China passes Data Security Law

China - 

China Data Protection Alert

On June 10, 2021, China's National People’s Congress Standing Committee passed the Data Security Law (DSL). The DSL will become effective as of September 1, 2021, leaving less than three months for companies to adapt to the new data security regime. Garrigues has been closely following the legislative process of such law[1] and we hope this article will help you to better understand the key contents of the DSL and its major implications on your business:

1. Scope of Application

The DSL defines the “Data” as any record of information in digital form or other forms. “Data Processing” includes but not limited to the collection, storage, use, processing, transmission, provision, public disclosure of data. Due to the wide coverage of subject matter, in case the Data is related to a natural person, it may also be deemed as “Personal Information” and subject to the Chinese personal information protection laws and regulations.

As for the territorial scope, the DSL mainly applies to the data processing activities in China but also have certain extra-territorial application since it states that any data processing performed outside of the Chinese territory but harms China’s national security, public interest, or legal rights and interest of its citizens and organizations shall be imposed with legal liabilities.

2. Special Categories of Data

The DSL has established a regulatory regime that provides stricter regulatory measures for special categories of data, i.e. important data and core state data, than ordinary data.

1. Important Data

According to the DSL, Chinese government shall determine the security level of the data based on the significance and potential damages caused to the society in case of any data breach and to publish the Important Data Catalogue in order to strengthen the protection to the important data. The DSL also stated that there would be specific important data catalogues for different regions and different sectors.

The Cybersecurity Law of China, which has been in force since 2017, has already briefly mentioned that the network operators shall categorize the data and adopt back-up and encryption measures for the important data. The Cybersecurity Law also requires that, in principle, the Critical Information Infrastructure Operators (CIIOs) shall store important data within the territory of China. However, such law has not provided a clear definition for the “important data”.

Therefore, according to the DSL, the Chinese government will be authorized to set official standards for the “important data” instead of allowing data processors to decide the scope of important data at their own discretion. Furthermore, the data processors in different administrative regions or different sectors may have to check the specific important data catalogues in order to define their specific compliance obligations.

2. Core State Data

Comparing to the previous draft version, DSL further added that the data concerning national security, lifeline of the national economy, people’s livelihoods, and major public interests shall be deemed as “Core State Data” and a more stringent regulatory system shall be implemented.

3. MLPS - Fundamental Data Security System

The DSL stated that the multi-level protection scheme (MLPS) will be the fundamental ground of data processing through information network such as the Internet, which is more reasonable comparing to the previous draft Law, which treats MLPS as a generally applicable requirement.

MLPS is a system established under the Cybersecurity Law of China, under which all the network operators are required to perform relevant security protection obligations in accordance with the requirements of the MLPS system to protect the network from interference, destruction or unauthorized access, and prevent network data from being leaked or stolen or tampered. Specifically, network operators need to evaluate their own networks according to their importance, determine its security level from the five security levels according to relevant national standards, and formulate and implement corresponding technical and organizational measures for network security and data protection according to the security level. When necessary, it shall also file the MLPS result before the cyber police department of the public security authority. Currently the application of the MLPS is being advanced progressively.

4. International Data Transfer

The DSL also expressly mentioned that the cross-border transfer of important data by CIIOs will be carried out in accordance with the provisions of the Cyber Security Law of China. As for the other data processors, it will be the task of the cybersecurity authority to work with relevant departments of the State Council to formulate relevant regulations on international transfer of important data. The Cybersecurity Law of China stipulated that, as a principle, the personal information and important data collected and generated by CIIOs during operations in China should be stored within Chinese territory. If it is indeed necessary to transfer any important data overseas due to business needs, a security assessment should be carried out first. It is also worth noting that the DSL also intends to establish data national security review and export control system to restrict the cross-border transmission of data from the perspective of national security.

It seems that, under the DSL, not only the CIIOs but also all types of companies that transfer data in daily management or business activities will need to have solution to ensure legal compliance in the international data transfer. However, the absence of detailed implementation rules for the security review, national security review and export control over international data transfer may cause practical obstacles, and may thus bring uncertainties to the businesses that heavily rely on cross-border data transfer, in particular those of the multinational companies.

5. Administrative Penalty

Comparing to the last draft version, the DSL has adjusted and further detailed the legal liabilities for breach of data protection compliance obligations in different scenarios. Below we give you some examples:

1. Breach of data security obligations: the authority may impose a fine up to RMB 2 million and order the suspension of related business, suspension of business for rectification, revocation of related operation licenses, or revocation of business license, and also may impose a fine up to RMB 200,000 on responsible persons;

2. Violation of regulations on Core State Data: the authority may impose a fine up to RMB 10 million and order the suspension of related business, suspension of business for rectification, revocation of related operation licenses, or revocation of business license;

3. Illegal overseas transfer of Important Data: the authority may impose a fine up to RMB 10 million, and may order the suspension of related business, suspension of business for rectification, revocation of related operation licenses, or revocation of business license, and impose a fine of less than RMB 1 million on related responsible personnel; and

4. Unauthorized provision of data to overseas law enforcement/judicial authorities: the authority may impose a fine up to RMB 5 million on entities, and the penalty for individuals is up to RMB 500,000.

It can be expected that in the next months the Chinese government authorities will issue a series of ancillary regulations and policies to interpret, supplement and enforce the DSL, which will include particularly the regulations to define the Core State Data, Important Data Catalogue and the regulations for non-CIIOs to perform international data transfer. In the meantime, so far it is still unclear how the DSL will interact with other legislations on data and personal information protection, in particular, the Cybersecurity Law (currently in force) and the Personal Information Protection Law (which is also expected to be enacted within this year). Garrigues will continue to pay close attention to the developments in China in terms of data security and data protection. In the meantime, we recommend our clients to review their existing data security system and start making adaptations to meet the compliance obligations under the DSL.

[1] See here our previous article on the second draft of such Law.