On June 10, 2021, after being submitted to the twenty-ninth meeting of the Standing Committee of the Thirteenth National People’s Congress (“NPC”) for consideration, the text of the Data Security Law was officially released. The Data Security Law will come into effect on September 1, 2021.
In the “Legislation Plan of the Standing Committee of the Thirteenth NPC” released in September 2018, the Data Security Law was included in the legislation plan for the first time as “a draft law to be submitted for deliberation during the tenure under relatively mature conditions”. After two years of preparation, the text of the first draft Law was released following the first deliberation of the Standing Committee of the NPC in July 2020; the second draft of the Data Security Law was submitted for the second deliberation on April 26, 2021; and the Law has now been officially released.
After its promulgation, the Data Security Law will become an important part of the national security legal system represented by the State Security Law, and will, together with the Cybersecurity Law and the Personal Information Protection Law that passed the second deliberation, become a more complete basic legal system in the information field.
The key content of the Data Security Law is as follows.
I. Scope of Application
The Data Security Law is applicable to data processing and regulatory activities carried out within the People’s Republic of China. In terms of its extraterritorial application, the Data Security Law further provides that any organization or individual outside the territory of the People’s Republic of China will be held accountable by law if such an organization or individual harms the State security, public interest or legitimate rights and interests of citizens and organizations of the People’s Republic of China in carrying out data processing activities. (Article 2)
The Data Security Law further provides that “data” means any record of information in electronic or other forms; while “data processing” means acts such as data collection, storage, processing, use, provision, transaction, and disclosure. (Article 3)
According to the above definitions, “data” covers a wide range of information records generated across all aspects of production, operation and management as government affairs and enterprises gradually transform to digitalization. The supplementary provisions of the Data Security Law further provide that data processing involving State secrets shall be governed by the Law of the People’s Republic of China on Safeguarding State Secrets and the related laws and regulations; therefore, the Data Security Law does not apply to data processing involving State secrets. The Data Security Law is applicable to data processing activities in statistics and archival work, and also to data processing activities involving personal information; these activities should also comply with the requirements of the relevant laws and regulations in those fields. How the requirements of the Data Security Law will be applied to business enterprises in practice is subject to further observation. For example, the Data Security Law provides obligations on the protection of data based on hierarchical classification, but only formulates specific obligations (as set out in Part VI of this Article) for Important Data. Whether data other than Important Data will be regulated in the same way, and the focus and rules of any such regulation, still need to be clarified later.
The Data Security Law provides that data security means the ability to ensure the effective protection and lawful use of data, and to keep data in a continuously secure state, by taking the necessary measures. (Article 3) As seen from the contents of the Data Security Law as a whole, data security as used therein covers both the macro level of national security and the micro level of the implementation of data security measures by organizations and individuals.
II. Linkage between the Data Security Law and the Legal System of Security and Cyber Affairs
Data security is an important component of national security and cybersecurity.
The National Security Law provides in principle that the State will construct network and information security protection systems, improve its ability to safeguard network and information security, and step up the innovative research, development and application of network and information technologies, so as to achieve security and controllability of … and data. (Article 25)
The Cybersecurity Law also requires enterprises to perform their obligations of hierarchical cybersecurity protection, and to take such measures as data classification, backup and encryption of important data (Article 21). Further observation is required on the coordination and connection between the Data Security Law and the provisions of the aforesaid laws and the relevant supporting regulations (and drafts for comment), for example:
The linkage between the relevant obligations on the protection of Important Data as provided in the Data Security Law and those as defined and provided in the Cybersecurity Law and the Data Security Administrative Measures (Draft for Comments);
The linkage among data export control systems as provided in the Data Security Law and the export control requirements provided in the Export Control Law that was issued in 2020, and the relevant requirements for data export as provided in the Cybersecurity Law, Data Security Administrative Measures (Draft for Comments) and the Personal Information Protection Law (Second Draft for Review);
The linkage between the data security review system as provided in the Data Security Law and the foreign investment security review system as provided in the Foreign Investment Law and the Measures for Cyber Security Review.
III. Principle of Regarding Data Security and Development as Equally Important
In the general provisions, the Data Security Law firstly specifies that the State protects the data-related rights and interests of individuals and organizations, encourages reasonable and effective utilization of data, and secures the orderly and free flow of data in accordance with the law, so as to promote the development of the digital economy with data as the key element. (Article 7)
Next, in the second chapter, the Data Security Law expressly provides its support for data security and development. The relevant support measures include the implementation of a Big Data strategy, the promotion of data infrastructure construction, and the design of digital economy development plans (Article 14); supporting the development and utilization of data to raise the level of intelligence in public services (Article 15); strengthening basic research on data development and utilization technology (Article 16); promoting the cultivation of digital talent (Article 20); and other general strategies and guidelines for the encouragement and support of digital economy development and data development and utilization. It also requires formulating relevant standards for data development and utilization technologies and data security (Article 17), promoting data security tests, evaluations and certifications (Article 18), and establishing and improving data transaction management systems (Article 19).
