The Most Important Things You Need to Know About Data Security in China

The PRC Data Security Law (“DSL”) was issued by the Standing Committee of the National People’s Congress of the PRC on 10 June 2021, and will come into effect on 1 September 2021.
The DSL and the Personal Data Protection Law (which is likely to be released soon) are the two most highly anticipated laws in the legal regime of data privacy and information security. Compared to the PRC Cyber Security Law (“CSL”), which was the first comprehensive piece of legislation governing cyber security and data privacy in China, the DSL can be regarded as the first overarching law governing data security in China.
The DSL contains 7 chapters and 55 articles in total. The key provisions mainly relate to data security systems from the national and the local governments’ perspective, data security obligations from data operators’ perspective, and penalties for violations.
This article summarises the crux of the DSL and its implications in light of recently enacted legislation (including legislation still in draft form) in the legal regime of data protection and information security.
The Fundamental Significance of the DSL
Apart from protecting the legitimate rights and interests of individuals and organizations, another theme that appears to have been of the utmost importance when enacting the DSL is national sovereignty and security.
The fundamental and strategic significance of the DSL in the legal regime of data security in China can be seen in its broad scope of regulated data and activities, as well as in the very high-level authority placed in charge of national data security under the DSL.
The central national security leading organ, i.e., the National Security Commission of the Communist Party of China (“CPC”), will be in charge of decision-making, formulation of national data security strategy, coordination, and supervision of national data security work in China.
Local governments, at all levels, will be responsible for data security in the performance of their respective duties.
Industry regulators will be responsible for the supervision and management of data security within their respective industries. Public security and national security authorities will be responsible for the supervision of data security, while the Cyberspace Administration of China (“CAC”) will have overarching responsibility for network security, each within its respectively allocated remit.
Under the DSL, data is defined to include any information recorded in electronic or any other form.
The two types of data regulated under the CSL are network data (i.e. in electronic form only) and personal information (in electronic or other form). Thus, the regulated data under the DSL essentially covers the data regulated under the CSL.
Although the DSL provides that the CAC (i.e., the Cyberspace Administration of China) will be in charge of network data security in accordance with the DSL and other legislation, further clarification is still needed as to how the DSL will be implemented in conjunction with the CSL and data privacy legislation with respect to data security for network data and personal data, in particular where discrepancies exist.
Note that the DSL does not govern data pertaining to state secrets and the military.
Regulated Activities & Extraterritorial Application
The DSL regulates data security throughout the entire life cycle of data activities, including collection, storage, use, processing, transfer, provision, disclosure of data, etc.
In addition to regulating data activities from the data security perspective, the DSL expressly emphasizes that data is a key element for the development of the digital economy, and that it encourages the cultivation of data markets and data transactions. To that end, it specifically provides requirements regulating data transactions, intermediary services, and online data processing services.
In addition to governing data activities conducted within the PRC, Article 2 provides that the DSL will have an extraterritorial effect on any overseas activities that cause damage to the national security, public interest, or the legitimate rights and interests of citizens or organizations of the PRC. The DSL seems to have a broader extraterritorial reach than the CSL, whose extraterritorial effect will apply only when overseas activities have caused severe damage or consequences to the “critical information infrastructure” of China.
Under the DSL, data shall be classified on the basis of (i) the importance of the data to economic and social development, and (ii) the potential harm to national security, public interest, or the legitimate rights and interests of individuals or organizations if and when such data is compromised, tampered with, destroyed, leaked, or illegally obtained or used.
This “tiered” protection system is not a new concept in the legal regime of information security. In fact, it can be traced back to the Administrative Measures for the Multi-level Protection of Information Security promulgated in 2007. Since then, numerous regulations and national standards regulating the “multiple-level protection scheme” in the field of information security have been enacted.
After the implementation of the CSL, this tiered protection system was expanded from information system security to network security, and it is now commonly known as the “multiple-level protection scheme”. The Regulations on the Cybersecurity Multi-Level Protection Scheme (currently in draft), when passed into law, will hopefully provide detailed guidance on the classification of data and the implementation of the “multiple-level protection scheme”.
We note that some industry regulators have already released standards or regulations to implement a “multiple-level protection scheme” in their respective industry sectors. For example, the China Securities Regulatory Commission issued a recommended standard titled “Guidelines for Data Classification and Grading for the Securities and Futures Industry” in 2018; the People's Bank of China issued a standard titled “Financial Data Security - Guidelines for Data Security Classification” in 2020; and in the same year, the Ministry of Industry and Information Technology issued the “Guidelines for Classification and Grading of Industrial Data (for Trial Implementation)”. Undoubtedly, we can anticipate that more and more industry-specific regulations and standards will be issued in the foreseeable future.
Instead of providing detailed guidance on how to classify data and implement the “multiple-level protection scheme”, the DSL requires each local authority and industry regulator to form a catalogue of “important data” for its own region or industry, based on the “multiple-level protection scheme” implemented in that region or industry sector.
“Important data” is not properly defined in the DSL. We note that the term “important data” (without being properly defined) originates from the CSL, mainly in the context of the operation of “critical information infrastructure”. However, pursuant to the Measures for Security Assessment of Transmitting Personal Information and Important Data Overseas (Draft for Consultation), “important data” is no longer restricted to the operation of “critical information infrastructure” and could be generated by any network operation. This position seems to be reaffirmed by the Measures for Data Security Management (Draft for Consultation) (“MDSM”). Pursuant to the draft MDSM, “important data” refers to any data the disclosure of which may directly affect national security, economic security, social stability, or public health and safety, such as undisclosed government information, large-scale population data, genetic health data, geographic data, mineral resources data, etc. The draft MDSM also provides that “important data” generally excludes personal data, as well as information pertaining to the production, operation and internal management of an enterprise. Since the MDSM constitutes implementing rules for the DSL, if it is passed in its current form it will clarify the definition and scope of “important data” under the DSL.
