The Data Security Law of the People’s Republic of China (hereinafter referred to as the “Data Security Law”) was adopted and promulgated by the 29th Meeting of the Standing Committee of the 13th National People's Congress of the People's Republic of China (hereinafter referred to as the “PRC”) on 10 June 2021 and shall be implemented as of 1 September 2021.
The Data Security Law and the forthcoming Personal Information Protection Law of the PRC will be the two most important basic laws that detail and strengthen, respectively, the protection of data and of personal information as outlined in the Cybersecurity Law of the PRC. This article briefly summarizes the key provisions on data security compliance obligations for companies that process data, as follows:
1. Basic Terminology
Data: It refers to any record of information, regardless of whether it is recorded electronically or in other means.
Data processing: It includes the collection, storage, use, processing, transmission, provision and disclosure of data.
Data security: It refers to the adoption of the necessary measures to ensure that data is effectively protected and lawfully used, together with the ability to keep the data in a continuously secure state.
2. Scope of Application
The Data Security Law applies to those data processing activities conducted within the territory of the PRC and the security administration over such activities.
Based on the definition of the term “data” under the Data Security Law, the processing of information recorded by means other than electronic form is also governed by it. Processing activities for information recorded on paper, etc. therefore fall within its scope, which expands the scope of data subject to security measures beyond that defined under the Cybersecurity Law of the PRC.
Moreover, the Data Security Law applies extraterritorially to processing activities conducted outside the territory of the PRC where such activities impair the PRC’s national security, the public interest, or the legitimate rights and interests of citizens and organizations. Liability shall be imposed for such harmful data processing activities.
3. General Requirements on Data Processing
Chapter 4 “Obligations of Data Security Protection” of the Data Security Law sets out the requirements on processing of data, including important data and national core data. The following outlines the general requirements on data processing activities:
(a) The general principles for conducting data processing activities are as follows: laws and regulations shall be followed; social ethics shall be respected; business ethics and professional ethics shall be observed; national security and the public interest shall not be endangered; and the legitimate rights and interests of individuals and organizations shall not be impaired.
(b) Collection of data shall be carried out in legitimate and fair ways, and theft or illegal collection of data is not permitted. Where the laws and administrative regulations stipulate the purpose and scope of collecting and/or using the data, the data shall be collected and/or used within the prescribed purpose(s) and scope.
(c) Data processors shall, on the basis of the network security graded protection system, perform the data security obligations set out in the Data Security Law, including establishing whole-process data security management rules, organizing and implementing data security training, and adopting appropriate technical measures and other necessary measures in accordance with the laws and regulations.
(d) Data processing activities (and research and development of data related new technology) shall be carried out in order to facilitate the economic and social development, promote the welfare of the people and in compliance with the social public ethics. (This provision may have been included to set principles in terms of AI research and development, etc)
(e) Monitoring of data processing activities shall be strengthened, and remedial measures shall be taken immediately upon discovery of data security defects, vulnerabilities or other risks.
(f) In case of data breach, responding measures shall be taken immediately, and disclosure to users and report to the competent authorities shall be made in a timely manner.
(g) Relevant parties shall cooperate with the public security authorities and the national security authorities by providing the data required for the purpose of safeguarding the national security or investigating crimes.
(h) Without the approval of the competent authorities, domestic organizations and individuals shall not provide data stored within the territory of the PRC to foreign judicial or law enforcement agencies. (There are tricky scenarios in which companies may have to determine whether their data processing activities are regulated by this clause. For example, an overseas recipient subject to its home country’s compliance requirements may have to provide data received from a Chinese data processor to the competent authorities of its home country as required; and a Chinese entity may have to provide data to judicial authorities or law enforcement agencies located outside the territory of the PRC in the course of international dispute resolution. The key question is whether such indirect provision of data to foreign judicial or law enforcement agencies is subject to approval by the Chinese competent authorities.)
4. Important Data
(a) Data Classification and Hierarchical Protection
Article 21 of the Data Security Law specifies that the State establishes a data classification and hierarchical protection system. According to the importance of data in economic and social development, as well as the degree of harm it will cause to national security, public interests, or legitimate rights and interests of individuals or organizations where the data is tampered with, destroyed, leaked, or illegally acquired or used, the data is classified, and appropriate level of protection measures shall be ensured for the respective categories of data.
(b) Identification of Important Data
The Cybersecurity Law of the PRC sets preconditions for transferring important data of critical information infrastructure operators (hereinafter referred to as the “CIIO”) collected and generated during their domestic operations to overseas recipients. The Cybersecurity Law of the PRC also sets requirements for all network operators to back up and encrypt the important data.
However, neither what constitutes important data nor how to identify it is defined. Since the adoption and implementation of the Cybersecurity Law of the PRC, and the subsequent release of certain draft guidelines and regulations, the identification of important data and of CIIOs has been a hot topic and a tough task for companies seeking to comply with data protection requirements, as no explicit provisions exist in effective laws or administrative regulations in this regard.
