China’s New Data Security Law

October 30, 2021 In Blog, Data, Privacy By Shengkai Xu

On June 10, 2021, China’s top legislature, the Standing Committee of the National People’s Congress (NPC), promulgated the new Data Security Law (DSL) of the People’s Republic of China.^[1] This legislative development took place two months after the NPC released the second draft of the proposed law in April 2021.^[2] The DSL became effective on September 1, 2021.^[3]

Article 2 of the legislation states its broad scope – the law applies to all data processing activities within the mainland territory of China.^[4] Outside of the mainland territory, this new law governs any aspect of data processing detrimental to national security, the public interest, or legal rights and interests of Chinese citizens and organizations.^[5] This expands on the previous Network Security Law (NSL), which applied only to outside-China processing deemed an attack, infringement, interference or damage to Chinese information infrastructure.^[6] Data, as defined by the DSL, covers any record of information in electronic or other forms, such as hard copy written records of information.^[7] Data processing activities regulated by DSL include, though are not limited to, the collection, storage, use, processing, transmission, provision, and disclosure of data.^[8]

The DSL classifies data based on its importance to the state’s economic development, national security, public interest, and the legitimate rights and interests of individuals and entities.^[9] Following the directive of the Network Security Law to adopt data classification measures,^[10] the DSL classifies all data into three categories. The DSL uses the concept of “core national data” to implement a strengthened management system regulating core data involving national security, lifelines of the national economy, people’s livelihoods, and major public interests.^[11] Violations of the core state data management system or any activities that may endanger China’s sovereignty, security, and development interests will be subject to fines up to 10 million yuan.^[12] suspension of business, revocation of business licenses, and possible criminal liability.^[13]

The concept of “important data” was first raised in the NSL, under which network operators in China are required to categorize data and formulate backup and encryption measures for the protection of important data. ^[14] The DSL further requires, however, that business operators who process important data must appoint a responsible person and establish a specific internal department for important data protection, carry out risk assessments on a regular basis, and report the risk assessment results.^[15]

Neither the NSL nor the DSL provides details on the definition and scope of important data or the detailed protection mechanism. The DSL authorizes the national data security coordination mechanism to coordinate with the relevant departments to formulate an important data catalogue at the national level.^[16] The DSL also authorizes different provincial regions and industrial sectors to formulate their own specific important data catalogues with protection requirements.^[17] The extent of the regulatory duties owed by regional and industrial sectors, however, are yet to be spelled out.

Regarding the cross-border transfer of important data, the DSL introduces separate frameworks for the regulations of operators of critical information infrastructure (CII) and non-CII data processing operators.^[18] For CIIs, the export of important data collected and generated in China is governed by the NSL and requires passing a security assessment by pertinent regulatory authorities.^[19] Under the NSL, CII operators are required to locally store important data that is collected or generated in China.^[20] For non-CIIs, the DSL specifies that the rules regulating the export of important data collected and generated in China will be developed by the Chinese Cyberspace Administration along with the relevant departments of the State Council.^[21]

The passage of the DSL reflects China’s growing concern over the security of data amassed by private firms, the risks of data breach, and an upward trend toward more intensified regulatory scrutiny. In July, the Cyberspace Administration of China launched an investigation into Chinese ride-hailing company DiDi days after it began trading on the New York Stock Exchange.^[22] The DSL was promulgated days after the launch of the DiDi investigation. While the full extent of the legislation’s regulatory impact is yet to be assessed, careful monitoring of data security issues is more important than ever—for businesses and investors alike.

Footnotes[+]

Footnotes
1	George Qi and Qianqian Li, China Finalizes Data Security Law, Greenberg Traurig (July 26, 2021), [https://www.gtlaw.com/en/insights/2021/7/china-finalizes-data-security-law] [https://perma.cc/8FCM-YE9J].
2	Id.
3	See Cao Yin, Data Security Law Improves Governance, CHINA DAILY (June 15, 2021), https://global.chinadaily.com.cn/a/202106/15/WS60c7fa07a31024ad0bac6b34.htm [https://perma.cc/HQ9X-4UNC].
4	Shuju Anquan Fa (数据安全法) [Data Security Law] (promulgated by the STANDING COMM. NAT’L PEOPLE’S CONG., June 10, 2021, effective Sept. 1, 2021), art. 2 (China), http://www.npc.gov.cn/npc/c30834/202106/7c9af12f51334a73b56d7938f99a788a.shtml [https://perma.cc/G3HP-Q4YL]. For an unofficial English translation, see Translation: Data Security Law of the People’s Republic of China, (June 29, 2021), STANFORD DIGICHINA POLICY CENTER, https://digichina.stanford.edu/news/translation-data-security-law-peoples-republic-china [https://perma.cc/FSH5-QSBX] [hereinafter DSL].
5	Id.
6	Wangluo Anquan Fa (网络安全法) [Network Security Law] promulgated by the STANDING COMM. NAT’L PEOPLE’S CONG., November 7, 2016, effective June 1, 2017) arts. 2, 5 (China), http://www.cac.gov.cn/2016-11/07/c_1119867116.htm. For an unofficial English translation, see Rogier Creemers et al., Translation: Cybersecurity Law of the People’s Republic of China (Effective June 1, 2017), NEWAMERICA (June 29, 2018), https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/ [https://perma.cc/2489-S6B8] [hereinafter NSL].
7	See DSL, supra note 4, at art. 3, para 1.
8	Id. at art. 3, para. 2.
9	Id. at art. 21, para. 1.
10	See NSL, supra note 6, at art. 21, para. 4.
11	See DSL, supra note 4, at art. 21, para. 2.
12	Id. at art. 45, para 2.
13	Id.
14	NSL, supra note 6, at art. 21.
15	DSL, supra note 4, at art. 30.
16	Id. at art. 5.
17	Id. at art. 6.
18	See id. at art. 31.
19	NSL, supra note 6, at art. 35.
20	Id., at art. 37.
21	Id. at art. 31.
22	Zen Soo, Explainer: Why China is Investigating Tech Firms like Didi, ASSOCIATED PRESS, (July 5, 2021), [https://apnews.com/article/china-data-privacy-technology-business-2728ec59a0ac887dd5a27a0cdd397b52] [https://perma.cc/UP74-HHX7].

Shengkai Xu

Shengkai Xu is a second year J.D. candidate at Fordham University School of Law and a staff member of the Intellectual Property, Media & Entertainment Law Journal. He holds a B.A. from Minzu University of China, a M.A. from University at Buffalo, and is a Ph.D. candidate at University at Buffalo, State University of New York.

China’s New Data Security Law

China’s New Data Security Law

Share this:

Related

Shengkai Xu