Those familiar with the EU GDPR and its UK equivalent will recognise many of the concepts and requirements in the PRC Personal Information Protection Law which took effect on 1 November 2021 (which we discuss here). However, the other major element of the PRC data protection regime focuses very much on national security and may be less familiar.
Data security, particularly where it impacts national security, is a politically sensitive subject in China and we have seen a number of legislative developments in this space including the PRC Cyber Security Law (CSL) which took effect in 2017, and the new PRC Data Security Law (DSL) that came into effect on 1 September 2021.
There are some complicated implications under the DSL that – besides regulatory challenges of a routine nature – may also have a structural impact on the China operations of international businesses.
The DSL applies to all data activities. Here "data" is defined broadly, referring to any record of information in electronic or non-electronic form, and the term "data activities" refers to activities including collecting, storing, processing, using, providing, trading or publishing data.
As expected, the DSL adopts an extraterritorial approach and, in addition to onshore data activities, applies to and may be enforced against any organisation or individual outside the PRC that conducts data activities jeopardising national security, public interest or the legitimate interests of citizens and organisations of the PRC. This potentially exposes relevant international companies to considerable legal uncertainty.
Of particular sensitivity is data which is designated as "important data". This term was used (but not defined) in the earlier CSL, and is also a feature of the DSL. The use of "important data" triggers a number of statutory obligations (Art. 27 & 30, DSL):
The exact scope of important data is to be clarified by an important data classification system yet to be established. The contemplated classification will factor in:
The issue of "state secrets" – which can be a headache for foreign companies when dealing with Chinese counterparties – is explicitly carved out from the DSL, and is regulated separately under the State Secret Protection Law.
Even if your business does not use "important data", you may still need to follow some general statutory legal principles when organising data activities.
Some of these relate to the higher Corporate Social Responsibility (CSR) expectations. For example, Article 28 of the DSL stipulates that data processing activities and new data technology R&D shall help economic and social development, shall promote the welfare of people, and shall be in line with social morals and ethics.
Obligations under the DSL, which are of a more generic IT security nature and apply to all companies, include the following:
Some of these obligations were already addressed by the earlier CSL, and are now repeated with some slight differences under the DSL.
The DSL remains very general but is now quickly being supplemented by implementing details. For example, in late September 2021, draft national standards on the classification of "important data" were published. As the regime is developing very quickly, businesses need to keep a close watch on legislative developments in the data security space.
International businesses should pay particular attention to their cross-border data transfers (both intra-group and to third parties). Potential sensitivities associated with the concept of important data may result in the need to revisit and adjust data transfer models to mitigate regulatory exposure under the PRC laws.
On top of this, Chinese subsidiaries will need to report to Chinese authorities and get prior approval before they can transfer any onshore data to their foreign head office, or before they can make a transfer required by a foreign court or law enforcement agency (Article 33, DSL). This requirement will become quite a challenge for international companies, especially when organising a global investigation that requires data cooperation from the PRC side.
Businesses should already be implementing the minimum compliance measures discussed here and should revisit data practices now and as further detail around compliance emerges.