Now the Data Security Law sheds light on the identification of important data. According to Article 21 thereof, the national data security work coordination mechanism shall coordinate relevant government departments to formulate important data catalogs and strengthen the protection of important data. All regions and departments shall, in accordance with the data classification and hierarchical protection system, determine specific catalogs of important data in their respective regions, departments, and related industries and fields, and implement key protection measures on the data included in the catalog.
In addition, data related to the national security, lifeline of the national economy, important welfare of the citizens, and major public interests belong to the national core data, for which more stringent management system shall be implemented.
Companies should therefore monitor the important data catalogs to be formulated by the respective competent authorities, refer to such catalogs to identify whether the data they process constitutes important data (and, if so, the scope of that important data), and adopt the corresponding protection measures required by the applicable laws, such as the Data Security Law. It is equally important to monitor possible upcoming legislative activity on the identification of national core data and to follow the more stringent protection requirements to be set in the future.
(c) Compliance Requirements on Important Data
In addition to the general requirements on data security, Articles 27 and 30 of the Data Security Law set more stringent requirements on the processing of important data:
· The processor of important data shall designate the personnel and management institution responsible for the data security so as to implement the responsibilities of protecting security of the data.
· The processor of important data shall periodically a) carry out risk assessment for its data processing activities, b) prepare the risk assessment report covering the contents of types and volume of the important data, status of the processing activities, the data security risks and the responding measures, etc., and c) file the risk assessment report with the competent authorities.
(d) Transfer of Important Data to Overseas Recipients
The Data Security Law treats the transfer of important data of CIIOs and that of other data processors to overseas recipients differently. According to Article 31 thereof, transfer of important data collected and generated during the CIIOs’ domestic operations to overseas recipients shall be subject to the provisions of the Cybersecurity Law of the PRC[i]; as for other data processors, the State Cyberspace Administration Authorities will, together with the relevant departments of the State Council, formulate measures to govern the transfer of important data to overseas, which is collected and generated during such other data processors’ domestic operations.
5. Data Transaction
According to Article 7 of the Data Security Law, the State encourages the lawful free flow of data and promotes the development of the digital economy with data as a key element, while protecting the rights and interests of individuals and organizations related to data. This indicates that a balance is to be maintained between the free flow of data and the legitimate rights and interests protected by law.
Article 19 of the Data Security Law stipulates that the State shall establish and improve the data transaction administration rules, regulate the data transaction activities and promote the data transaction market.
According to Article 33 thereof, the agencies providing data transaction related services shall require the party providing the data to provide the sources of the data, inspect the identity of the transaction parties and maintain the record of the inspection and transactions.
The author considers that detailed measures on data transaction may have to be formulated to facilitate the transaction of data and boost the digital economy.
6. Administrative Penalties
(a) Various competent authorities
In line with the powers and responsibilities set out in the Cybersecurity Law of the PRC, the State’s cyberspace administration authorities will be responsible for overall planning and coordination of data security supervision, while the competent authorities in charge of the respective industries (such as telecommunications, finance, etc.) will supervise data security within their respective industry or sector. The public security authorities and national security authorities will perform data security supervision powers and responsibilities in accordance with the laws and administrative regulations.
(b) Administrative measures against data security risks / non-compliance
· The competent authorities can conduct interviews with the relevant parties and order implementation of rectifications to eliminate such potential risks according to the law if they have identified major risks for data processing when performing their data security responsibilities.
· Various penalties may be imposed for violations of data security obligations, such as ordering rectification, issuing warnings, and imposing monetary fines on the entity as well as on the supervisor directly in charge and other personnel directly responsible for the violation; for serious violations, penalties such as suspension of the relevant business, revocation of business approvals and/or licenses, etc., can be imposed.
· Monetary penalties up to 10 million may be imposed on violations specified in the Data Security Law. Such violations include: i) severe violation of provisions of Article 31 regarding transfer of important data to overseas recipients (and up to RMB 1 million may be imposed on the supervisor directly in charge and other personnel directly responsible for the violation); ii) violation of the national core data management system, endangering national sovereignty, security and development interests.
Legitimate collection and use of data as well as ensuring security of data will be necessary for smooth transfer / transaction of data. We expect that the Data Security Law will facilitate the smooth transfer of data while stressing security obligations by the processors processing the data and supervision over data security by the competent authorities. Certainly, alerts shall be kept on subsequent measures and regulations to be adopted which clarify or detail those respective obligations set out in the Data Security Law.
[i] Where important information collected and generated during domestic operations has to be provided abroad for business purposes, a security assessment shall be conducted pursuant to the measures developed by the Cyberspace Administration Authorities together with the competent departments of the State Council, unless otherwise provided for in laws and administrative regulations, in which case such laws and administrative regulations shall prevail.