China’s new Data Security Law (DSL): Another piece in a complex puzzle
China has released a new Data Security Law that adds to the existing web of data security regulation.
The Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) released its new Data Security Law (‘DSL’) on 10 June 2021, with the new law coming into effect on 1 September 2021.
This law can be treated as another pillar of China’s legal framework on information security and data (privacy) protection, together with the Cybersecurity Law (CSL) from 2017 which is focused on network security and the Personal Information Protection Law (PIPL), which is at the second reading stage and expected to be published later this year.
The DSL contains 7 chapters and 55 articles in total with many of the key provisions primarily relating to data security systems and how they will be regulated.
What’s Covered by the DSL?
Under the DSL, the definition of data includes any information recorded in an electronic or any other form, and is similar to the data regulated under the CSL. Given the similarities in their application, further clarification is still needed to identify how the DSL will be implemented in conjunction with the CSL and data privacy legislation generally. This is especially necessary regarding security for network data and personal data, particularly where there are differences between the existing laws.
Data is to be classified as “important data”, “core data” and general data, with the classification based on its sensitive nature, its impact on national security, and the potential damage in case of a data breach. These different types of data are not defined in the legislation, although the framework for arriving at the definitions has now been provided.
As per Article 21 of the DSL, ‘important data’ will be defined within three regulatory ecosystems:
- on a regional basis, meaning that the definition of important data could vary between regions such as Sichuan and Shaanxi;
- on a department of the state council basis, meaning that the definition of important data could change depending on which department is relevant to a company; and
- on an industrial basis, meaning that important data could further vary depending on the sector or industry.
Care will need to be taken with these three different sources. While it is possible that the Cyberspace Administration of China (CAC) will centralise such catalogues, that has not yet been decided, which means that each of the relevant authorities will need to be considered.
The DSL is expressly not applicable to state secrets or military data.
Application of DSL to important data
The DSL imposes three core obligations on organisations that process important data:
- personnel and management bodies with responsibility for implementing data security protection for that important data must be specified;
- a periodic risk assessment report must be provided for important data handling activities and submitted to the relevant governmental department; and
- cross-border transfer restrictions will apply. This is covered further below.
Extra-territorial operation of DSL
The new DSL applies to businesses that operate within China as well as extraterritorially.
In particular, the DSL applies to and regulates any data processing outside of China (as long as the data had been transferred from the PRC) if these activities are considered to affect the public interest, national security or the interests of any Chinese citizen or organisation. Therefore, businesses within Australia that process data collected or procured from China may need to consider whether the DSL applies to their activities.
Restrictions on localisation and cross border transfers
Unfortunately, the DSL does not provide a unified approach to China’s data localisation and cross-border data transfer requirements and instead adds further confusing requirements that conflict with other legislation. When considering their data localisation and cross-border data transfer strategies, organisations collecting data in China must continue to refer to an amalgamation of rules (in the CSL, the DSL and the draft Personal Information Protection Law (‘PIPL’)) which together comprise the current regulatory scheme.
The DSL introduces separate frameworks for the cross-border transfer of “important data” by operators of Critical Information Infrastructure (“CII”) and by other, non-CII, data processing entities. (CII operators are defined as operators which have been identified by Chinese authorities as such. Being identified as a CII operator means that their data will be subject to the cybersecurity review process.)
The DSL re-emphasises the localisation requirements in the Cybersecurity Law for CII operators. Under the DSL, CII operators must follow the Cybersecurity Law rules, which require CII operators to locally store “important data” that is collected or generated in China and, if a cross-border transfer is necessary for business needs, to undergo a security assessment conducted by designated agencies. If a CII operator fails to comply with the DSL’s localisation requirements and transfers critical data to a foreign jurisdiction, the authorities can suspend, cease or revoke the business’s operational certificate or business licence.
Non-CII operators must follow separate cross-border data transfer rules to be published by the Cyberspace Administration of China in collaboration with relevant departments.
More information on localisation and cross-border transfer restrictions is here.
Data security obligations
Entities that carry out data processing activities via the internet or other information networks must comply with the data security requirements under the Multi-Level Protection Scheme (‘MLPS’), which is a mechanism mandated by the Cybersecurity Law. This allows the government to ‘classify’ a company’s network according to its potential impact on national security, social order and economic interests if the system is damaged or attacked. Data deemed more critical and of higher classification “will be subject to stricter management and protection requirements.”
The DSL also imposes specific security requirements on entities that carry out data processing activities, such as requiring those entities to adopt the technical and other necessary measures to safeguard data security.
The DSL also introduces a form of mandatory data breach notification. If an entity discovers data security defects or breaches, it must inform users and unspecified ‘competent authorities’ immediately. As covered above, there are additional responsibilities for entities that process ‘important data’, including the appointment of a responsible person and an internal department for data security, and carrying out regular risk assessments and reporting on risk to the competent authorities.
Chinese government access to data and restrictions for Foreign Investigations
The DSL specifically refers to China’s public security bureaus (China’s police) and national security agencies being able to request data for national security and criminal investigations as long as proper procedures are followed. Individuals and organisations are obliged to comply with such requests or face large penalties.
Companies that are incorporated in China therefore should exercise caution when attempting to rely on any privacy shields from other jurisdictions.
Overall, the DSL will have significant impacts on data transfers and data collection, as well as giving Chinese agencies extensive rights of access to data held. It is another part of the complex maze of data security legislation that impacts businesses in China.
Article 31.
Article 27.
Article 29.
Article 31.
Article 35.