On June 10, 2021, almost exactly three years after the passing of its Cybersecurity Law (CSL), the National People’s Congress of China passed a new Data Security Law (DSL) (click here for an unofficial English translation of the DSL), which goes into effect September 1, 2021. Where the CSL is primarily focused on cybersecurity for Critical Information Infrastructure (CII) operators and network operators, the DSL was promulgated in order to regulate data processing activities, promote data security, protect the lawful rights and interest of individuals and organizations, and safeguard national sovereignty, security, and development interests. (Article 1). The scope of the DSL is quite broad, and without clarifying regulations or guidance, the law lacks significant detail on how companies should comply, leaving many open questions in advance of the September 2021 effective date. While it is expected that the relevant authorities in China will issue guidance and formulate certain corresponding regulations, it is clear that given the sweeping scope and broad territorial reach of the DSL, the DSL may have far-reaching implications for many companies.
The DSL applies to data processing activities and data management within China, as well as those processing activities outside of China that could “damage national security, public interest, or the legitimate interests of [China’s] citizens and obligations.” (Article 2). The law broadly applies to “data,” which is defined to refer to “any record of information in electronic or other forms, ” although certain provisions apply only to “important data” or “national core data,” as explained further below. “Data processing” is defined to include the “collection, storage, use, processing, transmission, provision, or disclosure of the data, etc.” (Article 3). Based on these definitions and the scope outlined in Article 2, the DSL is incredibly extensive, potentially imposing obligations on companies all over the world, as well as many different types of data, ranging from personal information to other business data.
The DSL sets forth that the Chinese government shall establish a data classification system, setting a hierarchy for different data sets and how they should be protected, based on the importance of the data in economic and social development as well as the extent of harm to national security, the public interest, or the lawful rights and interests of individuals or organizations that would be caused if the data were altered, destroyed, leaked, or illegally obtained or used. (Article 21). In addition, based on this classification system, relevant departments will draft catalogs of “important data” within their corresponding industries and sectors, which may affect how companies within the scope of the DSL structure their own data classification programs and are required to protect certain information.
The DSL has also created an elevated category of data called “national core data”, which includes “data related to [China’s] national security, lifeline of national economy, people’s livelihood and vital public interests.” (Article 21). While the details remain unclear, the DSL contains a generic provision stating that companies handling “national core data” must implement a stricter data security management system with enhanced measures to protect such data and may be subject to increased fines for violating such requirements.
Similar to the EU’s General Data Protection Regulation’s (GDPR) Data Protection Impact Assessment and the California Privacy Rights Act’s Risk Assessment requirement, the DSL introduces the concept of “risk assessments” in two sections, Article 22 and 30. Article 22 states that the government shall establish a uniform, authoritative system for data security risk assessment reporting; Article 30 sets forth an affirmative obligation for all companies to periodically carry out risk assessments of their data handling activities for any companies handling “important data”. Such risk assessment reports shall include the following non-exhaustive information: the categories and quantities of important data processed, how the data processing activities are carried out, and the relevant data security risks and response mechanisms. The risk assessments must be sent to the relevant regulatory department(s).
Breach Response and Notification
Similar to the CSL, which requires network operators and CIIs to have an incident response plan and report all network security incidents to “relevant competent departments”, in the event of a data security incident (which the DSL does not define), the DSL requires companies to immediately remediate the incident, promptly notify users and report such data security incident to the regulatory department(s) (unclear which department(s), but again, the DSL suggests this will be clarified in later guidance). (Article 29). The DSL also requires the government to establish a national data security emergency response mechanism, requiring regulatory departments to initiate emergency response plans in the event of a data security incident (Article 23). In-scope companies should keep a close watch on any further breach response/notification guidance, to ensure the company’s incident response plan conforms with future guidance from the government.
Cross-Border Data Transfers
While the CSL governs cross-border data transfers by CII operators and network operators, the DSL specifies that for cross-border data transfers by all non-CII operators transferring “important data” outside of China, such companies will be required to comply with the rules to be formulated by the state cyberspace administration and relevant departments of the State Council. (Article 31). The CSL states that CIIs can only transfer data out of the country when (i) there is a genuine operational necessity, (ii) the CII passes a security assessment, and (iii) the CII obtain consent to transfer personal information outside of China (unless such consent is implied because the individual is the one sending such information). While the substantive requirements for cross-border data transfer obligations for non-CII operators are not yet developed, the addition of cross-border data restrictions for non-CII operators may impose significant obligations for such companies in the near future.
All companies subject to the DSL shall, among other requirements, also implement the following:
· Establish and complete a data security management system (Article 27);
· If handling important data, designate persons and a management team to be primarily responsible for data security and the fulfillment of data security protection responsibilities (Article 27);
· Educate employees and individuals on data security (Article 27);
· Deploy technical measures to safeguard data security (Article 27);
· Strengthen risk monitoring measures and take timely remedial measures in the event any security flaw, vulnerability or other risk is discovered (Article 29);
· For those companies conducting data processing activities through the Internet (presumably excluding the physical processing of such data), such companies shall comply with the Multi-level Protection Scheme (“MLPS”), a classification system for companies physically located in China and adopted under the CSL (Article 21 of the CSL). The MLPS, in short, requires network operators to (i) ensure its networks are protected against interference, damage, or unauthorized access, and (ii) classify its infrastructure and application systems in five separate protection levels and fulfill protection obligations accordingly (Article 27); and
· Obtain permission from the Chinese government before providing data stored within China to any foreign justice or law enforcement bodies (Article 36).
Penalties and Fines
Non-compliance with the DSL may subject companies to significant fines, which vary depending on the violation. For example, a company’s failure to establish and complete (i) a data security management system, (ii) risk monitoring measures or (iii) periodic risk assessment may subject such company to a fine between 50,000 RMB (approximately $7,735) and 500,000 RMP (approximately $77,350). In addition, those individuals directly responsible for managing data security may be subjected to a separate fine, ranging from 10,000 RMB (approximately $1,550) to 50,000 RMB (approximately $7,735). Where the circumstances are “serious” (which also remains undefined), the above fines may be doubled, and the violating company may be ordered to cease operations and its business licenses may be cancelled.
Furthermore, criminal liability may be imposed if violation of the DSL amounts to a criminal offense; such criminal liability may extend to individuals, specifically the individual primarily responsible for compliance with the DSL. The law does not specify the extent of the criminal liability, merely a statement that criminal liability will apply if the violation constitutes a crime.
Although the above summary provides an overview of China’s DSL, much remains unknown with the law, and companies should keep a close eye on the regulatory and legal guidance to be issued in the near future. With that being said, the DSL may, potentially, have broad overarching global implications. And there are additional requirements on the horizon, as China just passed its second draft of its Personal Information Protection Law (PIPL), presenting comprehensive nationwide privacy legislation, similar to the GDPR. If/when the PIPL passes, these three laws (PIPL, DSL and CSL) will formulate China’s comprehensive data privacy and security legal framework, which may come to be as impactful as other comprehensive data privacy and security legislation around the globe, including the GDPR.