As indicated earlier, what constitutes “important data” for each industry will eventually depend on the “multiple-level protection scheme” implemented in that industry. For example, in the financial institution sector, the People's Bank of China has issued a recommended standard titled “Personal Financial Information Protection Technical Specification”, under which “personal financial information” is classified into three grades (C3, C2, C1), in order of decreasing sensitivity, evaluated on the basis of the potential harm or damage that may result from any unauthorized access or modification. Although the term “important data” is not expressly used in that standard, it is arguable that data classified as C3 will most likely be deemed “important data” in this field.
Please note that special obligations governing “important data” are imposed by the DSL. For example, Article 27 provides that any operator handling “important data” must designate a person and a management organ to be in charge of data security work and to ensure its implementation. Also, Article 30 requires that any operator handling “important data” shall conduct regular risk assessments of its data activities and submit a risk assessment report to the relevant competent authority. The risk assessment report must include the following: the categories and quantities of “important data” handled by the operator, how such data is handled, the data security risks confronted, and the countermeasures (proposed and taken).
Data Security Assessment
Article 24 provides that China will establish a system for “data security review”, and conduct national security reviews of data activities that may affect national security. It is worth noting that the security review decision will be final, meaning that no judicial review or appeal is available.
Unfortunately, the DSL does not provide clear guidance on the criteria for evaluating and determining what activities may be deemed as “influencing or likely to influence national security”. Also, the competent authorities in charge of the review, the specific procedures, and the documentation requirements require further clarification and guidance.
It is also noteworthy that the Measures for Cybersecurity Review (“MCR”), which came into effect on 1 June 2020, apply national security review only to network products and services procured by “critical information infrastructure operators” (“CII Operators”) under the CSL. Thus, the national security review provided under the DSL is much broader than that under the CSL and MCR. In other words, the data security review under the DSL covers any and all data activities that may impact national security, and will apply to all entities engaged in data activities in China.
However, neither the DSL nor the draft version of the MDSM provides detailed guidance on the procedure for national security review. There is a possibility that the final version of the MDSM may provide clarification in this regard.
Cross-Border Data Transfer
Article 31 provides that transmission of “important data” collected or generated in the course of operation by CII Operators shall comply with the requirements of the CSL, while non-CII operators will be subject to separate rules to be promulgated by CAC (i.e. Cyberspace Administration of China) and the State Council.
As indicated earlier, a few draft regulations such as the MDSM have already extended the regulation of “important data” from CII Operators to all data operators. This DSL provision simply reiterates that position, indicating the government’s intention to tighten control over the export of any “important data” for the purposes of protecting national security and the public interest.
In light of the foregoing, it is highly likely that any overseas transfer of “important data” may eventually be subject to a national security review, depending on the rules to be enacted by CAC and the State Council.
More importantly, Article 36 explicitly prohibits any transmission of data stored in the PRC to any foreign judicial or law enforcement institution without prior approval from a competent authority of the PRC. The Chinese authority will grant permission based on the international treaties or conventions to which China is a signatory, or under the reciprocity principle for data sharing. Further, Article 26 reiterates the reciprocity principle for data sharing, stating that if any country or region adopts discriminatory prohibitions, limitations, or other similar measures against China pertaining to any investment in or trading of data and data-related technologies, then China may, depending on the specific circumstances, adopt equivalent measures against that country or region.
In the absence of any specific carve-out allowing a different approach in Hong Kong and Macau, it seems that not only would data stored in Mainland China be restricted from transfer to overseas law enforcement institutions without prior approval, but data stored in Hong Kong or Macau will also be subject to this restriction.
Also, it remains uncertain how these restrictions will be interpreted and implemented in practice. For example, if the data already exists on servers outside of China, because it has been transmitted to overseas offices or employees outside of China (in the normal course of business or for other legitimate purposes), would that still be caught by Article 36 and still require prior approval from a competent authority of the PRC? The above also raises the question of whether Article 36 will be interpreted to prohibit overseas authorities from directly conducting investigations and collecting evidence and data in China.
All these restrictions, or requirements, will certainly lead to an increase in the negotiation costs for any cross-border transactions or activities involving data, in particular “important data”. Also, it may create additional challenges for a multinational company doing business in China, when confronted with a government request or judicial order to produce data or documents stored in China.
In the absence of further clarification, it is advisable to carefully review contracts that may potentially involve cross-border transfer of data, and to carefully consider and evaluate the different factors at play when dealing with a request from an overseas judicial or enforcement agency to produce data stored in China.
Harsh Penalties for Non-Compliant Acts
To strengthen control over data security in China, the DSL imposes severe penalties on entities, as well as on persons directly responsible for violations of the DSL. Under the DSL, “persons directly responsible for violations” refers to “the person in charge directly responsible for the breach” and “other persons directly responsible for the breach”.
The monetary fines applicable to an enterprise for a violation of the DSL range from RMB 50,000 (approximately USD 7,800) to RMB 10 million (approximately USD 1.6 million), while the monetary fines on persons directly responsible for the breach range from RMB 10,000 (approximately USD 1,600) to RMB 1 million (approximately USD 160,000).
Moreover, for a severe breach, an enterprise may be subject to, in addition to the monetary fines, suspension of its business, revocation of its business license or permits, or even criminal prosecution.
Although it remains to be seen how the DSL will be implemented and enforced in practice (in particular in the absence of detailed clarification or guidance on certain key provisions), we believe that the passage of the DSL will almost certainly prompt local governments and business operators to increase their investment in data security work.