China's New Data Security Law
Updated: Sep 13, 2021
China approved a Data Security Law (DSL) which will take effect on September 1, 2021.
DSL, together with two other laws, the PRC Cybersecurity Law (CSL) and the Personal Information Protection Law (PIPL), forms the three pillars of China's data privacy and security legal regime.
DSL will primarily govern the security of any record of information in any form, including paper, while CSL and PIPL focus on network data and personal information.
DSL defines data more broadly and is not limited to electronic data from or in the network. DSL’s data protection focus differs from that of PIPL, which mainly focuses on data privacy from a personal information perspective. DSL focuses on protecting data that has national or other security implications from a regulatory perspective.
Significance to Multinational Companies
DSL has both domestic and extraterritorial jurisdiction. It governs data processing activities within and outside of China that may jeopardize the national security, public interests or the legal rights and interests of Chinese citizens and companies. Multinational companies with a presence in China or who interact with Chinese entities or individuals must take note of this new legislation and its implications.
The underlying purpose of DSL is to regulate big internet or high-tech companies that create, collect and process an enormous volume of data on or in China on a daily basis. The aim is to control the development of the digital economy in China. As a matter of policy, data is treated as a key production factor and a national security issue by the Chinese government. DSL is a fundamental law for China to pursue its data security agenda, as it establishes a comprehensive regulatory framework and provides a legal basis for a variety of ancillary implementing regulations and rules to be issued. No regulations or implementing rules have been released under DSL yet. As with all Chinese laws, DSL provides a general statement of guiding principles. Its implementing regulations, rules and the practice of authorities will provide legal guidance.
DSL’s noteworthy provisions include:
Classified and graded data protection system
DSL lays out a classified and graded data protection system that categorizes data into different groups and assigns different levels of importance to the data within each group. The data protection requirements for data in different groups with different importance may vary. This suggests that data in different groups or produced across different industries will be regulated differently.
For instance, the draft provisions on automotive data security management immediately provoked heated discussion. The draft defines important data in the automotive industry very broadly. Self-driving solution providers and providers of high-definition maps for driving are subject to this draft, though they are not typically considered to be part of the automotive industry.
Other industry-specific rules may follow.
Local storage requirement
DSL provisions that lay out local data storage requirements interrelate to CSL’s provisions.
Under CSL, an operator of critical information infrastructure in China is required to locally store personal information and important data gathered and produced during its operation in China. CSL does not define important data, but it defines critical information infrastructure very broadly.
DSL affirms this local storage requirement and provides catalogues of important data. Under DSL, the national data security coordination mechanism makes overall planning for and coordinates relevant departments of the State Council in formulating the important data catalogues and strengthening the protection of important data.
Important data processed by a critical information infrastructure operator in China will be subject to the local storage requirement. Companies handling this data will need to implement special protection measures to ensure compliance with the laws.
Cross-border data transfer
Cross-border data transfers remain a major concern of multinational companies with businesses or employees in China since CSL took effect in 2017. DSL and CSL govern data transfer from China from different angles.
CSL previously required an operator of critical information infrastructure to go through government-performed security assessments before transferring personal information and important data overseas. CSL is silent on the regulation of cross-border data transfers conducted by network operators and participants that are not involved in any critical information infrastructure operations.
To fill this gap, DSL says any important data collected and processed in China is also subject to a security assessment mechanism which will be formulated by the relevant government agencies. Failure to comply with the data transfer rules under DSL may lead to a fine of up to about US$1.56 million, as well as the revocation or suspension of a company’s business license if the non-compliance leads to severe consequences.
The security assessment mechanisms have yet to be laid out.
One noteworthy issue involves data related to national security and interests or the performance of international obligations. This data is also regulated by the PRC Export Control Law. Once so classified, it will have to go through export control formalities and companies may be prohibited by virtue of this law from transferring data so classified overseas.
Restriction on cooperation with foreign judicial and law enforcement bodies
DSL requires that, without the prior approval of Chinese authorities, any company or individual in China shall not provide any data to foreign judicial bodies or law enforcement bodies. This could affect multinational company data submission to the U.S. Securities and Exchange Commission, the Department of Justice, or similar foreign law enforcement bodies or regulators.
DSL says such data sharing or transfer requests should be handled by China’s relevant authorities in accordance with the provisions of any international treaty or agreement that China has concluded or acceded to, or in line with the principle of equality and reciprocity. Failure to comply may lead to a fine of up to about US$781,250 if the non-compliance leads to severe consequences.
DSL says that for any country or region that adopts discriminatory prohibitions, limitations or other measures against China related to data or to data development and use technologies in investment, trade or other areas, China may, depending on the circumstances, adopt countermeasures against that country or region.