The Data Security Law will enhance an increasingly comprehensive legal framework for information and data security in the PRC.

By Hui Xu and Kieran Donovan

On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which will come into effect on September 1, 2021. The primary purpose of the law is to regulate data activities, safeguard data security, promote data development and usage, protect individuals and entities’ legitimate rights and interests, and safeguard state sovereignty, state security, and development interests. The DSL will enhance an increasingly comprehensive legal framework for information and data security in the People’s Republic of China (PRC). Highlights in the DSL include that it:

  • Applies to a wide range of data and data activities, with extraterritorial jurisdiction. The DSL broadly defines “data” as any record of information created in electronic or other forms, and comprehensively defines “data activities” to include data collection, storage, usage, processing, transmission, provision, and disclosure of data. The territorial scope of the DSL extends beyond the PRC and also applies to data activities conducted outside of the PRC, if they may “harm the national security or public interests of the PRC, or the legitimate rights of Chinese citizens or entities.”
  • Refines regulations on “important data” and emphasizes protection of “core state data.” The DSL proposes to classify and protect data based on importance of the data and requires authorities to provide a list of important data to strengthen the protection. The DSL further introduces the concept of core state data and emphasizes that the state will implement a strengthened management system in relation to core state data involving national security, lifelines of the national economy, important people’s livelihood, and major public interests.
  • Imposes a set of obligations combined with high fines and severe penalties on entities and individuals who conduct data activities. In particular, entities violating regulations of cross-border data transfer, or entities violating the core state data management system or harming state sovereignty, national security, and development of interests, may face penalties including monetary fines of up to CNY10 million (~US$1.5 million) and/or revocation of business licenses or demands to close down businesses, and may bear criminal responsibilities (if applicable).

Read the full Client Alert