On 10 June 2021, the Data Security Law (DSL) was passed by the National People’s Congress Standing Committee. It will be effective as of 1 September 2021, leaving a very short window for companies to take the necessary measures to adapt to the new data security regime. The enactment of the DSL only took a little more than one year, with two rounds of reviews by China’s top legislative body and public comments in June 2020 and April 2021, indicating the country’s intention to improve the regulations on data security.

Most part of the content of the final version of the DSL is consistent with the previous second draft. Still, there are some changes which may have a significant impact on the operations of enterprises, both in China and globally.

Main changes:

  • The introduction of the National Data Security Coordination Mechanism, which will coordinate work related to national data security and formulate the Catalogue for Important Data;
  • Industries are encouraged to develop association standards on data security;
  • The data-based intelligent public services should meet the needs of the elderly and the disabled;
  • Anew term, “national core data”, is incorporated to define data concerning national security, lifeline of national economy, important livelihood of people, and vital public interests;
  • The addition of one article stipulating that, when collecting and using data, governmental agencies shall keep confidential the personal privacy, personal information, trade secrets and confidential business information, and shall not illegally disclose such data;
  • Warnings or fines will apply to those who illegally provide important data abroad.

Highlights:

Data Security Regime

The DSL introduces a comprehensive data security regime, structured on five pillars:

  1. Data categorisation and classification

China will establish data categorisation and classification in accordance with the significance of data in economic and social development, and the level of impact on national security if the data is damaged, leaked or illegally used.

  1. Data security risk assessment, report, information sharing and rapid alert

China will establish such system to strengthen data security risk information acquisition, analysis, and rapid alert.

  1. Data security emergency handling

Relevant departments in China should initiate emergency plans to eliminate hidden dangers and risks for security, and publish relevant warning information in time in case of data security incidents.

  1. Data security review

China will set up a data security review system for the data processing activities that (may) impact national security.

  1. Data export control

Data that fall into the category of ‘controlled items’ is subject to export control.

Cross-border Data Transfer

When processing important data collected and generated in China, the Critical Information Infrastructure Operator (CIIO) shall follow the requirements stipulated in the Cybersecurity Law – specifically Article 37: Personal information and important data collected and produced by CIIOs during their operations within the territory of the People’s Republic of China shall be stored within China. If it is necessary to provide such information and data to overseas parties due to business requirements, security assessment shall be conducted in accordance with the measures developed by the national cyberspace administration in conjunction with relevant departments of the State Council).

If the data processor is not considered as a CIIO, it should follow the administrative measures for the transfer security of important data – which will be formulated by the national cyberspace administration and other relevant departments of the State Council, to deal with the data collected and generated in China.

Analysis:

  • The DSL encourages, for the first time, industry organisations to develop association standards and guide the industry on the strengthening of data security protection.
  • Though “important data” and “national core data” are introduced, the DSL does not provide any guidance on how such data shall be determined. It is expected additional supporting regulations will follow, to offer more indication on these concepts.
  • The DSL does not make clear when and how the National Data Security Coordination Mechanism will be established.

The translated version of the DSL is available here.

SESEC will follow up on the implementation of the DSL and the enactment of the Personal Information Protection Law.