Unpacking China’s New Data Security Law And Privacy Legal Framework
If you’re a multinational enterprise (MNE) that does business in or with China, you’re likely aware of the Data Security Law (DSL) that went into effect on September 1, 2021. The DSL adds to an increasingly comprehensive legal framework for information and data security in China. The law also imposes extensive data processing requirements and imposes potentially severe penalties for violations.
This article attempts to share a high-level overview of the DSL and put into context the overall state of data governance in China. First, a disclaimer: This article isn’t legal advice. Instead, it is a high-level look at a new set of data governance and regulations that affect our customers. We do recommend that you seek guidance from your legal department and other relevant experts.
A Brief Recap Of China’s Recent Data Security Initiatives
The recent legal moves by China over the past few years address the country’s growing concerns over the amount of data collected by firms and whether that information is at risk of misuse and attack, particularly by foreign nations. On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which took effect earlier this month (September). The DSL, together with the 2017 Cybersecurity Law and the just-passed Personal Information Protection Law (PIPL), will form an increasingly comprehensive legal framework for information and data security in China.
Data Security Law Highlights
The primary purpose of the DSL is to regulate “data activities,” safeguard data security, promote data development and usage, and protect individuals and entities’ legitimate rights and interests. Additionally, the DSL focuses on safeguarding China’s state sovereignty, state security, and development interests.
The DSL provides broad extraterritorial jurisdiction. According to Article 2, the law governs data activities conducted within China as well as those outside the country that may “harm the national security or public interests of the PRC, or the legitimate rights of Chinese citizens or entities.”
Defining and Classifying Data
The DSL requires all companies in China to classify the data they handle into several categories and governs how that data is stored and transferred to other parties. The classification system will control data according to the data’s importance (i.e., “important data”) to China’s economy, national security, and public and private interests.
The DSL further introduces a separate regulatory framework for “core state data,” broadly defined as data involving national security, lifelines of the national economy, importance to people’s livelihood, and significant public interests. Core data are subject to stricter processing regulations.
Currently, the data classification system details are not specified in the DSL but are expected to be rolled out in the future.
Data Security Compliance Obligations
The DSL imposes general obligations on companies and individuals who carry out any data activities, including:
- Establishing comprehensive data security management systems, organizing data security education, and implementing necessary measures to ensure data security
- Strengthening risk monitoring, taking corrective actions when data security flaws or “loopholes” are discovered, and notifying users and authorities of security incidents
- Conducting regular risk evaluations of the data activities for “important data” processors and reporting results to relevant authorities.
The more sensitive the data a company handles, the more rigorous the data security obligations. For example, in addition to obeying strict processing restrictions for “national core” data, entities that process “important data” must:
- assign a data security officer,
- create a data security management department,
- conduct regular evaluations to monitor potential risks, and
- report results to appropriate government agencies.
Cross-Border Data Transfer Requirements
There are many details about cross-border data transfers that we won’t cover in this article. But, basically, the DSL doesn’t allow the transfer of any data from China to any foreign law enforcement agencies or judicial bodies without approval from the appropriate Chinese government authorities, creating complications for companies legally required to submit data to foreign authorities.
For example, companies established in China that offer goods or services in the European Union (EU) are subject to the EU General Data Protection Regulation (GDPR), which allows EU supervisory officials to request data when exercising their enforcement powers. However, China requires that companies receive government approval before transferring data in response to GDPR enforcement requests.
Again, the DSL currently provides no specific guidance to companies on this requirement.
Penalties For Noncompliance
Failure to comply with DSL requirements includes demands for rectification, warnings, monetary fines, forfeiture of illegal gains, revocation of business licenses, and/or orders to close down businesses. Noncompliance with the DSL that scales to a criminal or administrative offense level may also be prosecuted criminally under China’s Criminal Law or be subject to administrative penalties. In addition, the DSL allows parties to recover damages through civil litigation in court.
What’s Next? Here’s How Appsian Security Can Help
MNEs currently conducting business in and with China are likely already used to stingy information and data security controls and may have existing internal policies for information technology, data management, and privacy already in place. Even so, those companies will benefit from additional reviews of their data processing policies and activities for potential non-compliance risks.
Additionally, it’s a good time to talk with Appsian Security to learn how the Appsian Security Platform (ASP) can help you comply with China’s DSL, along with other global compliance regulations like GDPR. ASP gives you complete control and visibility over your business data using a comprehensive platform that combines data security, identity and access management, and governance, risk, and compliance (GRC).
Contact us today for a demonstration.
Sources, References, And Further Reading:
- “China’s New Data Security Law: What to Know,” by Hui Xu & Kieran Donovan, Latham & Watkins, LLP
- “China Adopts New Data Security Law,” by Colin Zick, Foley Hoag LLP
- “Cross-Border Data Transfer and Data Localization Requirements in China,” by Andrea Tang, CIPP/E, CIPM, ISO27001 LA
- “Translation: Data Security Law of the People’s Republic of China” – Stanford’s DigiChina Cyber Policy Center
- “Unpacking China’s game-changing data law,” by Shen Lu, Protocol