China recently published the second draft of the Data Security Law (DSL) for public comment. According to the plan of its legislative authority, China will formally enact the DSL within 2021, so the legislative authority is expected to perform a final review of the DSL and pass the bill into law in the next few months. Considering the immediate and significant implications of the DSL for the PRC data protection and data security legal regime, in this article we provide some highlights of this new version of the DSL (New Version of DSL).
1. Establishment of Important Data Catalogue
The New Version of DSL requires the establishment of a data protection system based on the category and security level of the data. It authorizes the Chinese government to determine the security level of data based on its significance and the potential damage to society in the event of a data breach, and to publish an Important Data Catalogue in order to strengthen the protection of important data. The New Version of DSL also states that there will be specific important data catalogues for different regions and different sectors.
The Cybersecurity Law of China, which has been in force since 2017, already briefly mentions that network operators shall categorize data and adopt back-up and encryption measures for important data. It also requires that, in principle, Critical Information Infrastructure Operators (CIIOs) store important data within the territory of China. However, it does not provide a clear definition of "important data".
The New Version of DSL therefore authorizes the data protection authority to set official standards for "important data" instead of leaving data processors to decide the scope of important data at their own discretion. Furthermore, data processors in different administrative regions or sectors will have to consult the specific important data catalogues that apply to them in order to determine their compliance obligations. However, it is not yet clear to what extent the specific catalogues will be aligned with or differ from each other, and whether this approach will leave any room for forum shopping in data processing.
2. MLPS - Fundamental Data Security System
The New Version of DSL newly adds the multi-level protection scheme (MLPS) as the fundamental ground of data processing. MLPS is a system established under the Cybersecurity Law of China, under which all network operators are required to perform security protection obligations in accordance with the requirements of the MLPS in order to protect their networks from interference, destruction or unauthorized access, and to prevent network data from being leaked, stolen or tampered with. Specifically, network operators need to evaluate their own networks according to their importance, determine their security level among the five levels defined in the relevant national standards, and formulate and implement the technical and organizational measures for network security and data protection that correspond to that level. Where required, they must also file the MLPS grading result with the cyber police department of the public security authority. Currently the application of the MLPS is being advanced progressively. We believe that, with the DSL, the enforcement of the MLPS is likely to accelerate.
3. International Data Transfer
The New Version of DSL also expressly provides that the cross-border transfer of important data by CIIOs will be carried out in accordance with the provisions of the Cybersecurity Law of China. For other data processors, it will be the task of the cybersecurity authority, working with the relevant departments of the State Council, to formulate regulations on the international transfer of important data. The Cybersecurity Law of China stipulates that, as a principle, personal information and important data collected and generated by CIIOs during operations in China should be stored within Chinese territory. If it is genuinely necessary to transfer important data overseas due to business needs, a security assessment must be carried out first. It is also worth noting that the DSL intends to establish a national security review and export control regime for data in order to restrict cross-border data transmission from a national security perspective.
It seems that, under the DSL, not only CIIOs but all types of companies that transfer data in their daily management or business activities will need a solution to ensure legal compliance in international data transfers. However, the absence of detailed implementation rules for the security assessment, national security review and export control over international data transfers may cause practical obstacles, and may thus bring uncertainty to businesses that rely heavily on cross-border data transfers, in particular multinational companies.
4. Enhanced Administrative Penalty
The New Version of DSL significantly increases the legal liabilities for breach of data protection compliance obligations. It raises the maximum fine that law enforcement agencies are authorized to impose from RMB 1 million to RMB 5 million, and adds other types of penalties, including suspension of the related business, suspension of business for rectification, and revocation of the relevant operating license or business license. It should be noted that, combined with the Cybersecurity Law and the Personal Information Protection Law (currently a draft bill), non-compliance with personal information and data security laws will not only bring significant fines, but may also lead to business interruption or termination.
Taking into account the wide coverage of the DSL, after its official promulgation it will undoubtedly be regarded as the comprehensive framework for data processing activities in China, and may affect the management and business models of various types of enterprises, especially those dealing with important data. In the meantime, it is still not clear how this law will be applied together with other legislation on data and personal information protection, in particular the Cybersecurity Law and the Personal Information Protection Law (which is also expected to be enacted this year). Garrigues will continue to pay close attention to the legislative progress of the DSL and to other developments in China in the field of data security and data protection.