PRIMER: China’s Data Security Law
IFLR’s latest explainer looks at how companies are preparing for the new law and what areas are the most challenging to comply with
Aimed at protecting national security interests in the collection, use and protection of data, China’s Data Security Law came into effect on September 1 2021. Data protection experts said that a number of areas of the new law remain murky, such as which regulatory bodies are in charge of enforcing it and which data processing activities may trigger a national security review.
What is the new law about?
Adding to the suite of data protection laws China has implemented in recent years, including the Cybersecurity Law and the Personal Information Protection Law, the Data Security Law has a strong focus on protecting national security. Highlights of the law include cross-border data transfer requirements and compliance requirements for data intermediary service providers. Penalties for violations range from fines of between RMB 100,000 ($15,400) and RMB 1 million to suspension or revocation of a business’s licence.
What are the most challenging areas to comply with?
According to Annie Xue, partner at Gen Law Firm, data classification is a key challenge. “For instance, Article 21 of the new law stipulates that important data and national core data require significantly higher protection; however, as of now, the authorities have not provided guidelines on how to define and identify important data and national core data,” she said.
Yan Luo, partner at Covington & Burling, added: “Although the central government and the sectoral regulators are going to release important data catalogues that will provide detailed guidance on identifying important data in different sectors, we are not quite sure when such catalogues will be issued.”
In addition, the Data Security Law requires the Cyberspace Administration of China to release cross-border transfer rules for important data. However, it remains uncertain when these rules will be finalised.
Anna Gamvros, partner and Asia Pacific head of data protection, privacy and cybersecurity at Norton Rose Fulbright, said: “The law creates more restrictions on cross-border transfer of important data, creating a more complex environment for companies with international operations.”
There is also uncertainty around the national security review requirement: data processing activities that affect or may affect national security are subject to national security review, but the law does not specify which activities qualify.
Another challenging aspect is the lack of clarity over which regulator will be in charge of the new law. Article 36 stipulates that, without the prior approval of the Chinese agencies in charge, domestic entities and individuals shall not provide data stored within the territory of China to foreign law enforcement or judicial bodies.
“There are no guidelines on which agencies are being referred to, what the procedures are, and whether all the data transfer due to overseas disputes will be subject to the agencies’ examination,” said the head of legal at an Asia-focused information management firm. “This would be extremely burdensome to business operators.”
How does it differ from the Personal Information Protection Law?
In addition to the Data Security Law, China passed the Personal Information Protection Law in August, which became effective on November 1 2021. While both pertain to data, there are a number of key differences. “The Data Security Law applies to data processing activities within China’s territory which are detrimental to China’s national security, public interests or Chinese citizens’ rights and interests, whereas the Personal Information Protection Law applies to processing of personal information within China’s territory or for certain China-related purposes,” said Gamvros.
While the Personal Information Protection Law is limited to information about natural persons, the Data Security Law is not.
Xue added: “The legislative goal of the Data Security Law is national security, while that of the Personal Information Protection Law is the protection of legitimate rights and interests arising from personal data.”
What are strategies businesses should keep in mind to ensure compliance?
The terms of the Data Security Law are very high-level and broad, so companies should monitor future developments and the issuance of implementation rules. An example of this is the sector-specific Automobile Data Security Regulation, which was issued in August and provides more guidance on concepts such as what is considered to be important data.
“Companies should plan ahead, be proactive and maintain a good working relationship with the regulators, seeking guidance where necessary,” said Gamvros.
While waiting for the implementation rules to be finalised, companies should be proactive in considering the risks involved in cross-border transfers of important data, in light of potential national security risks. “Companies that have not already done so should start mapping flows of important data transferred outside of China,” said Luo.
The in-house counsel at the information management company said that the Data Security Law imposes additional obligations on entities that process important data. For instance, entities that process important data are required to periodically conduct risk assessments on their data processing activities and will be subject to separate cross-border transfer rules.
“Entities that process important data thus need to reconsider the mechanism for cross-border data transfer and stipulate plans to comply with these requirements,” she said.
To ensure compliance, Xue said that businesses should adopt strong data protection frameworks, internal policies and protocols, as well as external privacy policies and data protection agreements, across the whole data life cycle.
What enforcement challenges might the regulator encounter?
It may be difficult for the regulator to balance national security interests against economic development and foreign investment, which require a reasonably free flow of information. “We can foresee difficulties in both law making and law enforcement,” said Gamvros. “Enforcement of the Data Security Law places a heavy burden on the authorities, so more personnel will be needed.”
Companies will compare regulatory regimes, and the sophistication and activity of regulators, across jurisdictions, and may make investment decisions on that basis, Gamvros added. As a result, there will be higher expectations around the professional skills and technical capabilities of the regulator.
Looking at law enforcement track records, Xue expects insufficient awareness of personal information protection compliance and difficulties in detecting unapproved cross-border data transfers, especially of data stored on physical media. Furthermore, there may be a lack of transparent and effective cooperation and consistency mechanisms across government agencies.