To sum up, in terms of its system design, the Data Security Law is intended to encourage and establish various data-related policy support measures to promote and coordinate the balanced and orderly development of the digital economy and data security, taking into consideration data management and its requirements.
IV. Data Security Law Enforcement Bodies and their Work Duties
Articles 5 and 6 of the Data Security Law specify the regulation of data security and the work duties of the different law enforcement bodies. The Data Security Law provides that the central State security leading institution is responsible for the overall decision-making and coordination of national data security, formulates and guides the implementation of national data security strategies and major policies, coordinates the major issues and important work of national data security, and establishes the Coordination Mechanism of National Data Security Work. The Coordination Mechanism of National Data Security Work is established for the first time by the Data Security Law; it is responsible for coordinating the relevant departments to formulate Important Data catalogues (Article 21) and to strengthen the acquisition, analysis, research and judgment, and early warning of data security risk information. In addition, according to Article 6:
The various regions and departments shall be responsible for the data collected and generated in their own work and for the security of such data;
The competent industrial departments such as industry, telecommunications, transportation, finance, natural resources, health, education, science and technology industries shall be responsible for the data security supervision of their own industries and fields;
The public security bodies and national security bodies shall be responsible for the data security supervision within their respective scope of duties; and
The cyberspace administrations of the State are responsible for the overall planning and coordination of cyberspace data security and the relevant regulatory work.
V. The Basic System of Data Security
As the basic law in the field of data security, the Data Security Law has established a series of fundamental systems in the field of data security in Chapter 3 and formulated the basic framework of data security systems in China, laying a solid foundation for the development and perfection of the data security system in the future. These new fundamental systems include:
Data Protection Based on Hierarchical Classification, Important Data Protection Systems and National Core Data Protection Systems
The Data Security Law provides that the State shall protect data based on hierarchical classification according to the importance of the data in economic and social development and the extent of damage that would be caused to national security, the public interest or the legitimate rights and interests of individuals and organizations were the data to be tampered with, destroyed, disclosed or illegally obtained or used. The Coordination Mechanism of National Data Security Work shall coordinate the relevant departments to formulate the Important Data catalogue. Data related to national security, the lifeline of the national economy, important aspects of people's livelihoods and major public interests belongs to the National Core Data and should be protected under stricter regulation.
All districts and departments shall, according to the system of data protection based on hierarchical classification, determine Important Data protection catalogue for its own district, department and relevant industry, and give priority to the protection of the data listed in the catalogue. (Article 21)
The Data Security Law imposes special requirements on the processing of Important Data: (1) a processor of Important Data shall designate a person in charge of data security and a data security management body (Article 27); and (2) a processor of Important Data shall conduct risk assessments of its data processing activities on a regular basis and submit the risk assessment reports to the relevant administrative department. An assessment report shall include the categories and quantity of Important Data processed, the details of the data processing activities, the data security risks faced and the countermeasures taken. (Article 30)
The regulation of Important Data was initiated by the Cybersecurity Law in 2016, which mainly states the requirements of data localization and security assessment for the cross-border transmission of Important Data collected by operators of critical information infrastructure (“CIIO”). Relevant drafts for comment were issued later to enumerate and define the categories of Important Data, for example the Information Security Technology-Guidelines for Security Assessment on Cross-border Transmission of Data (Draft for Comments) and the Data Security Administrative Measures (Draft for Comments), and to state the requirements for the processing of Important Data, for example the Data Security Administrative Measures (Draft for Comments).
The Data Security Law will establish the rules for the processing of Important Data, which reflects the continuous deepening of Important Data management systems. However, the Data Security Law still does not provide a clear definition of Important Data, and leaves it to the districts, departments and industries to issue the relevant lists, which reflects the complexity of classifying and defining data in practice.
