core Data”?
Data related to national security, the lifeline of the national economy, people’s livelihoods and material public interests is considered national core data and shall be subject to stricter regulation. It is worth noting that the DSL does not elaborate further in this regard, hence the definition of “national core data” is subject to further clarification in due course.
- Other Data Protection Mechanisms
The mainland Chinese government shall establish a centralized, efficient, and authoritative mechanism for data security risk assessment, reporting, information sharing, monitoring and early warning, as well as an emergency response mechanism.
Further, the mainland Chinese government shall also establish a data security review mechanism, under which data processing activities that affect or may affect national security shall be subject to national security review.
3. Cross-border Data Transfer
Cross-border data transfers could be of particular concern for foreign companies with mainland China-based operations. For example, current compliance programs of such companies would likely require changes to comply with the new laws, depending on existing levels of data protection and localization of data handling procedures.
- Critical Information Infrastructure Operators
The concept of "critical information infrastructure" (“CII”) was introduced by the CSL in 2017. The CII refers to the key network facilities and information systems in important industries and sectors such as public telecommunication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defense, science and technology sectors, in which any destruction, loss of function or data leakage could cause serious harm to the national security, national economy, people's livelihoods and public interest. CII operators (“CII Operators”) are operators involved in processing data through such network facilities and information systems.
The competent departments and regulatory departments governing the key industries and sectors with respect to the CII shall serve as the departments in charge of the security and protection of CII. Such departments shall formulate the rules for identification of CII according to the practical conditions of the respective industries and sectors and submit such rules to the State Council for record-filing. Whilst there are no unified CII identification rules at present, the CII could be identified by referring to the draft Information Security Technology - Method for Determining the Boundaries of Critical Information Infrastructure issued by the National Information Security Standardization Technical Committee on 10 August 2020.
The management of cross-border transfers of “important data” collected and generated by CII Operators during their operations in mainland China is principally governed by the CSL, which requires that personal information and “important data” collected and generated by CII Operators be stored within mainland China. Where it is necessary to provide personal information and “important data” to an overseas recipient due to business needs, a CII Operator shall conduct a security assessment in accordance with the measures formulated by the National Cyberspace Administration Authority in collaboration with relevant departments of the State Council. Failure to comply with the security assessment requirement could result in fines or confiscation of income, and/or suspension of business or revocation of business licenses, etc.
- Other Data Processors
The administrative measures for cross-border transfers of “important data” collected and generated by data processors that are not CII Operators during their operations in mainland China shall be formulated by the National Cyberspace Administration Authority in collaboration with relevant departments of the State Council.
Generally, transfers of data collected and generated by data processors that are not CII Operators will be subject to regulation commensurate with the volume, type and purpose of the data to be transferred. For example, according to the Personal Information Protection Law (“PIPL”), which will come into effect on 1 November 2021, where a data processor processes personal information collected or generated by it, and the amount of personal information reaches the threshold prescribed by the National Cyberspace Authority, such personal information shall be stored within the territory of mainland China. As with CII Operators, where it is necessary to provide such personal information to an overseas recipient, the data processor concerned should pass a security assessment organised by the National Cyberspace Administration Authority. For the avoidance of doubt, if the personal information processed by the data processor does not reach the prescribed threshold, in principle such personal information is not required to be stored within mainland China; nevertheless, where it is necessary to transfer such personal information to an overseas recipient, the data processor concerned is required to comply with the relevant provisions of the PIPL.
It is worth noting that the data protection obligations for personal information and “important data” (including the management of cross-border transfers of “important data” collected and generated by CII Operators in mainland China) under the DSL are interconnected with the CSL, the PIPL (to be effective on 1 November 2021), the Administrative Measures for Data Security (Draft for Comment), etc.
It is therefore advised that data processors should take this opportunity to review all laws and regulations governing data protection in mainland China (including but not limited to the DSL) as a whole so as to assess whether data can be transferred outside of mainland China, and go through all necessary approval procedures. In particular, the identification, recognition and assessment of “important data” and personal information will be a crucial part of the management of cross-border data transfers.
- Cross-border Litigation and Other Legal Proceedings
The DSL’s express prohibition on providing any data stored in the territory of mainland China to foreign law enforcement authorities or judicial bodies without prior approval of the competent mainland Chinese authority may impede discovery in cross-border litigation and other legal proceedings.
Uncertainties remain as to how the mainland Chinese government may interpret and implement the provisions relating to this prohibition, including how requests for data stored in Hong Kong and Macau may be affected, what data might be considered as “stored” in mainland China, and the specific approval process a company must go through before it may transfer such data outside mainland China.
Further, if a company is faced with an order of a Hong Kong court, or a request from a Hong Kong supervisory authority, to produce data or documents stored in mainland China, the company will need to evaluate a number of factors and potential consequences. On the one hand, the relevant mainland Chinese authorities may take a long time to process an application for approval of a data transfer outside mainland China or, in the worst-case scenario, the application could ultimately be unsuccessful; if the company then decides not to comply with the judicial order or request from Hong Kong, it may potentially breach applicable laws in Hong Kong. On the other hand, if, despite failing to obtain approval from the relevant mainland Chinese authority, the company decides to comply with the judicial order or request from Hong Kong, it may face potential penalties or consequences for violating the DSL.
- Reciprocal Retaliatory Measures
The DSL enables mainland China to adopt reciprocal measures against any country or region which imposes discriminatory prohibitions, limitations, or other such similar measures against mainland China-related investments or trade activities relating to data and technology.
4. Data Protection Obligations
Key data protection obligations are highlighted below:
- All organizations or individuals shall collect data by lawful and proper means and shall not acquire data by theft or other illegal means, and cooperate with the public security and national security authorities in retrieving data for the purpose of safeguarding national security or crime investigations in accordance with the law;
- As regards data processing, all data processors are required to:
  - establish a sound data security management system across the entire workflow, organize and conduct data security training, and adopt corresponding technical measures and other necessary measures to ensure data security, in accordance with applicable laws and regulations. In particular, where data processing activities are conducted on the internet or other information networks, the aforesaid data security protection obligations should be performed based on the hierarchical data protection mechanism;
  - strengthen risk monitoring. Where risks, such as data security flaws and vulnerabilities, are discovered, one shall immediately adopt remedial measures. In the event of a data security incident, one shall take immediate measures to deal with it, notify users and report such incident to relevant authorities;
  - where the handling of “important data” is involved, clearly specify the personnel and management bodies responsible for data security, fulfil data security protection obligations, conduct risk assessments periodically, and submit risk assessment reports to relevant authorities as and when required.
Further, as the DSL proposes the establishment of a data trading market to regulate and develop the management of data trading in mainland China, any entity providing data trading intermediary services must require the data provider to identify the sources of data, examine and verify the identities of all parties involved in the trading activities and transactions, and maintain proper records of all transactions.
5. Future Development
Although many implementation details remain unclear and require further clarification by the mainland Chinese government, considering that data security and privacy is one of mainland China’s areas of focus, it is likely that the mainland Chinese government will further issue regulations, statutory interpretations, or more detailed guidance to clarify certain key requirements of the DSL in the near future. Given that the DSL has been in effect since 1 September 2021, and given the comprehensive nature of its data security requirements, foreign companies doing business in mainland China should take active and prompt steps to assess their current data processing activities within and outside mainland China against the DSL requirements so that any deficiencies can be rectified as soon as possible.