On June 10, 2021, China officially passed China’s first Data Security Law, which will take effect on September 1, 2021. Following the introduction of the Data Security Law, together with the Cybersecurity Law, which has been implemented since June 1, 2017, and the Personal Information Protection Law, which is undergoing public comment for its second draft released on April 29, 2021, data compliance is becoming increasingly important and complicated for companies operating business in China or with data originating from China.
Before the enactment of the Cybersecurity Law in 2016, China didn’t have any dedicated national legislation on data security, and the duty of protecting data was mainly left to companies that collect and/or use data to implement voluntary protection schemes. The 2016 Cybersecurity Law encompassed the issue of cyber data management and security, but other types of data remain unregulated. The Data Security Law filled up the gap by addressing all types of data (including both electronic and non-electronic data) and covering the full cycle of data activities.
Scope of governance
Under the 2016 Cybersecurity Law, all the network owners, managers, and service providers (the “Network Operators”) are required to implement measures to safeguard network security and integrity, and ensure contents published on the network are legal and appropriate. Although technically speaking every enterprise providing services or operating business through a computer network would fall within the definition of Network Operator, based on the reported enforcement cases since 2017, website and mobile application operators were the primary targets of the crackdowns.
By contrast, the Data Security Law has a much wider jurisdiction. Firstly, unlike the 2016 Cybersecurity Law, which only governs cyber data, the scope of Data Security Law also covers non-electronic data. Secondly, although both laws imposed long-arm jurisdiction over illegal overseas activities, the sanctions under the 2016 Cybersecurity Law are limited to exportation of personal and core data originated from China, importation of illegal data from overseas, and activities severely undermining China’s core information infrastructure facilities, whereas any overseas data processing activity that jeopardizes China’s national security, public interest, or lawful rights of any person or entities are considered illegal under the Data Security Law. Obviously, the Data Security Law is taking a catch-all approach to provide a very broad grounds for future legal enforcement.
Points to note
Data classification system
From the fact that the term “national security” is mentioned 14 times in a law comprised of only 55 provisions, it is quite clear that enhancement of national security is a very big driver behind the promulgation of the Data Security Law, if not the most important one. Pursuant to the Data Security Law, the Chinese government will for the first time establish a centralized classification system by the level of importance of the data. Data that are pertinent to national security, national economy, social welfare, and important public interests will be regarded as core data, and will be subject to stricter scrutiny. In the near future, the Chinese government will publish national, regional, and departmental catalogues with classification guidance for the ease of reinforcing supervision on core data processing activities.
Data security monitoring system
As required by the Data Security Law, all data processors will be required to establish a data security policy and risk monitoring system. Processors of core data are required to report their data protection practice to the government on periodic basis, and processors of non-core data are required to report to the government in event of security failure. Companies who fail to protect their data and cause large scale data leakage may face a fine of up to RMB2 million and risk suspension or closure of business. If the violation concerns core data in jeopardy of China’s national interests, the fine may be up to RMB10 million.
The exportation of core cyber data will continue to be governed by the 2016 Cybersecurity Law, whereas China will introduce the new regime regarding exportation of other data. One of the most notable implications on such data exportation restriction is its counteracting effect against the Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) promulgated by former US President Donald Trump in 2018. The CLOUD Act enables US law enforcement agencies to demand access to electronic data no matter which country the data is stored in. However, under the 2016 Cybersecurity Law, exportation of personal data and important data stored in core information infrastructure facilities in China are subject to safety review. This measure has been endorsed by the Data Security Law, which further provides that companies who failed to comply with this requirement may be fined up to RMB10 million and risk suspension or closure of business. The Data Security Law also allows countermeasures to be taken in response to any discriminatory measures against China’s data or data development related investment or trade adopted by foreign countries or regions.
So far, the Data Security Law has only set out a skeleton for the governance of data. The meaning of some important concepts remain unclear. For instance, the concept of “public interests” in the Data Security Law is widely used across various Chinese legislations, but there is neither specific definition for it within the Data Security Law itself, nor has the legislator published any guidance providing clarification. Further, it is unclear which governmental authority should be responsible for enforcement. Based on the latest enforcement case report, a large-scale violation of citizens’ information privacy by certain Chinese local companies operating mobile phone apps was sanctioned by a joint group consisting of The Public Security Bureau, Cyberspace Administration Office, and Communication Administration Bureau for “jeopardizing public interests.” However, it is worth noting that the concept of “public interest” is going to be a bit different in the US than in China. Generally speaking, public interest in the US is limited to activities like public health (think pandemic response) or rule of law (think law enforcement). This is a much narrower concept than in other places in the world. As such, it will be prudent to see what the Chinese officials do with their approach to defining “public interest.”
While waiting for further implementation rules, enterprises with data originated from China should start assessing their exposure to risk of data leaks, unauthorized data exportation, and other violations in this new compliance environment, and seek professional advice.