On June 10, China’s Standing Committee of the National People’s Congress passed China’s first Data Security Law (数据安全法). The Data Security Law (the Law) was heavily influenced by the United States’ Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) and the European Union’s General Data Protection Regulation. It, along with the National Security Law, the Cybersecurity Law, the upcoming Personal Information Protection Law, Measures on Cybersecurity Review, and Measures on Data Security Management (in draft), will serve as guidance for both Chinese and foreign companies in dealing with China-related data. In particular, the Law:
- Establishes a classification system for data management and protection.
- Provides for rules on data processing, data transactions, risk assessment, and data security review.
- In contrast with previous drafts, includes a provision on national core data management (without providing any details), establishes a national data security working mechanism to coordinate major data security work, and raises the level of penalties.
The Law will take effect on September 1, 2021.
The Law provides definitions for some key terms. It defines data as “any record of information in electronic or other means”; data process as “collection, storage, using, processing, transmission, provision and disclosure of data”; and “data security” as “to ensure data is effectively protected and legally used with necessary measures and maintain secure status persistently.” (Article 3)
Article 21 defines “national core data” as data that is related to: national security, the lifeline of the national economy, the major welfare of citizens, and major and public interests.
The Law provides for the establishment of a classification system for data management and protection, under which data shall be protected at a commensurate level, based on its importance in economic and social development and on the level of harm to national security, public interests, or the legal rights and interests of individuals or entities if the data is compromised or obtained or used illegally. (Article 21) The Law also notes that national core data will be subject to stricter management. While it provides a definition of national core data, the Law does not set out specific rules on its management. (Article 21) With regard to other critical data, the Law requires the State to create a national data security working mechanism, which coordinates with relevant agencies to formulate the catalog of critical data. (Articles 5 and 21)
Such cataloging work has already started. For instance, back in 2017, the National Information Security Standardization Technical Committee issued a draft Guidance of Security Assessment of Cross-Border Data Transfer (信息安全技术 数据出境安全评估指南（征求意见稿）), which catalogs critical data in 27 sectors, including finance, electricity, telecom, and digital trade. Overall, defining critical data is still an ongoing process.
The Law also requires the State to create a data security review mechanism, whose decisions will be final. (Article 24)
The government is bound by other data protection obligations, including protecting government data (Article 39), as well as protecting personal data, trade secrets, and confidential business information that it may have obtained while performing government duties. (Article 38)
The Law inevitably overlaps with some other laws. Article 53 states that data processing activities related to national security will comply with the Guarding State Secrets Law, and that the processing of personal information will comply with other relevant laws. The laws referred to here likely include the Law on Personal Information Protection, which is currently in the legislative process (the first draft is explained here).
Obligations of data processors
The Law also sets forth various obligations for data processors. For instance, the data processors shall:
- Collect and use data in legal ways (Article 32);
- Process data in accordance with laws and regulations, including creating data management rules, adopting technical measures, organizing data security training, and designating the personnel and management body responsible for data security (Article 27);
- Take remedial measures when a data risk arises; in the event of a data breach, adopt immediate measures, disclose the breach to users, and report to the authorities in a timely manner (Article 29);
- With regard to critical data, conduct regular risk assessments and file the report with relevant agencies (Article 30).
Most of these obligations need further elaboration. For instance, the Law is not clear about the procedure or the time frame regarding the regular data security assessment and reports for critical data. More details will have to come from future implementing documents.
The Law does not explicitly ban cross-border data transactions, nor does it require data localization; rather, it singles out critical data and refers to other legislation. (Article 31)
There are two types of critical data according to the Law: data generated by critical information infrastructure (CII) operators and data generated by non-CII operators. For the highest level of critical data—data generated or collected by CII operators—the rules in the Cybersecurity Law apply. The Cybersecurity Law requires data generated by CII operators to be stored in China unless a security assessment approves otherwise. Cross-border transfers of other critical data collected or generated by non-CII operators will follow other measures formulated by the Cyberspace Administration of China (CAC) and other agencies. The CAC has finalized rules on cybersecurity review and is in the process of developing rules on cross-border transfers of personal data.
