
China has released a new Data Security Law that adds to the existing web of data security regulation.
The Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) released its new Data Security Law (‘DSL’) on 10 June 2021, with the new law coming into effect on 1 September 2021.
The official Chinese version is available here and Covington’s unofficial English translation is available here.
This law can be treated as another pillar of China’s legal framework on information security and data (privacy) protection, together with the Cybersecurity Law (CSL) from 2017 which is focused on network security and the Personal Information Protection Law (PIPL), which is at the second reading stage and expected to be published later this year.
The DSL contains 7 chapters and 55 articles in total with many of the key provisions primarily relating to data security systems and how they will be regulated.
Under the DSL, the definition of data includes any information recorded in an electronic or any other form, and is similar to the data regulated under the CSL. Given the similarities in their application, further clarification is still needed on how the DSL will be implemented in conjunction with the CSL and data privacy legislation generally. This is especially necessary for the security of network data and personal data, particularly where the existing laws differ.
Data is to be classified as “important data”, “core data” and general data, with the classification based on its sensitive nature, impact on national security, and potential damage in case of data breach. These different types of data are not defined in the legislation, although the framework for coming up with the definition has now been provided.
As per Article 21 of the DSL, ‘important data’ will be defined within three regulatory ecosystems:
Care will need to be taken with these three different sources. While it is possible that the CAC will centralise such catalogues, that has not yet been decided which means that each of the relevant authorities will need to be considered.
The DSL is expressly not applicable to state secrets or military data.
The DSL imposes three core obligations on organisations that process important data:
The new DSL applies to businesses that operate within China as well as extraterritorially.
In particular, the DSL applies to and regulates any data processing outside of China (as long as the data had been transferred from the PRC) if these activities are considered to be in the public interest, national security or in the interests of any Chinese citizen or organisation.[1] Therefore businesses within Australia that process data collected or procured from China may need to consider whether the DSL applies to their activities.
Unfortunately, the DSL does not provide a unified approach to China’s data localisation and cross-border data transfer requirements and instead includes even more confusing requirements that conflict with other legislation. When considering their data localisation and cross-border data transfer strategies, organisations collecting data in China must continue to refer to an amalgamation of rules (in the CSL, DSL and draft Personal Information and Protection Law (‘PIPL’)) which comprise the current regulatory scheme.
DSL introduces separate frameworks for the cross-border transfer of “important data” by operators of Critical Information Infrastructure (“CII”) and other non-CII data processing entities. (CII operators are defined as operators which have been identified by Chinese authorities as being such. Being identified as a CII operator means that their data will be subject to the cybersecurity review process.)
The DSL re-emphasises the localisation requirements in the Cybersecurity Law for CII operators. Under the DSL, CII operators must follow the Cybersecurity Law rules, which require CII operators to locally store “important data” that is collected or generated in China and, if a cross-border transfer is necessary for business needs, to undergo a security assessment conducted by designated agencies. If a CII operator fails to comply with the DSL’s localisation requirements and transfers critical data to a foreign jurisdiction, the authorities can suspend, cease or revoke the business’s operational certificate or business licence.[2]
Non-CII operators must follow separate cross-border data transfer rules to be published by the Cyberspace Administration of China in collaboration with relevant departments.[3]
More information on localisation and cross-border transfer restrictions is here.
Entities that carry out data processing activities via the internet or other information networks[4] must comply with the data security requirements under the Multi-Level Protection Scheme (‘MLPS’), a mechanism mandated by the Cybersecurity Law. The MLPS allows the government to ‘classify’ a company’s network according to its potential impact on national security, social order and economic interests if the system is damaged or attacked. Data deemed more critical and of higher classification “will be subject to stricter management and protection requirements.”[5]
The DSL also imposes specific security requirements on entities that carry out data processing activities such as requiring those entities to adopt technical and necessary measures to safeguard data security.[6]
The DSL also introduces a form of mandatory data breach notification. If an entity discovers data security defects or breaches, it must inform users and unspecified ‘competent authorities’ immediately.[7] As covered above, there are additional responsibilities for entities that process ‘important data,’ including the appointment of a responsible person and internal department for data security and carrying out regular risk assessments and reporting on risk to competent authorities.[8]
The DSL specifically refers to China’s public security bureaus (China’s police) and national security agencies being able to request data for national security and criminal investigations as long as proper procedures are followed. Individuals and organisations are obliged to comply with such requests or receive large penalties.[9]
Companies that are incorporated in China therefore should exercise caution when attempting to rely on any privacy shields from other jurisdictions.[10]
Overall, the DSL will have significant impacts on data transfers and data collection, as well as giving Chinese agencies extensive rights of access to data held. It is another part of the complex maze of data security legislation that affects businesses in China.
data-security-law-bilingual.pdf (cov.com)
Data Security Law | Fieldfisher
China: The DSL and the concept of important data | Insights | DataGuidance
China’s Data Security Law: Some Expert Observations and Comments (china-briefing.com)
[1] https://www.reedsmith.com/en/perspectives/2021/06/china-passes-new-data-security-law.
[2] https://www.nortonrosefulbright.com/en/knowledge/publications/91893454/china-issues-new-draft-regulations-on-cybersecurity-review-for-public-comment.
[3] Article 31.
[4] http://www.npc.gov.cn/npc/c30834/202106/7c9af12f51334a73b56d7938f99a788a.shtml (Article 27).
[5] China: The DSL and the concept of important data | Insights | DataGuidance.
[6] Article 27.
[7] Article 29.
[8] Article 31.
[9] Article 35.
[10] Ibid.