China’s Data Security Law: Analysis and Compliance Guidance

By：

Jihong CHEN

Jiabin SUN

On 10 June 2021, the Data Security Law of the People's Republic of China (hereinafter as the “DSL”) was adopted at the 29th session of the Standing Committee of the 13th National People's Congress and promogulated. The DSL will become effective as of 1 September 2021, leaving companies less than three months to adapt. The DSL is the fundamental law in data security sphere and together with the Cybersecurity law (hereinafter as the “CSL”) and the Personal Information Protection Law (Draft), it outlines the data regulatory framework in China. Specifically, the DSL contains 7 chapters and 55 articles, which widely covers data security mechanism, obligations and liabilities at both State administration and data handler level. In this article, we will analyze the key contents of the DSL and provide you with a practical compliance guideline for a better grasp of the implication of the law on your businesses.

1. Applicable Scope

This law applies to data handling activities conducted within the territory of China and the security supervision and administration over such activities. The DSL also has certain extra-territorial application which states “data handling activities conducted outside the territory of China, harming national security, public interests or legitimate rights and interests of citizens and organizations of shall be legally liable in accordance with laws”.[1]

2. Regulatory Framework 

The DSL expressly outlines the data security regulatory framework. It specifies the head role of the central leading institution for national security especially in coordinating the data security work at the State level via the coordination mechanism. The DSL clarifies the respective data supervision responsibilities of various national public departments (for example, the State Cyberspace Administrative Departments, the public security organs and the national security organs) and industrial competent authorities, in avoidance of ambiguous and repetitive administration. 

Picture 1. Data security regulatory framework

3. Systematic Data Security Protection Mechanism

The DSL specifically proposes a set of comprehensive and top-down design of data security mechanisms in Chapter III, that consist of: 

Hierarchical Data Classification Mechanism. [2]

• Classification Standard
  

Data, under the mechanism, is matrixed in accordance with its importance in economic and social development and degree of harm to national security, public interests or legitimate rights and interests of individuals and organizations when any security incidents.

• Important Data

Article 21 of the DSL specifies that Important Data shall require prioritized protection. As for the formulation of Important Data Catalogue, relevant departments under the coordination mechanism by the central leading institution for national security shall formulate the catalogue at the State level and then each region and sector shall develop its specific catalogue.

• Core Data

The notion of “Core Data” is proposed for the first time which refers to data in relation to the national security, the lifeline of the national economy, important parts of people's livelihood and major public interests. [3] Article 21 stipulates that Core Data shall be administrated at a more stringent level. Companies shall closely pay attention to any further legislative developments in relation to Core Data administration.

Data Security Risk Prevention and Incident Response Mechanism. A State level data security risk assessment, monitoring and early warning mechanism as well as an incident response mechanism will be established to prevent and mitigate any potential data security risk in a more centralized, unified and efficient way.[4]  

National Security Review Mechanism.[5] The DSL, in convergence with the National Security Law, stipulates that data handling activities that affect or may affect national security shall be subject to national security review.

Export Control Mechanism.[6] In line with the Export Control Law, data concerning national security and any international obligations under fulfillment by China is subject to export control.

Countermeasure Mechanism. [7] China may adopt equivalent countermeasures against any prohibitive or restrictive measures imposed by any country or region in terms of data related investment or trade.

4. Comprehensive Data Security Protection Obligations

The DSL places a raft of data security protection obligations on data handlers in the entire Chapter IV. It shall be noted that the DSL merely provides the scaffold and would require supplemental regulations, national standards and guidance for further implementation in practice. Companies shall keep a close eye to any legislative development for compliance purpose. Obligations under DSL mainly comprise:

Data Security Management System. Companies shall establish and complete lifecycle data security management system, take corresponding technical and other necessary measures to ensure data security and conduct relevant data security education and training. [8]

Multi-Level Protection Scheme (MLPS). The DSL by stating “data security protection obligations shall be fulfilled on the basis of MLPS when conducting data handling activities via Internet and other information networks” sets out the fundamental role of MLPS in data security protection. [9]

Data Collection and Handling. Data handling activities shall conform to social morals and ethics. [10] Data collection shall be legitimate and fair. [11]  The collection and use of data shall be limited to the prescribed purposes and scope by laws and administrative regulations, if any. [12]

Important Data Handling and Cross-border Transfer.

