On October 21, 2020, the Standing Committee of the National People’s Congress (NPC) of the People’s Republic of China (PRC) released the draft PIP Law for public comment.
On June 10, 2021, the highest legislative authority of China, the Standing Committee of the National People's Congress, passed the new Data Security Law (DSL) of the People's Republic of China (the PRC or China), roughly two months after releasing the second draft of the law for comment. The DSL takes effect on September 1, 2021. It is broadly applicable and will affect all parties doing business in or with China that process any type of data. Business operators in China and multinational companies doing business with China should study the requirements of the law and establish data security management systems and risk assessment schemes accordingly. Below is a summary of the key highlights of the law.
Scope of Application and Extraterritorial Effect
The DSL applies to and regulates data processing activities, and the security supervision of such activities, within the territory of China (Article 2, paragraph 1). The DSL also has extraterritorial effect (Article 2, paragraph 2): it reaches data processing activities conducted outside China that harm the national security or public interest of China, or the lawful rights and interests of any Chinese citizen or organization.
Data under the DSL means any record of information in electronic or other form. In addition to digital and network information, information recorded in other forms (such as hard-copy written records) therefore also constitutes data. Data processing activities regulated by the DSL include, without limitation, the collection, storage, use, processing, transmission, provision and disclosure of data.
Data Categorization and Multilevel Protection System
Under Article 21 of the law, China will establish a data categorization and classification system and implement a multilevel protection scheme that imposes different levels of security requirements based on the importance of the specific data to China's national economy, national security and public interest, and on the level of harm that a data security incident involving that data could cause. In practice, more important data will be subject to stricter management and protection requirements. In particular, national core data and important data will be subject to stricter protection and supervision.
The DSL introduces the new concept of national core data, defined as data related to national security, the lifeline of the national economy, important aspects of people's livelihoods and major public interests, and subjects it to stricter regulation and protection. The DSL does not provide details on the specific scope of national core data or on the protection requirements that will apply to it. Violation of the national core data management system, or any activity that endangers China's national sovereignty, security and development interests, may be punished with a fine of up to RMB10 million (approximately US$1.56 million), suspension of business, revocation of business licenses and, in severe cases, criminal liability. We expect that implementing rules will be released in the future to provide guidance on what information will be treated as national core data and how such data must be protected.
The concept of important data was first raised in the Cybersecurity Law (effective as of July 1, 2017), under which network operators in China are required to categorize data and formulate backup and encryption measures for the protection of important data. The DSL further requires that business operators that process important data must appoint a responsible person and establish a specific internal department for important data protection, carry out risk assessments on a regular basis and report the risk assessment results to the competent authorities.
Neither the Cybersecurity Law nor the DSL provides details on the definition and scope of important data or on the detailed protection mechanism. The DSL authorizes the national data security coordination mechanism (to be established under Article 5 of the law) to coordinate with the relevant departments to formulate an important data catalogue at the national level. The DSL also authorizes individual administrative regions and industry sectors to formulate their own specific important data catalogues with corresponding protection requirements. Business operators in different regions and industries will therefore need to watch for, and comply with, the protection requirements and rules imposed not only by the national important data catalogue but also by the applicable regional or industry catalogue when they process data in their daily business.
Data Localization and Cross-Border Transfer
For the cross-border transfer of important data, the DSL distinguishes the requirements on operators of critical information infrastructure (CII) from those on non-CII data processing operators. CII refers to information infrastructure in important industries and sectors (such as public communications, information service, energy, transportation, water conservancy, finance, public service and e-government) and other information infrastructure that, once damaged, disabled or subject to a data leak, may severely threaten the national security, national economy, people's livelihood and public interests.
