China’s New Data Security Law
By Art Dicker and Robin Tabbers
Online data protection was not a regulatory priority in China for a long time, but companies should be aware that China is now stepping up its game with the new Data Security Law (DSL), which was passed on 10 June 2021 and comes into effect on 1 September 2021. A separate draft of the Personal Information Protection Law (PIPL) has also been circulating and is expected to be passed and come into effect at the end of 2021. The official Chinese version of the DSL can be found here and an unofficial English translation can be found here.
In contrast to the PIPL's focus on personal information, the DSL addresses data of all types, with perhaps more emphasis on the handling of non-personal information. So what does this mean for you as a company operating in China or collecting data in or related to China?
Jurisdiction & Scope
The overarching goal of the law is clear: to connect data security more directly to national security. The law's jurisdiction covers data-related activities not only in China but also outside China where those activities could harm China's national security, public interest, or the legal interests of citizens and organizations in China. Many of the specifics are left to implementing regulations that have yet to be issued, but the mandate is already there: obligations to build better training, education, and data security management systems, as well as protections and risk mitigation for cybersecurity incidents and data breaches.
The processing of "important" data must be supervised by a designated person and a company department charged with maintaining data security, conducting risk assessments, and reporting to the relevant government authority. Even stricter requirements and penalties will apply to the mishandling of so-called "core state data," the compromise of which is seen as endangering the nation's sovereignty, security, or development interests.
Perhaps the most direct impact on international companies with operations in China (as well as Chinese companies with operations abroad) is the increased scrutiny of cross-border data transfers.
Different requirements will apply to different types of data. Certain "important" data will be subject to government approval before it may be transferred out of the country, while data collected or produced by critical information infrastructure operators must comply with the security management requirements for data export under the 2017 Cybersecurity Law. Certain other types of "controlled data" will also be subject to export control regulations, which are still to be developed.
Finally, government approval is required before a company or individual may provide data stored in China to a foreign judicial or law enforcement authority. Here the elevation of data security to a matter of national security is especially clear, as is China's increasing willingness to create and use its own laws in response to laws of other countries that are seen to have a direct impact in China.
For the most part, we will have to wait for the more specific implementing regulations to get a sense of the true effect on multinational companies doing business in China. But even before those regulations arrive, companies engaged in cross-border business should review what type of information they collect, process, and, most importantly, transfer out of the country, in anticipation of tighter requirements coming into effect. This includes starting to think about a preliminary playbook for responding to foreign regulators' requests for information residing in China.
Art Dicker and Robin Tabbers, together with the Compliance Team of R&P China Lawyers, frequently advise international companies that collect or handle data on their data compliance risks in China. Feel free to contact the authors if you wish to assess or reduce your company's compliance risks.