China is moving to strengthen national security in the data domain. On June 10, 2021, China adopted the much-anticipated Data Security Law (the "DSL") at the 29th Meeting of the Standing Committee of the 13th National People's Congress, China's top legislature.
The DSL is broad in scope and has extraterritorial effect. It sets out the State's regulatory system for data security, requires entities to perform data security protection obligations, and further increases the penalties compared with the second draft of the DSL.
The DSL takes effect on September 1, 2021. Given the short grace period, entities to which the law applies are advised to establish the relevant compliance systems and perform the required data security protection obligations as soon as possible, so as to be prepared when the new legislation is implemented.
This alert provides a general picture of the DSL, discusses the possible impact of the law on entities operating in China, and highlights the points to which attention should be paid when conducting data compliance work under this law.
I. SCOPE OF APPLICATION
According to Article 2 of the DSL, the law applies to data processing activities, and the security regulation of such activities, carried out within the territory of China. In addition, data processing activities carried out outside the territory of China that harm the national security, public interests, or lawful rights and interests of citizens or organizations of China will be pursued for legal liability in accordance with the law.
This provision gives the law a degree of extraterritorial effect, consistent with the practice of countries around the world of extending their jurisdiction over data through legislation. In other words, entities processing data outside China may also be governed by this law.
Under the DSL, "data" is broadly defined as any record of information in electronic or other form, and "data processing" broadly covers activities such as the collection, storage, use, refinement, transmission, provision and disclosure of data.
II. ENFORCEMENT AUTHORITIES
As with the regulation of personal information protection in China, data security is supervised by multiple authorities. The DSL clarifies that the central national security leading body (namely the National Security Commission) is responsible for decision-making and coordination of data security work, while regulatory departments such as the Cyberspace Administration of China and the Ministry of Public Security, the competent authorities of industries such as finance and healthcare, and local governments are responsible for regulating data security within their respective remits.
Because the DSL does not change the existing polycentric supervision of data security, but to a large extent preserves the status quo, an entity's data processing activities may in practice be subject to regulation by several enforcement authorities, each approaching the same activities from a different perspective.
III. HIGHLIGHTS FOR DATA SECURITY COMPLIANCE
The DSL creates a series of data security systems, including data categorization and classification and data security review, and thereby establishes a basic framework for data security. At the same time, the law imposes data security protection obligations on entities carrying out data processing activities and stipulates penalties for violations to ensure compliance. Relevant companies should therefore pay attention to the following points when conducting compliance work under the law.
1. Data Categorization and Classification
Data categorization and classification is not a new concept; it has already been addressed in several regulatory documents, such as the Industrial Data Categorization and Classification Guide (Trial) issued by the Ministry of Industry and Information Technology of China in 2020. The DSL reaffirms it as a data security system.
Further, the DSL provides that data categorization and classification protection shall be implemented according to the importance of the data to the State's economic and social development, and the degree of harm to national security, public interests, or the lawful rights and interests of citizens and organizations that would result if the data were tampered with, destroyed, leaked, or illegally obtained or used.
Under the new law, a catalog of important data will be formulated at the national level, and each region and department will, on that basis, formulate specific catalogs of important data for its own region and sector. Relevant entities shall follow these catalogs when categorizing and classifying data. Until the catalogs are released, relevant companies are advised to first inventory and identify their internal data, in preparation for the categorization and classification work to follow.
2. Important Data Protection
The DSL strengthens the protection of important data, which is generally understood as data closely related to national security, economic development and the public interest, and imposes the following special requirements on processors of important data.
a) Responsible Person and Department for Data Security
The DSL requires a processor of important data to designate a person in charge of data security and to set up a data security management department to fulfill data security protection responsibilities.
The law does not further elaborate on the duties of the person in charge or the management department. It also remains to be clarified whether the person in charge of data security may concurrently serve as the person in charge of network security required by the Cybersecurity Law, or as the person in charge of personal information protection that may be required by the forthcoming Personal Information Protection Law.
b) Risk Assessment
Under the DSL, a processor of important data shall regularly conduct a risk assessment of its data processing activities and submit a risk assessment report to the competent authority. The report shall cover the categories and quantities of important data processed, how the data processing activities are conducted, and the data security risks faced together with the measures taken in response.
c) Cross-border Transfer of Important Data
The Cybersecurity Law already sets out requirements for the export of important data by critical information infrastructure operators ("CIIOs"). The DSL extends the restriction on cross-border transfer of important data to general data processors, namely non-CIIOs. Under the DSL, the national cyberspace administration will take the lead in formulating security management measures for the export of important data by non-CIIOs, a development to which relevant entities, especially multinationals, should pay close attention.
