One shoe has dropped - China promulgates Data Security Law
China's new Data Security Law (DSL) was promulgated on 10 June and will take effect from 1 September this year. Being the first fundamental law on data security in China, the DSL sets out the overall principles and structure of China's data security legal regime from a national security and sovereignty point of view. The theme of the DSL is the security of both personal and non-personal data, which sets it aside from the Cybersecurity Law (2017) that focuses on the security of information infrastructure, networks and systems, and also from the draft Personal Information Protection Law (draft PIPL) which regulates the processing of personal information.
It took less than a full year for the DSL to be formalised since the first draft was released in July 2020, during which the law went through three readings at the national legislative body and two public consultations. This shows the legislators' determination to pass the law as a priority, and indeed many of its provisions suggest that the state is taking a very active and leading role in the decision-making and foundation building process concerning data security.
Below we highlight some of the key features of the DSL that particularly catch our eyes and may have the most direct impacts on companies' data practice.
Extra-territorial effect
The DSL will apply to data processing activities that occur within the territory of China, as well as those conducted outside of China to the detriment of the national security, public interest or the lawful rights and interests of any citizen or organisation of China. This means international companies that carry out data processing activities relevant to Chinese citizens, organisations and national security and interest of China may also be caught within the applicability scope of the DSL.
Categorised and hierarchical data protection system
This is one of the features of the law that has attracted the most heated discussion in the market. The state shall categorise data in accordance with its importance to the economy and society and the potential level of risk to national security, public interest or the legitimate interests of individuals and organisations if such data is leaked, illegally obtained, damaged or tampered with.
The state will apply layered levels of protection to different categories of data. This is in line with the risk-based approach taken by the Cybersecurity Law. The DSL expressly mentions two categories of data: "state core data" and "important data".
The responsibility to formulate the specific catalogues of "important data" falls on regional and sectoral regulators. The term "important data" was first brought up in the Cybersecurity Law in the context of cross-border data transfer restrictions. Although there have been many attempts in subsequent draft laws and national standards to specify the scope of "important data", to this date there is no official list. With the promulgation of the DSL, we hope this can be clarified soon so as to give companies certainty on their respective compliance obligations.
Obligations of "important data" processors
The DSL sets out several additional requirements for processors of "important data". For example, such processors shall conduct periodic risk assessments of their data processing activities and submit the reports to the competent regulators. The risk assessment report shall cover the following items: the types and quantity of "important data" that is processed, details of the data processing activities, data security risks and mitigating measures. Note that this risk assessment is different from the risk assessment of high-risk personal information processing activities required under the draft PIPL.
Processors of "important data" shall also appoint a data security officer and a data security responsible body. This data security officer is a separate role from the network security officer under the Cybersecurity Law and the personal information protection officer under the draft PIPL. It is not clear from the law whether it is permissible to have one person wearing multiple hats, or perhaps the real question should be whether that person is competent to shoulder all of these responsibilities.
Cross-border data transfer
The DSL largely follows the same logic as the Cybersecurity Law in terms of cross-border data transfer: if "important data" collected and generated by Critical Information Infrastructure operators (operators of information infrastructure that is strategically important to national security and public interest) during their operation within China is to be provided overseas, it shall be subject to a security assessment. "Important data" collected and generated by other data processors shall be subject to measures to be formulated by the regulators. We should point out that detailed rules on the requirements and procedures of such security assessments are still pending.
Government data access requests
The DSL reiterates that government data access requests for crime investigation and national security purposes shall follow strict approval procedures, and that organisations and individuals shall cooperate with legitimate requests.
Data access requests made by foreign authorities shall be processed by the competent Chinese authority in accordance with relevant laws and international conventions or treaties, or on the principle of equality and reciprocity. Without the approval of the Chinese authority, no domestic organisation or individual may provide data stored in the territory of China to the requesting foreign authority.
Data export control and countermeasures
Data can be the subject of export control measures. The state has the power to undertake countermeasures against discriminatory foreign restrictions and policies.
The promulgation of the DSL is one significant step taken by Chinese legislators towards a systematically sophisticated data security legal framework. Although there are plenty of gaps to be filled by lower-level rules, we can clearly see the overarching theme of national security and data sovereignty running through the law. In the less than three months before the law takes effect on 1 September, we recommend that companies take prompt action to comb through their data flows, identify those that are potentially subject to stricter security requirements, and get ready to implement further organisational measures (putting policies in place and designating responsibilities) to comply with the law. With the DSL promulgated and the draft PIPL nearing its final form, it is vital to keep a close eye on the development of the draft PIPL and how it may interplay with the DSL.