The 20th session of the Standing Committee of the 13th National People’s Congress released the full texts of the Law of the People’s Republic of China on Data Security 数据安全法（草案）》 for public comments on July 3. Comments are due by August 16, 2020. The Draft has 7 chapters and 51 articles, which set forth national policies and measures to secure data security and development; obligations and responsibilities for data security; and related penalties.
Most noticeably, the Draft has a retaliation provision, which authorizes China to take corresponding measures if any country or region discriminates against China in investment or trade with regard to data or data related technology (Article 24). The scope of this provision is very broad and the application is vague. The provision allows China to retaliate if the United States or other countries discriminate against China with regard to data or data-related technology, but the details are left to future legislation.
Export controls on data may apply pursuant to other laws and international obligations (Article 23). This means exports of data related to technology that is subject to export controls will be restricted or banned.
The Draft sets forth requirements to create a class system of data management based on the level of damages to national security, public interests and legal rights of individuals and entities once the data is compromised (Article 19 ). In this regard, agencies at all levels shall create catalogs for critical data and protect such data with priority. It also sets forth the establishment of a united data safety review, report, information sharing, supervision and warning mechanism (Article 20), and a national security review system to review data activities that do or may affect national security (Article 22). The Draft does not clarify which data will be subject to security review, or what the review process will be. The Draft also has language to promote data infrastructure, encourage foundational research and innovative application of data in all fields (Article 13 and 14), and promote the establishment of data safety standard (Article 15).
In addition, the Draft sets out the legal responsibility to improve on data safety and punishment for failing to take necessary measures to protect data. Penalties include warning, revocation of business license, a fine of up to 1 million RMB, and criminal punishment (Article 42-44).
Overall, the Draft sets out the main principles of data protection without offering many details. It is likely to undergo more revisions during the legislative process.