A few months before the release of the draft Personal Information Protection Law (PIPL), the Standing Committee of China’s National People’s Congress announced a draft Data Security Law (DSL). The draft is short on specifics in many areas. However, similar, to the more-detailed Cyber Security Law (CSL), the DSL is likely to bring forth a wide raft of other implementing regulations, standards and guidance; the DSL itself merely provides the scaffolding. Given the breadth of the issues addressed by the DSL - namely, the collection, storage, processing, use, provision, transaction, publication of any kind of data, and other related activities - this corpus of rules and regulations stands to have a deep impact on business operations in China.
The national security policy driver suggests that the DSL is likely to pass quickly through the committee stage and be enacted some time in 2021.
Enhanced data security measures
The DSL proposes the establishment of a comprehensive state-directed data security system, that will comprise:
- A hierarchical data classification management and protection system that will matrix the importance of the data to the national economy, national security and the public interest and society, and the degree of harm that would result from a security incident.
- A centralised data security risk assessment, reporting, information sharing, monitoring and early warning mechanism. Any data activities that implicate national security may be subject to government security review, which will not be appealable.
- A data security emergency response mechanism to effectively respond to and manage data security incidents.
The system of security controls is likely to be akin to the Ministry of Public Security’s multi-level protection scheme (i.e. MLPS 2.0) albeit with a specific focus on data security.
These systems will be connected with other existing administrative structures (presumably this refers to cyber security administrative structures) to establish a data security review system and an export control system.
The DSL would also place the following obligations on individual organisations:
- Organisations carrying out data activities should take corresponding technical measures and other necessary measures to ensure data security. They should also strengthen data security risk monitoring, risk assessment, and internal security training.
- Mandatory reporting requirements for data security incidents.
- Organisations conducting online data processing services will need a licence going forward. It appears that the licensing authority will be the Ministry of Industry and Information Technology.
- Where organisations engage in data transaction intermediary services, they must require the source of data to be disclosed and retain records of their validation of the data, as well as records of all transactions involving the data.
The DSL itself does not elaborate on any of these requirements.
The concept of important data was first introduced in the CSL. Important data was to be subject to enhanced protection and also to restrictions on cross-border transfer. Important data was subsequently ‘defined’ as data the leakage of which may directly impact national security, economic security, social stability or public health and security, such as non-public government information and information on population, genetic health, geography and mineral resources (draft Measures on the Management of Data Security issued in 2019). And the definition was further elaborated upon in a catalogue set out in the draft Guidelines for Cross-Border Data Transfer in 2017 and defined as data that is closely related to national security, economic development and public interest which is collected in China, but which does not amount to a state secret. However, neither the draft Measures nor the Guidelines were ever enacted, and ‘important data’ has never been authoritatively categorised.
The DSL provides that each region and sectoral regulator will formulate a regional sector-based catalogue of important data. It appears therefore that there will not be any single, nation-wide catalogue of important data. This may be reflective of a possible difficulty of reaching alignment on what constitutes important data across the various government ministries since 2017.
Organisations handling important data will be subject to additional obligations under the DSL, such as the need to designate data security personnel and management bodies to ensure responsibility over data security, and to periodically conduct risk assessments and submit reports of those assessments to the applicable authorities.
However, the DSL has nothing to say on the regulation of cross-border transfers of important data.
Overseas regulator requests
The DSL provides in general terms that foreign law enforcement bodies will require permission from Chinese authorities to access data stored within the PRC. And organisations in China will be prohibited from providing data requested by foreign regulators and law enforcement until they have reported the request to the relevant authorities and obtained permission to disclose.
This is of a piece with Article 277 of the PRC Civil Procedure Law, which provides that foreign authorities require consent to serve documents, conduct investigations and collect evidence in Chinese territory. Similarly, Article 4 of the Criminal Judicial Assistance Law provides the same in relation to criminal proceedings and related evidence. Article 177 of the Securities Law likewise gives the China Securities Regulatory Commission authority to block the transfer of securities data out of China without its approval.
As with the CSL and the PIPL outlines above, the DSL sets out the liability of organisations and the relevant personnel involved in the event of non-compliance with the DSL. Organisations which do not fulfil the data security obligations set out under the DSL may receive a correction order, a warning and a fine of up to RMB 100,000 (and no less than RMB 10,000). Persons who are directly responsible for the entity’s breach may be fined up to RMB 50,000 (not less than RMB 5,000). Where organisations refuse to make the required corrections, cause data leakages on a large scale or cause any other serious consequences, a fine of up to RMB 1 million (not less than RMB 100,000) may be issued, and the directly relevant personnel may be fined up to RMB 100,000 (not less than RMB 10,000).
When organisations that engage in data transaction intermediary services do not adhere to their obligations to verify disclosed data, such organisations may be subject to corrections ordered by the relevant authorities, confiscation of illegal income and a fine that amounts to up to ten times the sum of the illegal income obtained (and no less than the sum of the illegal income obtained). If no illegal income has been obtained, then the organisation may be fined up to RMB 1 million (not less than RMB 100,000) may be issued. Directly relevant personnel may be fined up to RMB 100,000 (no less than RMB 10,000).
Organisations that conduct online data processing services without the required licences may be subject to corrections ordered by the relevant authorities, face a ban of operations, confiscation of illegal income and a fine that amounts to up to ten times the sum of the illegal income obtained (and no less than the sum of the illegal income obtained). If no illegal income has been obtained, then the organisation may be fined up to RMB 1 million (no less than RMB 100,000) may be issued. The directly relevant personnel may be fined up to RMB 100,000 (not less than RMB 10,000).
For an overview of what to expect in data privacy/ security law in China in 2021 and more detail on the new Personal Information Protection Law please click below: