China's new data security law

Briefing

Those familiar with the EU GDPR and its UK equivalent will recognise many of the concepts and requirements in the PRC Personal Information Protection Law which took effect on 1 November 2021 (which we discuss here). However, the other major element of the PRC data protection regime focuses very much on national security and may be less familiar.

Data security, particularly where it impacts national security, is a politically sensitive subject in China and we have seen a number of legislative developments in this space including the PRC Cyber Security Law (CSL) which took effect in 2017, and the new PRC Data Security Law (DSL) that came into effect on 1 September 2021.

There are some complicated implications under the DSL that – besides regulatory challenges of a routine nature – may also have a structural impact on the China operations of international businesses.

What is covered by DSL?

The DSL applies to all data activities. Here "data" is defined broadly, referring to any record of information in electronic or non-electronic form and the term "data activities" refers to activities including, collecting, storing, processing, using, providing, trading or publishing data.

As expected, the DSL adopts an extraterritorial approach and, in addition to onshore data activities, applies to and may be enforced against any organisation or individual outside the PRC that conducts data activities jeopardising national security, public interest or the legitimate interests of citizens and organisations of the PRC. This potentially exposes relevant international companies to considerable legal uncertainty.

Important data

Of particular sensitivity is data which is designated as "important data". This term was used (but not defined) in the earlier CLS, and is also a feature of the DSL. The use of "important data" triggers a number of statutory obligations (Art. 27 & 30, DSL):

to specify a person and department to be in charge of and be responsible for data security
to regularly conduct a risk assessment (RA) on relevant data processing activities and submit an RA report to the competent authority; an RA report shall include details on the categories and quantity of important data processed, processing activities, security exposure and management measures, and
requirements to follow special rules (yet to be formulated) when such important data are exported; if a business qualifies as a "critical information infrastructure operator" (CIIO), its important data must be stored onshore, and any export shall be subject to prior administrative clearance.

The exact scope of important data is to be clarified by an important data classification system yet to be established. The contemplated classification will factor in:

the importance of the respective data in economic and social development, and
the gravity of damage it could cause to national security, public interest, legitimate interests of individuals/organisations should the data be altered, sabotaged, leaked, illegally obtained/used.

The issue of "state secrets" – which can be a headache for foreign companies when dealing with Chinese counterparties – is explicitly carved out from the DSL, and is regulated separately under the State Secret Protection Law.

Minimum compliance

Even if your business does not use "important data", you may still need to follow some general statutory legal principles when organising data activities.

Some of these relate to the higher Corporate Social Responsibility (CSR) expectation. For example, Article 28 of the DSL stipulates that data processing activities and new data technology R&D shall help economic and social development, shall promote the welfare of people, and shall be in line with social morale and ethics.

Obligations under the DSL, which are of a more generic IT security nature and apply to all companies, include the following:

To establish and complete a data security management system covering the "full process" (of data processing), and to undertake respective technical measures and other necessary measures to ensure security of data. If data processing activities are conducted based on an information network like the internet, data security obligations shall be performed on the basis of the Chinese multiple level protection scheme (等级保护制度).
To strengthen risk monitoring during data processing. Remedies shall be taken immediately when risks like security deficiency or loopholes are discovered. In the event of a security breach, immediate measures shall be taken and the the incident reported to users as well as to the competent authorities in a timely manner.

Some of these obligations were already addressed by the earlier CSL, and are now repeated with some slight differences under the DSL.

Actions to take now

The DSL remains very general but is now quickly being supplemented by implementing details. For example, in late September 2021, draft national standards on the classification of "important data" were published. As the regime is developing very quickly, businesses need to keep a close watch on legislative developments in the data security space.

International businesses should pay particular attention to their cross-border data transfers (both intra-group and to third parties). Potential sensitivities associated with the concept of important data may result in the need to revisit and adjust data transfer models to mitigate regulatory exposure under the PRC laws.

On top of this, Chinese subsidiaries will need to report to Chinese authorities and get prior approval before they can transfer any onshore data to their foreign head office or if required to make a transfer by a foreign court or law enforcement agency (Article 33, DSL). This requirement will become quite a challenge for international companies especially when organising a global investigation case that requires data cooperation from the PRC side.

Businesses should already be implementing the minimum compliance measures discussed here and should revisit data practices now and as further detail around compliance emerges.