On 3 July 2020, the National People’s Congress (NPC), China’s top legislature, presented its draft Data Security Law (DSL) to the public to solicit their comments by 16 August 2020.
The DSL process was obviously fast tracked compared with the legislative pacing for other draft laws on the NPC agenda for 2020. While the Cyber Security Law (CSL), effective since 1 June 1 2017, seems to regulate the same topic, it is a different law.
What are the exact differences and implications that international businesses should take note of? What does it mean for businesses that have designed their privacy management around the GDPR? What needs to be done to align them to the proposed law in China?
Here are some quick takeaways from our data protection and compliance specialists.
Article 2 of the DSL stipulates that data activities conducted within the PRC shall be subject to this law. For the purpose of the DSL, the term "data" refers to any record of information in electronic or non-electronic form and the term "data activities" refers to activities which, among others, collect, store, process, use, provide, trade or publish data. Since both are very broad terms and the CSL already addresses similar concepts such as "network data" – ie various electronic data collected, stored, transmitted, processed and generated through network – there will be discernible overlaps between the two laws.
Although the CSL is meant to apply more to cyber-related matters (eg IT infrastructure and operators) and the DSL to focus more heavily on data matters (ie information record in cyber and non-cyber world), confusion, and potential conflict between the two laws could easily arise. Worth noting is that the scope of data under the DSL is broader than the usual data thought of in the IT world – it also covers data in the offline world (eg data in isolated media or on an offline computer and even data in traditional paper-based forms).
Though Articles 49 and 50 of the DSL explicitly stipulate that data activities concerning state secrets or military matters shall be regulated separately – for example, by the State Secret Protection Law – the emphasis of the law (Article 4) is on an overall national security approach. It aims to do this by establishing and improving data security governance, as well as increasing competencies to ensure data security and, as such, closely linking this law and the country’s political concerns. This could potentially mean that when assessing a specific legal issue in the context of the DSL, potential political sensitivity also needs to be taken into consideration.
It is clear that any data activities within the PRC shall be regulated by this law, according to Article 2 of the DSL. What is important to know is that the DSL is taking a "long reach" approach by stipulating in the same article that legal liabilities shall also be pursued against any organisation or individual outside the PRC that conducts data activities jeopardising national security, public interest or legitimate interest of citizens and organisations of the PRC. Such a provision could expose international companies to considerable legal uncertainties, provided their routine course of business touches upon data processing activities (which is inevitable in today’s digitalised world).
Besides companies in the business world, the DSL will also impact activities conducted by foreign governmental agencies and even countries. Article 33 of this law stipulates that when a foreign law enforcement agency requests to retrieve data stored within the territory of the PRC, relevant organisations and individuals shall report to the competent PRC authority for approval. They will then need to obtain clearance before providing such data, unless there is already bilateral treaty or international convention which provides for other arrangements. Such a statutory requirement reads very similar to that on data export control under Article 37 of the CSL, which could easily cause a dilemma for international businesses (eg when handling a global investigation case that requires cooperation from the PRC).
The above conflicting situation could also arise at a country-to-country level, especially due to the reciprocity principle outlined in Article 24 of the DSL. It provides that the PRC may take retaliatory measures should any other country or region impose discriminatory prohibition, restriction, or other similar measures against the PRC in the field of investment and trading relating to data and data exploration/exploitation technologies.
Though still a draft law, the high speed of the DSL’s legislation process should be a solid reason for companies to begin assessing the gap between their current modus operandi and the new statutory requirements under the DSL now.
Explicit obligations outlined by the DSL include those below, which for many international companies should not sound unfamiliar, since these requirements are very close to those under the European GDPR:
The DSL is part of an ongoing exercise by China to establish a more comprehensive system for safeguarding national security. It also addresses some high-level topics such as a multiple-level data protection scheme, a national-level assessment and contingency mechanism, and a data-related national security review system. The strong political concerns that can be detected behind this draft law reflect China’s determination to safeguard its digital sovereignty, particularly in the face of pressure from the outside for “de-coupling”.
Irrespective of all the political sensitivities, those who have already been making an effort to implement European GDPR compliance need not worry too much. As discussed above, many regulatory obligations addressed in the DSL essentially approximate those under the GDPR. However, at first glance, it is already possible to identify areas in which the DSL will go beyond the standards of the GDPR and thus to a certain extent require an adjustment of GDPR-oriented privacy concepts in the company.
Certainly, the material scope of application of the DSL seems to go beyond the scope of the GDPR, at least in part. This is because it may also cover data sets that are not electronically processed (paper files), which is the exception rather than the rule under the GDPR. Companies are already familiar with the concept of Privacy Impact Assessments (PIAs) under the GDPR. The GDPR thus only provides for the fact that the results of these assessments must be shared with the supervisory authorities in individual cases within narrow limits, and may at least require a review of the processes established in the company based on the DSL requirements. Since the DSL also requires a person responsible for data security to be appointed, this may necessitate the examination and, if necessary, adjustment of the governance structures.
These examples show that – depending on the interpretation of the law through local authorities – businesses should engage specialists to check through their current set-up to ensure necessary local adaptation and the implementation of China specifics. In particular, they need to examine and assess their potential exposure under the DSL, as even being located outside China is not a safe haven from the long reach of this law. The same also applies to companies’ existing legal tactics when dealing with partners from China.
For example, resorting to litigation or law enforcement in a home country may be easy to initiate but could be detrimental to an effective outcome, since any enforcement could potentially run into obstacles under the DSL. The real challenge brought by the DSL is thus not only to carry out regulatory compliance checks and make improvements, but also to rethink more strategically and – where necessary – adjust current approaches on how to deal with and manage data activities in (and with) China.