Data export restrictions may also apply pursuant to the Export Control Law, which governs export controls of technology-related data. (Article 25)
Under the Law, it is prohibited to provide any data stored in China to a foreign judicial or law enforcement agency without administrative approval. (Article 36)
Chinese police or security agencies, when needed to retrieve data, are also required to follow an approval procedure. Individuals and entities shall cooperate if such approval is granted. (Article 35)
The Law also illustrates the obligations of data transaction service providers: They shall request data providers to disclose the source of data, inspect the identities of transaction parties, and maintain a record of the transaction. (Article 33)
The Law seems to try to strike a balance between restricting and encouraging data transactions. In addition to the abovementioned restrictions, the Law requires the State to encourage the legal use of data, safeguard the lawful free flow of data, and promote the development of the digital economy. (Article 7) It also states that the State supports and encourages the development and promotion of technology, products, and industrial systems related to data and data security. (Article 16) It requires the State to move forward with the standardization of technology and products related to data use, development, and security (Article 17) and to establish and improve rules governing data transactions, so that it can regulate and cultivate the data transaction market at the same time. (Article 19)
Article 26 of the Law allows the State to take countermeasures if other countries or regions discriminate against China and adopt prohibitions, restrictions, or similar measures in trade or investment that are related to data or technology for data development and use. Countermeasure provisions are included in many new pieces of Chinese legislation, including the Export Control Law and Anti-Foreign Sanctions Law. In particular, the Anti-Foreign Sanctions Law offers more details on the circumstances of countermeasures and applicable countermeasures.
Enforcement and penalties
The Law provides for extraterritorial jurisdiction if data processing activities abroad “damage national security, the public interest, or the legal rights of Chinese citizens or entities.” (Article 2) However, the Law does not offer many details on how this will be applied.
The Law is clearer about violations within China. In particular, it sets forth various punishments for violating obligations regarding data protection, data transactions, and data provision. Such penalties include rectification orders, warnings, fines, suspension of business, and revocation of licenses. It is notable that throughout the drafting process (there were two previous drafts), the level of punishment has increased, indicating the seriousness of the government in tackling data security risks.
According to the Law, if data processing organizations violate data processing obligations, they will receive warnings, rectification orders, and possibly up to a 500 thousand yuan fine, as well as up to a 100 thousand yuan fine for responsible individuals. If the violators refuse to rectify their behavior, or their violation leads to serious consequences, the fine could rise to 2 million yuan along with the suspension of business or revocation of license. At the same time, the fine for responsible personnel also increases to 200 thousand yuan maximum. (Article 45)
Violators of the national core data protection mechanism whose conduct damages national sovereignty, security, and development interests will receive up to a 10 million yuan fine along with other administrative punishment, and possibly criminal charges. (Article 45)
Entities that transfer critical data overseas in violation of Article 31 will receive rectification orders, warnings, and possibly fines for up to 1 million yuan. If the circumstances are serious, the entities will receive up to a 10 million yuan fine and possible suspension of business and revocation of license. Responsible personnel will also be fined up to 1 million yuan. (Article 46)
In addition, entities that provide data to foreign judicial or law enforcement agencies without approval under Article 36 will receive up to a 5 million yuan fine along with the suspension of business or revocation of license if the data provision leads to serious consequences. Individuals in charge will also receive a fine of up to 500 thousand yuan. (Article 48) Any violation of the cooperation obligation in Article 35 will receive warnings and fines of up to 500 thousand yuan and 100 thousand yuan for entities and individuals, respectively. (Article 48)
Data transaction service providers that violate the obligations under Article 33 will receive rectification orders, suspension of business, revocation of license, confiscation of illegal gains, as well as fines of up to 10 times the amount of illegal gains or 1 million yuan. Responsible personnel will also be fined. (Article 47)
The Law also provides for administrative punishment of government agencies or officials that violate their obligations to protect data security. (Articles 49 and 50)
Right before the Law’s passage, on June 3, a court of first instance in Henan Province ruled on a case of data leakage. Two Chinese men were found guilty of illegally collecting more than 1 billion items of personal information of Taobao users since 2019. The two men were sentenced to more than three years in prison and fined a total of 450,000 yuan.