CII operators must comply with the cross-border transfer rules established under the Cybersecurity Law, which require CII operators to locally store important data that is collected or generated in China; if the cross-border transfer of certain important data is necessary for business, the CII operator must carry out a security assessment in accordance with the measures jointly formulated by the Cyberspace Administration of China (CAC) and relevant departments of the State Council. For non-CII operators, CAC and other government authorities will formulate separate implementing rules for cross-border transfer of important data.
For the cross-border transfer of data for legal proceedings, the DSL explicitly prohibits business operators from providing any data stored in China to foreign law enforcement authorities or other foreign judicial departments without prior approval from the competent Chinese authorities. Failure to obtain such prior approval may subject the business operator to a fine of up to RMB1 million (approximately US$156,000), as well as additional fines for the responsible individuals; if an unapproved transfer causes serious consequences, the business operator may be subject to a fine of up to RMB10 million (approximately US$1.56 million), suspension of business and revocation of business licenses. It is important to note that this requirement will significantly affect the cross-border transfer of data for litigation and other legal proceedings outside China, such as document production in foreign court litigation and responses to foreign government investigations.
Key Obligations of Business Operators
In carrying out data processing activities, a business operator must comply with the applicable laws and regulations, establish and improve a whole-process data security management system, organize data security education and training, and take corresponding technical and other necessary measures to ensure data security. Any organization or individual that collects data shall do so in a lawful and legitimate manner, and shall not obtain data by stealing or other illegal means (Article 27 and Article 32).
Where laws and administrative regulations contain provisions on the purposes and scope of data collection and use, business operators must collect and use data within the purposes and scope prescribed by laws and administrative regulations (Article 32).
A processor of important data is required to regularly carry out risk assessments of its data processing activities and submit risk assessment reports to the relevant competent department. Such a risk assessment report shall cover the types and volume of important data processed, data processing activities carried out, the data security risks faced, the measures taken in response, etc. (Article 30).
Any individuals or organizations that fail to perform the data security protection obligations described under Articles 27, 29 and 30 of the DSL may be subject to an order to correct, a warning and/or a fine of not less than RMB50,000 (about US$7,500) but not more than RMB500,000 (about US$75,000). The person-in-charge and other personnel directly liable may be subject to a fine of not less than RMB10,000 (about US$1,500) but not more than RMB100,000 (about US$15,000). If the said organization or individual refuses to make correction or causes the leakage of a large volume of data or other serious consequences, the organization or individual shall be subject to a fine of not less than RMB500,000 (about US$75,000) but not more than RMB 2 million (about US$300,000) and may be ordered to suspend relevant businesses or stop doing business for internal rectification, and the relevant operation license or business license may be revoked.
As we write this alert, on July 2, 2021, China's Cybersecurity Review Office (CRO), which sits under the CAC, announced that it had initiated a cybersecurity review of Didi Chuxing (Didi), a leading Chinese vehicle-for-hire company that had gone public on the NYSE on June 30, 2021. According to the CRO's official announcement, the review of Didi was initiated under the National Security Law, the Cybersecurity Law and the Measures on Cybersecurity Review, for the purpose of "preventing national data security risks, maintaining national security and safeguarding public interests." Didi was required to stop registering new users during the review period, and two days later its app was removed from app stores for serious violations in its collection and use of personal information. This is the first time the CRO has publicly announced the initiation of a cybersecurity review of a company.
Furthermore, on July 6, 2021, the General Office of the Communist Party of China Central Committee and the General Office of the State Council jointly issued a notice calling for faster revision of the rules on data security applicable to companies issuing and listing shares overseas, and stressing the need to improve the laws and regulations governing cross-border data flows and the management of confidential information. These steps show the Chinese government's strengthened monitoring and regulation of the collection, use and cross-border transfer of data, especially where national security and the protection of personal information are involved.
The DSL, which will take effect on September 1, 2021, provides a further legal basis for the Chinese authorities to enforce data security requirements. We suggest that companies start reviewing and updating data collection and management systems to meet the new compliance obligations under the DSL. We will monitor the developments of implementing rules under the DSL.