On 2 July 2020, the full text of the draft Data Security Law of the People’s Republic of China was released online for public comments. The draft law features a total of 51 articles, divided into seven chapters: (i) general rules; (ii) data security and development; (iii) data security systems; (iv) obligations for data security protection; (v) government data security and openness; (vi) legal liability; and (vii) supplementary provisions.
The draft Data Security Law marks the elevation of data security to the level of national security. Together with the Cybersecurity Law (in force since 2017), with which it is intended to be kept complementary, the draft Data Security Law can be seen as an integral part of China’s concept of national security and as a supporting regulation of the National Security Law, and as such it has significant implications.
It is also noteworthy that Art. 49 of the draft law stipulates that all data activities involving personal information must abide by the provisions of the relevant laws and administrative regulations: this leaves room for the future introduction of, and convergence with, a Personal Information Protection Law in China. According to various analyses, the formal implementation of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law is expected to contribute significantly to the development of China’s digital economy, along the three dimensions of networks, data and personal data.
Support for the promotion of data security and development:
The aim of the draft Data Security Law is to ensure the security of data throughout various data development and utilisation activities as well as overall industrial development. Chapter II of the draft law outlines various principles and support that China will give to such activities.
In particular, Art. 17 stipulates that China will establish and improve a management system for data transactions, giving legitimate legal status to data trading and selling activities. In this respect, three existing national standards are expected to become important references for promoting data transactions: “Information Security Technology – Data Trading Service Security Requirements” (GB/T 37932-2019); “Information Technology – Data Trading Service Platform Common Function Requirements” (GB/T 37728-2019); and “Information Technology – Data Trading Service Platform Transaction Data Description” (GB/T 36343-2018).
Data security systems:
Data security is at the very heart of the draft law. According to Art. 3, data security refers to the capability to ensure that data is effectively protected and lawfully used, and that data remains in a secure state through the adoption of the necessary measures. Art. 4 sets out the means to that end: full adherence to the overall national security concept, the establishment and improvement of data security governance systems, and capacity-building.
The specific responsibilities for data security management and supervision are outlined in Art. 6 and Art. 7. In particular, decision-making and coordination of data security work will be the responsibility of the central national security leadership bodies, which will also supervise lower-level departments; each region and department will be responsible for the security of the data it collects, aggregates, processes and generates in the course of its own activities and work, thereby covering the entire process from data generation to processing. The responsibilities of the competent authorities for investigating and punishing misconduct and violations are outlined in Chapter VI of the draft.
With respect to ex ante data protection, Art. 19 requires a classification and grade-based approach to data security. Unlike the Data Security Management Measures (Draft for Comments) issued in May 2019, the draft Data Security Law does not provide a clear definition of the scope of ‘important data’ protection, but leaves it to all relevant regions and departments based on specific catalogues formulated by them in accordance with national provisions. As ‘important data’ involves national security, the delegation of its protection to regions and departments has sparked heated debate, also in view of potential discrepancies and conflicts among important data protection catalogues of different regions and departments. How these concerns will be addressed remains to be clarified.
The draft Data Security Law also stipulates that China will establish centralised, unified and authoritative mechanisms for data security risk assessment, reporting, information sharing, monitoring and rapid alert; and that it will strengthen the acquisition, analysis, research and rapid alert of data security risk information. Moreover, a data security review system will be established to conduct national security reviews of data activities that affect or may affect national security, so to increase risk prevention.
With respect to ex post emergency response, Art. 21 stipulates that China will establish an ad hoc mechanism for the emergency handling of data security incidents. In the event of a data security incident, the relevant competent department shall activate its emergency response plans in accordance with the law, take corresponding emergency measures to eliminate security risks and prevent their further spread, and inform the public in a timely manner if it is potentially affected.
In the context of cross-border data flows, the draft law stipulates that China will have the right to implement export control measures over data that falls into the category of “controlled items”, namely items relating to the fulfilment of international obligations and the safeguarding of national security. When an overseas law enforcement agency requests the collection of data stored in the territory of the People’s Republic of China, relevant departments and individuals may share it only after having obtained prior approval. In addition, the draft Law allows China to adopt countermeasures against discriminatory measures taken by other countries pertaining to data and data utilisation technologies in connection to trade and investment activities.
Finally, it is noteworthy that although the provisions of the draft apply to the collection, storage, processing, use, provision, trading and disclosure of data conducted within the territory of the People’s Republic of China, they also allow China to pursue legal liability against any organisation or individual outside its territory whose data activities harm China’s national security, public interests, or the legitimate rights and interests of Chinese citizens and organisations. Although there are clear differences, this is in line with the “long arm jurisdiction” provisions found, for example, in the EU’s GDPR (“any act involving the processing of EU personal data can be governed”); indeed, some observers argue that the scope of application of China’s draft Data Security Law is a response to similar EU and US practices.
The data security obligations of different subjects:
In addition to strong centralised supervision, the establishment of China’s data security governance system also relies on self-management and inter-agency cooperation. Chapters IV, V and VI of the draft outline the data security obligations and security measures for the different subjects carrying out data activities, and stipulate the corresponding legal liabilities.
However, the current draft of the Data Security Law still lacks specific provisions for practical implementation. Issues such as the delineation of the boundaries of ‘important data’, as well as the establishment of systems for data security, data transactions and cross-border data flows, still need to be clarified. Nevertheless, the publication of the draft Data Security Law reflects China’s determination and confidence in regulating and optimising the legal system for data security in support of the digital economy.
By Charlotte on 18 August 2020