Notably, the Hainan Free Trade Port Law, which was approved on the same day as the DSL and took effect at the same time, provides for the first time at the level of law that China supports the Hainan Free Trade Port in exploring and implementing a regional international data flow system. It is expected that the policies and regulations on cross-border data transfer in China's free trade zones and ports may become more flexible in the future, which would benefit the relevant entities.
In addition, the DSL introduces the new concept of "national core data", defined as data relating to national security, the lifeline of the national economy, important aspects of people's livelihood, and major public interests. The law states that national core data shall be protected under a stricter management system. However, the DSL does not elaborate on this point, and further requirements remain to be clarified.
3. Data Security Review
Pursuant to the DSL, China will establish a data security review system to review data processing activities that affect or may affect national security. As no detailed rules have yet been issued, such a system is expected to follow a similar approach to China's existing cybersecurity review, which is conducted when CIIOs purchase network products or services that affect or may affect national security.
4. Export Control and Reciprocal Measures
Against the background of the current international situation, the DSL provides that China implements export control on data that constitutes controlled items, and may take reciprocal measures against countries and regions that adopt discriminatory prohibitions, restrictions or similar measures against China. These provisions are consistent with China's Export Control Law promulgated in 2020 and with the Anti-foreign Sanctions Law, which was approved on the same day as the DSL and took effect that day. Relevant companies should therefore pay close attention to these provisions and make corresponding compliance arrangements.
5. MLPS-based Data Security Protection Obligations
The DSL requires entities carrying out data processing activities to perform data security protection obligations on the basis of the multi-level protection scheme ("MLPS"). These obligations include establishing and improving a data security management system covering the entire data workflow, organizing and conducting data security training, and adopting technical and other necessary measures to ensure data security.
MLPS is a system established under the Cybersecurity Law that requires network operators to perform related obligations to protect network security and prevent data breaches. Relevant entities need to complete MLPS filing with the local public security organs in accordance with the applicable regulations and national standards. Once the DSL is in force, enforcement against failure to complete MLPS filing is expected to increase accordingly.
6. Risk Monitoring and Security Incident Handling
Pursuant to the DSL, entities carrying out data processing activities shall strengthen risk monitoring and immediately adopt remedial measures when data security defects or vulnerabilities are discovered. When a data security incident occurs, entities shall promptly take response measures, notify users, and report to the competent authorities.
These provisions are similar to those on cybersecurity incident response under the Cybersecurity Law and those on personal information breach response under the draft Personal Information Protection Law. Relevant entities may therefore wish to establish a single set of emergency plans covering the different kinds of security incidents they may face.
7. Request for Data by Law Enforcement Organs in and outside China
Countries around the world are strengthening their data sovereignty, and China follows this trend in the DSL. On the one hand, relevant organizations and individuals are obliged to cooperate with requests for data from public security organs and national security organs made for the purpose of safeguarding national security or investigating crimes. On the other hand, organizations and individuals in China may not provide data stored within the territory of China to foreign judicial or law enforcement agencies without the approval of the competent authority.
Accordingly, when relevant entities participate in judicial proceedings or face administrative investigations outside China, they should take care to comply with these provisions and to consider the requirements of laws and regulations such as the International Criminal Judicial Assistance Law of China.
8. Data-related Anti-unfair Competition and Anti-monopoly
Compared with the previous two drafts, the final version of the DSL adds a new provision under which entities that grab data or otherwise illegally collect data, or that carry out data processing activities that eliminate or restrict competition or harm the lawful rights and interests of individuals and organizations, shall be punished in accordance with the relevant laws and regulations.
In the Internet economy, platforms may use crawlers and other technical means to access others' data, and Internet giants holding large volumes of data may combine that data with algorithms to gain competitive advantages. The new provision mainly targets illegal data crawling and the abuse of data to restrict competition, and echoes the principles and requirements of the Anti-unfair Competition Law and the Anti-monopoly Law, in particular the Anti-monopoly Guidelines on the Platform Economy released in February 2021.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.