The new Data Security Law (“Data Security Law”) of the People’s Republic of China (“PRC”) was first proposed in the legislative plan of the Standing Committee of the 13th National People’s Congress on 7 September 2018. After three deliberations and two public consultations, it was officially adopted on 10 June 2021 and implemented on 1 September 2021. This latest data law builds on the foundation laid down by the Cyber Security Law and, together with the Personal Information Protection Law (to be implemented on 1 November 2021), forms the legal framework regulating information and data security in the PRC, including limiting cross-border data flows and enforcing data localization.
We highlight below the key features of the new law:
The Data Security Law applies to a wide range of data and activities involving data processing within the PRC and those carried out outside the PRC which threaten the national security and public interests of the PRC or the legitimate rights of Chinese citizens or entities (Article 2). The new law thus has broad extraterritorial jurisdiction.
Article 2 of the Data Security Law defines “Data” as any record of information in electronic or other form, and “Data processing” as including the collection, storage, use, processing, transmission, provision and disclosure of data.
II. Export of important data
To restrict the exit of important data collected and generated by operators of critical information infrastructure during operations within the PRC, Article 31 of the Data Security Law provides that exit security management measures shall comply with regulations of the State Cyberspace Administration of China in conjunction with relevant departments of the State Council.
Article 37 of the Cyber Security Law further stipulates that critical information infrastructure operators that gather or produce personal information or important data during operations within the PRC shall store the data within mainland China. Where due to business requirements it is truly necessary to provide the data outside of mainland China, they shall follow the measures jointly formulated by the State Cybersecurity and Informatization Departments and the relevant departments of the State Council and conduct a security assessment.
In respect of important data collected and generated by other data processors in domestic operations, the relevant rules for data export security management are still unclear. Formal management measures will be issued. Until then, domestic enterprises should pay close attention to the compliance obligations relating to the export of important data.
III. Data to overseas judicial or law enforcement agencies
Pursuant to Article 36 of the Data Security Law, without the prior approval of the competent authority of the PRC, domestic organizations and individuals shall not provide data stored within the PRC to foreign judicial or law enforcement organizations (unless otherwise provided for under international treaties or agreements to which the PRC is a party). In other words, complying with a data access request from a foreign judicial or law enforcement organization may itself result in a violation of the Data Security Law.
Violation of Article 36 may lead to fines of up to RMB5 million for the enterprise and of up to RMB500,000 for the directly responsible executives; other penalties include closure of the business, revocation of the business license or forfeiture of illegal gains.
IV. Maintaining market competition by data processing activities
Article 51 of the Data Security Law provides that whoever excludes or restricts competition, or prejudices the legitimate rights and interests of individuals or organizations, by carrying out data processing activities on data that was stolen or obtained by other illegal means shall be punished in accordance with the relevant laws and administrative regulations.
This article would prohibit operators from excluding or restricting market competition in their business activities.
The Data Security Law reinforces that a data security protection system is fundamental to the field of network security. Therefore, enterprises should actively implement the network security hierarchical protection system in accordance with the requirements of the Cyber Security Law and the “hierarchical protection 2.0” series of standards, and carry out the hierarchical protection evaluation, rectification and filing.
Enterprises, especially those with cross-border business activities, should pay careful attention to the wide-ranging and extensive compliance requirements under the new Data Security Law and other laws and regulations concerning data privacy and cyber security. It will be necessary to review any new implementation rules and conduct internal due diligence to ensure compliance and avoid breach.
If you have any questions on the above eNews or require advice on the Data Security Law, experienced lawyers in our Intellectual Property & Media teams will be happy to assist you.