On 28 June 2020, a draft on the Data Security Law of China ("Draft DSL") was tabled for discussion at the National People's Congress ("NPC") Standing Committee for the first time; five days later on 3 July, the full text was released to solicit public comments. Two years have passed since it was included in the legislation plan of the NPC in September 2018 and four years since the idea of data security was brought up in the Notice on Issuing Action Plan of Promoting the Development of Big Data by the central government. The DSL is expected to be China's next step in strengthening data regulation on the horizon. Considering that President Xi Jinping has mentioned on many occasions the need for accelerating legislation construction to protect data security, the final is expected to undergo a relatively fast-track as its predecessor, the Cybersecurity Law, which took about 16 months from the first review to the promulgation. It merits close attention of the relevant legislative process.
Internationally, battles over data has become increasingly intensified and even normalized among major nations. The United States intends to strengthen its digital power by using regulatory tools such as its export control regime, the CFIUS regime (foreign investment review) and the Clarifying Lawful Overseas Use of Data Act ("CLOUD Act") to control data flow. China needs to take a stance on its own view of data security. Accordingly, certain provisions in the Draft DSL responds to how data discovery during cross-border law enforcement provided by the CLOUD Act should be handled, and also clarified the interplay between data security and export control. There is even a very broad provision that allows countermeasures to be taken in response to any discriminatory measure in investment or trade that is adopted by any foreign country or region.
Domestically, although the National Security Law of China and the Cybersecurity Law of China has provided some protection of data in principles, they are far from sufficient. The establishment of a comprehensive and fundamental regulation in data security has never been more imperative. The Draft DSL attempts to take on such mission. While security being the main theme of the legislation, it also places a significant gravity on the development of data. It reemphasizes to promote data as a fundamental production factor, as proposed by the State Council in April this year. A standalone chapter focuses on the protection of data related rights and interests, the development of data governance and mining, and the promotion of data-oriented digital economy. It also includes a provision on encouraging and developing data trading markets while establishing trading norms.
The current draft comes with a total of 51 articles in 7 chapters. Key features of the draft and the potential impacts are summarised below.
- Applicable Scope and Extraterritorial Jurisdiction
The Draft DSL provides a broad applicable scope in combination with its definition clauses. In Article 2, it states that the law applies to any data activity within the territory of China. This article is followed by the definition of "data", which refers to any record of information in electronic or non-electronic form; and the definition of "data activity", which refers to activities such as collection, storage, processing, use, provision, trading, and disclosure of data. Therefore, it is much broader than the Cybersecurity Law or its implementing rules, which usually focus on personal data or important data, and the definitions here have the all-inclusive feature.
Second paragraph of Article 2 additionally provides extraterritorial jurisdiction. It clearly stipulates that it applies to data activities carried out by any foreign organisations or persons, wherever they occur, provided such activities bring damages to national security or public interests or the rights and interests of citizens or organisations of China.
- Multi-level Enforcement Structure
The Draft DSL, similar to the Cybersecurity Law, has entrusted several authorities to carry out relevant duties with an overall coordinator at the central level. It does not seem to change the existing complexity of data governance in China. According to Article 6 of the Draft DSL, the central national security institution will be the principal data security regulator in China, responsible for the overall planning and coordination of data security work and relevant supervision and administration. It is consistent with the primary authority under the National Security Law.
Meanwhile, sectoral and regional regulators will assume data security administration in their respective industries and regions:
- Each regional government or government department will respectively take responsibility for the security of data generated, aggregated, or processed in carrying out its work;
- Sectoral regulators in the field of industry, telecommunications, natural resources, health, education, national defense technology, finance will supervise data security of their own sector;
- Public security organs and national security organs will undertake data security duties in accordance with other relevant laws and regulations; and
- National network information department – the primary authority under the Cybersecurity Law – will coordinate and supervise Internet data security.
- Data Classification and Protection of Important Data
The Draft DSL stays in line with the Cybersecurity Law and other sector guidelines and reiterates the classification and gradation management of data. For example, the so-called "Classified Protection 2.0" – the new cybersecurity classified protection requirements launched according to the Cybersecurity Law include requirements on data classification, and there have been sector-specific rules on classified protection of data, for example, in finance and industrial areas. The Draft DSL further clarifies that the standard for such classification is based on "the importance of data in economic and social development, and the degree of harm to national security, public interest, or the legitimate rights and interests of citizens and organizations if the data is tampered with, destroyed, leaked, illegally acquired, or illegally used."
On top of data classification, processors of important data shall bear additional responsibilities. The Draft DSL specifies that a processor of important data shall appoint a person in charge of data security and establish a governance structure. In addition, a processor of important data shall conduct regular risk assessment and file with competent authorities. However, instead of defining what is important data, the Draft DSL authorizes regional government and sectoral regulators to promulgate catalogues of important data within their own responsibility.
