Cross-border investigation from China’s new Data Security Law
On June 10, 2021, the Standing Committee of China's National People's Congress released the official version of the Data Security Law (DSL), which will come into force on September 1, 2021. This article highlights the key differences between the official version and the two previously published draft versions and their potential implications, in particular with respect to cross-border compliance and investigations.
1. Key highlights of the Data Security Law
(A) Multiple levels of government involvement
Pursuant to Article 6 of the DSL, the government authorities responsible for enforcing the DSL are divided into three different levels:
(1) departments responsible for overseeing specific industries, including but not limited to industrial, telecommunications, transportation, finance, natural resources, health, education, and science and technology, shall each supervise data security in their respective industries;
(2) the public security and national security authorities shall supervise data security with respect to matters that fall within their respective purview; and
(3) the national cyberspace authority shall be responsible for conducting overall coordination of cyber data security and related supervision work.
Depending on the situation and industry, one or more levels of oversight may be involved in the approval process; for example, a telecommunications company may require the approval of both the industry-specific department and the national cyberspace authority before engaging in cross-border data transfer. It is therefore imperative for Chinese entities to identify the competent government authorities and apply for approval accordingly.
(B) Multiple layers of data protection systems and mechanisms
Article 21 authorises the creation of a "Categorised and Hierarchical Data Protection System" and "National Data Security Work Coordination Mechanism" to further classify and protect important data. The National Data Security Work Coordination Mechanism, for example, will coordinate relevant government authorities to formulate a catalogue of important data to strengthen the protection of such data. Other functions of these two systems are scattered throughout other articles of the DSL.
Although we are waiting for more details to be released, it is already clear at this stage that the Chinese government is placing heavier emphasis on multi-layered data protection and collaboration between authorities at different levels to enforce data security. This is in line with China's traditional approach of coordinating different governing bodies for important or urgent matters. We expect to see more detailed guidelines regarding these two systems in due course.
(C) Increased restrictions on transferring data to foreign judicial or law enforcement authorities
A new Article 36 provides that "without approval of the competent authority of China, a domestic organization or individual shall not provide data stored in the territory of China to any foreign judicial or law enforcement authority." This article was absent from the two draft versions.
Prior to the DSL, restrictions with respect to international judicial assistance only applied to criminal cases. The DSL therefore expands the scope of such restrictions to non-criminal matters involving any judicial or law enforcement authority.
Violation of Article 36 may result in a fine of up to RMB5 million and/or suspension or revocation of business licenses (for legal entities) or a fine from RMB50,000 to 500,000 (for individuals).
2. Potential implications
The DSL is only a broad framework and we anticipate that the relevant authorities will issue specific guidelines for practical matters in due course. In particular, we look forward to clarification regarding:
(i) the approval process, i.e. whether there will be a separate approval authority (if so, what is the identity of this authority) or a joint approval mechanism; and
(ii) the current list of foreign "law enforcement authorities" that are subject to the Article 36 restrictions and the factors in determining whether a particular foreign authority will be designated as a "law enforcement authority".
In the meantime, we observe several immediate implications:
(A) Impact on cross-border investigations involving companies with operations in China
In light of the new data transfer restrictions in the DSL, multinational corporations with operations in China should begin to review their data storage arrangements and cross-border transfer needs (including routine data transfer for daily operations) and determine whether changes are necessary to, among other things, facilitate cross-border investigations.
(B) Protection against foreign investigation
Increased limitations on international judicial assistance will further hinder investigations of Chinese companies initiated by overseas judicial or law enforcement authorities, since release of relevant data will be subject to additional approvals from the relevant authority or authorities.
(C) Data screening
Companies should start to adopt a practice of screening data for sensitive information in preparation for seeking approval where it is anticipated that the data will be transferred outside of China. A common scenario is where the data of a China-based entity is first submitted to its local headquarters but will ultimately be submitted to an overseas authority; particular care should be taken to ensure that such activities do not breach the DSL.
Together with the 2017 Cybersecurity Law, the DSL sets out detailed requirements for data storage and cross-border transfers and reflects the Chinese government's increasing focus on tightening China's data security framework. Companies should in particular be aware of the new approval requirements and restrictions on international judicial assistance.