• Responsible Person

Important Data handlers shall specify the responsible person and the administrative body for data security to implement and fulfil data security protection obligations. [13]

• Regular Risk Assessment
  

Handlers of Important Data shall conduct risk assessments regularly and submit the risk assessment reports to competent authorities.[14]

• Data Localization and Cross-border Transfer

Important Data collected or generated by critical information infrastructure operators (CIIOs) shall be stored within the territory of China and shall pass the security assessment by the State Cyberspace Administrative Departments when truly necessary to be transferred outside the territory of China, as prescribed in Article 37 of the CSL. The cross-border transfer of Important Data of non-CIIOs shall be regulated by measures to be enacted by the State Cyberspace Administrative Departments together with relevant departments of the State Council. [15]

Security Risk Monitoring and Incident Response Obligations. [16] Data handlers shall enhance risk monitoring and take immediate remedies for any security bugs or vulnerabilities. Data handlers shall response quickly to any data breach and inform users and report to competent departments in a timely manner.

Enforcement Cooperation. Domestically, companies shall cooperate with the legitimate request for data retrieval by public security organs and national security organs.[17] Internationally, companies or individuals shall not provide data stored within the territory of China to foreign judicial or law enforcement agencies as requested, unless approved by competent authorities. [18]

Data Transaction and License Requirement. Companies conducting data handling activities shall obtain relevant license qualification as prescribed by laws (for example, ICP, IDC and EDI license under value-added telecommunication services). [19] Data transaction intermediaries shall review identity of parties involved in the transaction, obtain data source description and put documentation. [20]

5. Promotion of Data Development and Utilization

Data development and utilization is the other limb of the DSL. Article 13 expressly stated that the State advances data development and data security as a whole. In general, the State promotes data development and encourages data application by setting up national data security standardization system, promoting data security testing, evaluation and certification services, building comprehensive data transaction administration system and etc.

6. Legal Liabilities

The DSL mainly contains liabilities of correction order and warning by relevant competent authorities, suspension of relevant businesses for rectification, revocation of business permits or licenses, monetary penalties and criminal charges when constituting criminal offense. The monetary penalties imposed in DSL touches both company level and directly responsible persons in charge level as listed below.

Chart 1. Monetary penalties 

The DSL Compliance Obligation List and Guidance for Companies

[Note] 

[1] Data Security Law of the People’s Republic of China, Article 2. 

[2]  Data Security Law of the People’s Republic of China, Article 21.

[3] Ibid.

[4] Data Security Law of the People’s Republic of China, Article 22, Article 23.

[5] Data Security Law of the People’s Republic of China, Article 24. Republic of China, Article 25.

[7] Data Security Law of the People’s Republic of China, Article 26.

[8] Data Security Law of the People’s Republic of China, Article 27.

[9] Data Security Law of the People’s Republic of China, Article 27.

[10] Data Security Law of the People’s Republic of China, Article 28.

[11] Data Security Law of the People’s Republic of China, Article 32.

[12]  Data Security Law of the People’s Republic of China, Article 32.

[13] Data Security Law of the People’s Republic of China, Article 27.

[14] Data Security Law of the People’s Republic of China, Article 30.

[15] Data Security Law of the People’s Republic of China, Article 31.

[16] Data Security Law of the People’s Republic of China, Article 29.

[17] Data Security Law of the People’s Republic of China, Article 35.

[18] Data Security Law of the People’s Republic of China, Article 36.

[19] Data Security Law of the People’s Republic of China, Article 34.

[20]  Data Security Law of the People’s Republic of China, Article 33.

[21] Data Security Law of the People’s Republic of China, Article 45.

[22]Ibid.

[23] Ibid

[24] Ibid. It worth noting that the DSL newly adds relevant liabilities in response to the establishment of Core Data administration mechanism.

[25] Data Security Law of the People’s Republic of China, Article 46.

[26] Data Security Law of the People’s Republic of China, Article 48.

[27]  Data Security Law of the People’s Republic of China, Article 48.

[28] Data Security Law of the People’s Republic of China, Article 47.

The End

About the Author

Jihong CHEN

Beijing Office

Equity Partner

Practices：IP Licensing & Enforcement, Cybersecurity & Data Protection, Antitrust & Competition

Industry Sectors：Financial Services, Telecommunications and Technology

Jiabin SUN

Beijing Office

Intellectual Property Department

The author recommended articles in the past：

特别声明：

以上所刊登的文章仅代表作者本人观点，不代表北京市中伦律师事务所或其律师出具的任何形式之法律意见或建议。

如需转载或引用该等文章的任何内容，请私信沟通授权事宜，并于转载时在文章开头处注明来源于公众号“中伦视界”及作者姓名。未经本所书面授权，不得转载或使用该等文章中的任何内容，含图片、影像等视听资料。如您有意就相关议题进一步交流或探讨，欢迎与本所联系。

点击“阅读原文”，可查阅该专业文章官网版。