- New Regime: Data Security Review Procedure
The Draft DSL sets up a new regime – namely the "data security review", which could be one of the review systems under the National Security Law. It states that for data activities that influence or may influence national security, a national security review will be conducted and the decision will be final without judicial oversight. Though not specified what the "data security review" will encompass, it may closely relate to the cybersecurity review (a security review required of operators of critical information infrastructure if the procurement of "network products and services" implicates China's national security), or the security review of cross-border transfer of personal data and important data; both review systems having their basis in the Cybersecurity Law. But the details of the data security review will have to await further regulations to be landed.
- Data Trading and Data Exchange
A breakthrough in the Draft DSL is that as a statute, for the very first time, it declares to establish and improve data trading systems and data trading markets, while it will also regulate data trading behaviours. Data trading is formally recognized in the definition as one of legitimate "data activities." Though China has had specific data markets in name of certain places, such as Guiyang, Shanghai, etc., it is unprecedented that selling and buying data is removed from the shady area, legalized and even explicitly encouraged by the government. However, the Draft DSL does not define ownership of data. It is expected to be shaped when developing data trading norms in reality.
As intermediaries that facilitate data transactions, "data brokers" are also provided in the Draft DSL and afforded certain duties. A data broker shall require data seller to explain data sources, verify the identifications of the trading parties, and retain audit and transaction records. Otherwise administrative sanctions may be imposed.
- Data Sovereignty and Control on Data Export
Cross-border data flow is a must-have topic for the DSL to address, and great importance is attached to data access in cross-border law enforcement proceedings. In response to the US's CLOUD Act, China passed the International Criminal Judicial Assistance Law in October 2018, which prohibits individuals and organisations from providing any evidentiary material or assistance to foreign enforcement authorities without obtaining the prior approval from competent Chinese authorities. The Draft DSL reaffirms such position in Article 33, but leaves an opening that if an inter-government treaty provides otherwise such assistance may be provided.
On the other hand, China itself may have to collect evidence of data stored overseas. It is worth noting that the Draft DSL also imposes stringent requirements on domestic enforcers and public authorities for accessing data based on their duties under Article 32. It says such enforcement activities shall also be subject to authorities' approval in accordance with the law.
In addition, the Draft DSL emphasises the implementation of export control over data that might be considered as controlled items. It echoes the anticipated Export Control Law of China, which is also under the deliberation of the NPC so far. Thus, it remains to be seen what kind of data would be covered under China's new export control regime.
At last, as the flip side of reciprocity principle, Article 24 empowers Chinese government to promulgate countermeasures in case any foreign country or region adopts discriminatory measures against China in terms of investment or trade related to data or date-related technologies. This clause may grant authorities very broad powers at times of international political frictions.
- Open Access to Government Data: New Opportunities for Companies?
The large amount of data held by governments are, without doubt, valuable assets that can be processed and utilised. Chapter V of the Draft DSL encourages governments at all levels to share information with the public unless it is preserved by law. Unified, interoperable and safe platforms will be established to promote the development of such data. Before this, some regional government has implemented local rules to push for government data opening. The Draft DSL confirms the trend from a higher level.
- Companies' Obligations of Data Security and Potential Legal Exposure
Any person or organisation is required to follow relevant laws, regulations, and national standards when carrying out data activities. These duties not only include those indicated in Chapter IV, e.g. setting up data security management system, conducting training, taking safeguard measures (Article 25), but also may refer to other laws or rules, e.g. how data should be collected lawfully (Article 29). And processors of important data will undertake additional responsibilities as mentioned above. The legal consequences of failure to fulfil these safeguard duties are:
- fines of up to CNY 100,000 (approximately USD 14,245) for entities, and CNY 50,000 (approximately USD 7,123)for the person in charge; or
- where refusing to make corrections or causing serious data leakage, fines of up to CNY 1 million (approximately USD 142,452) for entities and CNY 100,000 (approximately USD 14,245) for the person in charge.
In addition, the Draft DSL introduces two new roles: "data broker" under Article 30 and "online data processor" under Article 31, and their corresponding duties. The role of a data broker is described as in part (5) above. An online data processor shall obtain relevant licences or register in accordance with the law. Otherwise, either of them can face fines of up to ten times of illegal gains or CNY 1 million, and CNY 100,000 for the person in charge. They may even be revoked business licenses or banned from relevant business.
- Look Forward: What is Next?
Although the Draft DSL mainly codifies macrosystems and general principles, and restates more current regulations, it delineates the basic regulatory framework of data security. It echoes the existing Cybersecurity Law and the National Security Law from an emphasized security point of view. More ambitiously, it will bridge with the Personal Information Protection Law and the Export Control Law that are not introduced yet, and establish data security across different fields of law. The interplay will bring intricate compliance duties for companies. But at the same time, it also acknowledges and encourages data markets and access to government data, showing that digital economy development based on data will be as important an axis of the DSL as security.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.