Article 31 of the Data Security Law clearly states that the provisions of the Cybersecurity Law shall apply to the cross-border transfer of Important Data collected and generated by CIIO in the territory of the People's Republic of China; measures for security assessments of the cross-border transmission of Important Data collected and generated by other data processors in their operations within the territory of the People’s Republic of China shall be formulated by the cyberspace administrations of the State in conjunction with the relevant departments of the State Council. Therefore, under the Data Security Law, the export of Important Data by CIIO will still be governed by Article 37 of the Cybersecurity Law, i.e., in principle Important Data shall be stored locally and data export shall be subject to security assessment; for other data processors, the export of Important Data will be subject to specific Important Data export administrative measures. At present, such measures have not been released. Therefore, the export of Important Data by data processors (other than CIIO) is still subject to further clarification.
The concept of National Core Data was proposed for the first time in the Data Security Law. At present, the Data Security Law has not specified more stringent management systems. But Article 45 has stipulated penalties for violations of the National Core Data management system (the maximum fine can be up to RMB 10 million). We understand that the scope of the National Core Data and related management system will be further established in the future.
Data Security Risk Management and Control System
The Data Security Law requires the State to establish a unified, efficient and authoritative mechanism for data security risk assessment, reporting, information sharing, and monitoring and early warning. The Coordination Mechanism of National Data Security Work coordinates the relevant departments to strengthen acquisition, analysis, research and judgment, and early warning work of data security risk information (Article 22). The details of such a system and the obligations of relevant governmental departments and enterprises will be provided in the relevant supporting regulations to be promulgated in the future.
Data Security Emergency Response Mechanism
The State will establish a data security emergency response mechanism. In case of a data security incident, the relevant administrative department shall, according to the law, launch the emergency plan and take corresponding emergency measures to eliminate the hidden security hazards, prevent the expansion of damage, and timely issue to the community any warning information in relation to the public (Article 23). The linkage between the foregoing provision and the existing regulations such as the Emergency Response Law needs further observation.
The State will establish a data security censorship system to conduct national security reviews on data processing that affects or may affect national security. The security review decision made according to law shall be final. (Article 24)
The Data Security Law does not state the details of the data security censorship system. Further, the relationship between such a system and the foreign investment security review system as set out in the existing Foreign Investment Law, as well as the relationship between the security review systems applicable to CIIO as set out in the Cybersecurity Review Measures, needs further observation.
Data Export Control System
The State shall enforce an export control system, in accordance with the law, over data that falls within controlled items and relates to the performance of international obligations and the safeguarding of national security. The Export Control Law issued on October 17, 2020 states the requirements for the export control of goods, technologies, services and other items, and defines export control.
Besides, the Cybersecurity Law, the Data Security Administrative Measures (Draft for Comments) and the Personal Information Protection Law (Second Draft for Review) respectively state the requirements for security assessments of the cross-border transmission of Important Data and personal information by CIIO and network operators, but the relevant detailed rules have not yet been clarified. The measures for security assessment of the cross-border transmission of Important Data collected and generated by other data processors, provided for in Article 31 of the Data Security Law, have not yet been released. The coordination and linkage between the data export control system and the security assessment system for the cross-border transmission of data awaits further elaboration in future legislation.
Countervailing Mechanisms for Discriminatory Measures
Reciprocal countervailing measures may be taken, in light of the actual circumstances, against any party that adopts prohibitions, restrictions or similar discriminatory measures against the State in investment or trade relating to data and data development and utilization technology. (Article 26)
VI. Obligation of Data Security Protection
Chapter 4 of the Data Security Law states the obligations that entities and individuals shall fulfill under the national data security protection system. These basic obligations include:
to establish and improve a whole-process data security management system, provide data security education and training, and take technical and other necessary measures to ensure data security; those using the Internet or other information networks to carry out data processing activities shall fulfill the data security obligations on the basis of the cybersecurity classified protection system (Article 27);
to strengthen risk monitoring and take remedial measures immediately when risks such as data security defects and vulnerabilities are found, and to take timely measures and report to users and the competent administrative department after the occurrence of any data security incident (Article 29);
to obtain data in a legal and proper manner (Article 32);
to cooperate with the public security and national security authority in retrieving data for the purpose of safeguarding national security or investigating crimes (Article 35);
The competent authorities of China shall handle requests for data from foreign judicial or law enforcement bodies in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by China, or in accordance with the principle of equality and reciprocity. Without the approval of the competent authorities of China, organizations and individuals within the territory of China shall not provide data stored within the territory of China to foreign judicial or law enforcement agencies that request it. (Article 36)
In addition to the foregoing basic obligations, the Data Security Law imposes special data security obligations on agencies engaged in data intermediary services, i.e. agencies engaged in the intermediary service of data trading shall require the data provider to explain the sources of the data, authenticate the identity of the trading parties, and preserve audit and transaction records. Suppliers engaged in the data business and intermediary platforms for data transactions should pay full attention to these requirements (Article 33).
