China Finalizes Data Security Law to Strengthen Regulation on Data Protection

On June 10, 2021, the Standing Committee of the 13th National People's Congress passed the long awaited People's Republic of China (China) Data Security Law ("DSL") after a final read of the third draft. The DSL, which takes effect on September 1, 2021, applies to all types of data processing activities, including collection, storage, use, refining, transmission, provision, and disclosure of data carried out within the territory of China. National security is a theme throughout the DSL, and its key provisions provide for: 

• Establishment of a data categorization and classification system that requires strengthened protection of "important data," and remains to be formulated by the relevant government agencies based on the impact any misuse or misappropriation of the data would have on, among other things, national security and public and private interests; 
• Implementation of the Multi-Level Protection Scheme ("MLPS") pursuant to the 2017 Cybersecurity Law, imposing different levels of security requirements based on the damage that would be caused to national security, social order, or public interest in the event of network disruptions or cybersecurity incidents;
• Tightened restrictions on transfer of data outside of China;
• Extensive data security obligations imposed on companies; and
• Severe penalties for violations of the DSL.

Key Changes in the Final DSL

Although the basic framework of the final DSL remains mostly unchanged since the prior two drafts were issued on July 3, 2020, and April 29, 2021, there are several key changes. The final DSL adds a new "national core data" category for data that impacts "national security, the lifelines of the national economy, are important to people's livelihood, and important to the public interest." Such data is subject to enhanced processing restrictions. The exact scope of these data categories are intentionally broad and vague to allow for flexible interpretation. This will add an additional level of uncertainty for business. In addition, the final DSL adds penalties for violating restrictions on processing of "national core data" and engaging in prohibited cross-border transfers of "important data." 

Extensive Obligations on Entities Engaging in Data Processing Activities 

The DSL contains an extensive framework for entities engaging in data processing activities, including obligations to: 

• Establish a data security management system, carry out security training, and implement security measures under the MLPS; 
• Designate a responsible data security person and establish a data security department; 
• Implement enhanced risk monitoring and take prompt remedial measures in the event of a data security incident; and 
• Conduct periodic risk assessments when handling "important data" and report to the relevant government agencies. 

For the cross-border transfer of "important data," the DSL establishes separate regulatory frameworks for Critical Information Infrastructure Operators ("CIIOs") and non-CIIOs. The former must follow the regulations under the Cybersecurity Law, and the latter must follow the rules to be promulgated by the Cyberspace Administration of China together with other relevant government agencies. The DSL hence clarified that the system of Chinese government approval required for cross-border transfer of important data under the Cybersecurity Law is not applicable to non-CIIOs, which is welcoming to companies doing business in or with China.

Cross-Border Transfer of Data in Legal Proceedings

The DSL expressly prohibits providing any data stored in China to law enforcement authorities or judicial bodies outside of China without prior Chinese government approval. This new requirement has a significant impact on cross-border litigation and other legal proceedings. For example, companies established in China, offering goods or services to data subjects in the EU, and which are therefore subject to the EU General Data Protection Regulation ("GDPR"), are required to obtain Chinese government approval before providing personal data collected from EU data subjects, and stored in China, to EU supervisory authorities, if such authorities request data when exercising their enforcement powers under the GDPR.

Severe Penalties for Violations of the DSL

The DSL imposes severe punishments for entities violating the law, including suspension of the business, revocation of the business license, fines up to RMB 10 million (US$1,560,000), and potential criminal penalties. Individuals directly responsible for violations may be subject to fines up to RMB 1 million (US$156,000) and potential criminal penalties. Entities may be punished for a failure to cooperate with the Chinese authorities' data requests, and for providing data to foreign judicial or law enforcement authorities without approval from relevant Chinese authorities.

Implementation 

As with many Chinese laws, much of the detail of how the DSL will work in practice will be set out in implementation rules that have yet to be issued and may not be issued before the DSL comes into force. "Important data," which are the focus of the DSL, are not defined in the DSL or other Chinese laws or regulations, although some draft regulations have attempted to define the term. This is likely to create ongoing uncertainty, similar to the 2017 Cybersecurity Law for which key implementing regulations have not yet been issued.