New Data Security Law in China
China’s Data Security Law contains provisions that cover the usage, collection, and protection of data. The Law has extraterritorial effects.
On June 10, 2021, the National People’s Congress passed the Data Security Law (non-official English translation available here), which will come into force on September 1, 2021. The Law aims to regulate a wide range of matters relating to the collection, storage, processing, use, and transfer of data. The Law is also a key supplement to the Cybersecurity Law (English translation available here).
The Data Security Law (“Law”) applies to data handling activities carried out within the mainland territory of the People’s Republic of China (“PRC”). Nonetheless, data handling activities carried out outside the mainland territory of China that could threaten national security, the public interest, or the lawful rights and interests of citizens and organizations are also bound by the Law. The Law also provides that if any nation or region employs discriminatory, restrictive, or other similar measures against the PRC in areas such as investment or trade in data and technology for the exploitation and development of data, the PRC may employ equal measures against that nation or region based on the actual circumstances at issue.
Although the Law mainly provides key principles that need to be regulated by different industries or local governments, there are some significant matters that should be taken into account:
- Key definitions: Section 3 of the Law defines the “handling” of data as the collection, storage, use, processing, transmission, provision, disclosure, etc., of data; while “data” is defined as any record of information in electronic or other forms. Meanwhile, “data security” refers to employing necessary measures to ensure that data is effectively protected and legally used, as well as having the capacity to ensure a sustained state of security.
- Lawful processing of data: Any organization or individual collecting data must employ lawful and appropriate methods for its handling and refrain from stealing or otherwise unlawfully obtaining data. Where laws and administrative regulations have provisions on the purpose or scope of data collection and its use, data is to be collected or used within the purpose and scope provided for in those laws and administrative regulations (Section 32).
- International transfer of data: Section 31 of the Law states that the provisions of the Cybersecurity Law apply to the security management for the transfer of data from mainland China that was collected or produced by critical information infrastructure operators inside the mainland territory. As for important data, security measures for its transfer are to be drafted by the State internet information department in conjunction with the relevant departments of the State Council.
- “Important data” refers to data that is yet to be hierarchically classified by the State based on the importance of the data for economic and social development and the extent of harm to national security, the public interest, or the lawful rights and interests of citizens or organizations that would be affected if this data is altered, destroyed, leaked, or illegally obtained or used (Section 21, Law).
- “Critical information infrastructures” refer to public communication and information services, power, traffic, water resources, finance, public service, e-government, and other critical information infrastructure which, if destroyed, caused to malfunction, or made to leak data, could seriously endanger national security, national welfare, people’s livelihoods, or the public interest (Section 31, Cybersecurity Law).
- Privacy impact assessments: Section 30 of the Law states that those handling important data must periodically conduct risk assessments of their data handling activities and send risk assessment reports to the relevant regulatory departments. Risk assessment reports must include, among other things, the types and amounts of important data being handled, how it is handled, what data risks apply, and how those risks will be mitigated.
- Outsourcing of data processing services: Section 33 provides that the service providers must require those institutions engaged in data transaction brokerage services to explain the sources of the data, verify the identities of both parties to the transaction (the broker should check whether the party has the required licenses, if applicable under Section 34), and retain examination and transaction records.
Non-compliance with the Law can result in fines from 10,000 RMB to 1,000,000 RMB (USD 1,500 to USD 154,380) and/or business suspension, revocation of operation licenses, or revocation of business licenses. Managers or others responsible for the handling of data could be personally liable for legal breaches.
This insight is a brief comment on legal news in Argentina; it does not purport to be an exhaustive analysis or to provide legal advice.