VII. Openness and Security Requirements for Government Data
In the context of the steady promotion of the electronic government, it is urgent to protect the security of government data. On the one hand, the continuous improvement of the transparency and openness of government data is required to improve the level of social governance; on the other hand, government data is related to national security due to its particularity, the abuse or illegal disclosure of which will endanger the State and society. Thus, Chapter 5 of the Data Security Law clearly states the requirements on government data security and openness, including, among others, national authorities shall engage in data processing within the statutory scope of duties, establish and improve the data security management system, promptly and accurately disclose government data, and establish a safe and controllable open platform of government data.
It should be particularly noted that Article 38 requires national authorities to keep confidential the personal privacy, personal information, trade secrets, confidential business information and other data that come to their knowledge in the performance of their duties, and not to disclose them or illegally provide them to others. Article 40 provides that national authorities entrusting others to build and maintain e-government systems or to store and process government affairs data shall follow strict approval procedures and supervise the entrusted party in fulfilling its data security protection obligations. The entrusted party shall perform its data security protection obligations in accordance with the requirements of the laws and the contract, and shall not retain, use, disclose or provide government data to others without authorization. Therefore, any third-party supplier that cooperates with the government or provides services to the government should pay special attention to these requirements. The detailed approval procedures are subject to further observation; in addition, the use of government data by suppliers for other business purposes is clearly prohibited by the Data Security Law.
VIII. Legal Liability for Violation of Data Security Protection Obligations
Chapter 6 of the Data Security Law sets forth the legal liability for any violation of data security protection obligations. Article 44 provides that, where a major security risk is found in data processing activities, the competent authority may conduct an interview with the relevant entity or individual and require corrective action and the elimination of hidden risks. This chapter also specifies the legal liability to be borne respectively by entities or individuals carrying out data processing activities, data trading agents, and government authorities or officers with data security regulatory responsibilities, for the violation of their relevant obligations under the Data Security Law. It also expressly provides that criminal liability will be imposed on any person who has committed a criminal offence according to the law.
The Data Security Law provides for the liabilities of entities and individuals in violation of the data security protection obligations. For entities, the maximum fine is RMB 2 million, and other penalties that may be imposed include the suspension of the relevant business, the suspension of business for rectification, and the revocation of the permit or business license. For individuals, the maximum fine is RMB 200,000 for the directly responsible person in charge and other directly responsible personnel. It is worth noting that activities in violation of the requirements of the National Core Data management system, activities endangering national sovereignty, security and development interests, and the illegal provision of Important Data may attract more severe liabilities. (Articles 45 and 46)
The Data Security Law also separately provides for the legal liabilities for failing to cooperate with the public security and national security authorities in providing data, providing data to foreign judicial and law enforcement agencies without approval, offences by agencies engaged in data intermediary services, and other related illegal acts.
As the first law specific to data security in China, the Data Security Law provides a legal basis and framework to set forth basic directions and guidelines for data security protection in China.
The Data Security Law covers a wide range of fields of great complexity, and significant challenges will arise. Many issues can be foreseen in future practice, including how the Law will connect with the existing Cybersecurity Law, the Personal Information Protection Law still being drafted, and other laws and subordinate rules; how specific data security regulations will be drafted and implemented; and how the stable and orderly development of the digital economy can be achieved while protecting data security.
Data-related activities are essential in operating a company, developing a city and running government affairs, especially considering that big data, AI, cloud computing, blockchain and other high technologies are growing so fast in the rising digital economy. The Cybersecurity Law that came into effect in 2017 provided a brand-new compliance framework for the data-related activities of a company, but with a focus only on personal information and Important Data. So far, no data security legislation covering all data has been made, and the framework for the legislation and enforcement of laws governing Important Data is still being studied and built.
Undoubtedly, the Data Security Law provides a legal basis and reference for the legal and safe use and processing of data in running enterprises and public institutions as well as government affairs, to ensure their internal and external data-security related compliance and perform their data security related obligations.
Players in various fields, especially in finance, telecommunications, transportation, natural resources and other key fields that may involve Important Data, need to pay attention to the rules and regulations governing data classification and Important Data protection, and improve their risk prevention systems and emergency response mechanisms relevant to data security. Transaction platforms need to improve their systems for reviewing data sources and transaction parties. Data processing service providers for enterprises and public institutions will also be directly affected by the Data Security Law in terms of their future business models and obligations. It is advisable for enterprises to assess whether there is any compliance gap in their current practice under the Data Security Law and to take the relevant remedial measures.