On June 10, 2021, China’s national legislature, the Standing Committee of the National People's Congress, passed the Data Security Law (the “DSL”). The DSL took effect on September 1, 2021 and marks China’s first comprehensive data regulatory regime, one of three key frameworks that will buttress the country’s data and cybersecurity governance. The DSL will work in tandem with China’s 2017 Cybersecurity Law (the “CSL”), which requires firms to improve the security of their networks and data, and the Personal Information Protection Law (the “PIPL”), which was passed on August 20, 2021 and takes effect on November 1, 2021 (stay tuned for future updates on Orrick.com on this). This triad of data laws represents an increasingly comprehensive legal framework for privacy and data security in the world’s second largest economy. Given the broad extraterritorial reach of the DSL, international companies that collect data and do business in and with China now have a new set of data rules by which to play. We summarize the key highlights and takeaways of the DSL below:
The DSL governs not only data processing (which includes the collection, storage, use, processing, transmission, provision, and disclosure of data) and management activities conducted within China, but also those outside of China that have the potential to harm China’s national security or public interest or damage the legal interests of any Chinese citizen or organization. It remains unclear how this broad regulatory discretion will be enforced, and the extraterritorial effect of the law will likely hinge on treaties and reciprocity agreements between China and other countries.
The DSL empowers multiple Chinese governmental authorities to oversee data security matters:
The DSL grants authority to China’s Central Government to establish a hierarchical data categorization system in accordance with the importance of the data to China’s economy, national security, livelihood of Chinese citizens, and public and private interests. This system will result in data deemed more important to China’s national interest being more heavily regulated. To this point, the DSL focuses on two categories of data subject to a heightened level of regulation and protection: “important data” and “national core data.” We discuss each in turn below:
The concept of “important data” was introduced in the CSL, which imposes elevated protection, local storage, and a prior security assessment for cross-border transfers of important data on critical information infrastructure operators (“CIIOs”). CIIOs are generally entities operating in the communications, information technology, finance, transportation, and energy sectors. While the CSL imposed these heightened obligations for important data only on CIIOs, the DSL extends them to all businesses that process important data. Under the DSL, processors of important data must:
(i) identify the responsible person and management body for data security and allocate data security protection responsibilities; and
(ii) conduct regular risk assessments on data processing activities and submit risk assessment reports to competent authorities.
While the CSL and DSL do not define “important data,” the DSL states that a consortium of national-level agencies will develop catalogue(s) of “important data” and mandates that local governments and regulatory agencies develop more detailed catalogues to identify the scope of “important data” based on their respective region and sectors. Thus, international companies will have to comply with both the broader national requirements, as well as the region and industry-specific catalogue(s) for important data.
National Core Data
The DSL also introduces the concept of “national core data,” a class of data subject to stricter regulation because of its relation to national security, the national economy, citizens’ livelihoods, and important public interests. While further rules and regulations will likely detail the scope of national core data and guidelines for its protection, violations of the national core data management system may already be punished by fines of up to 10 million yuan (~$1.56 million USD), revocation of business licenses, suspension of business, or criminal liability. The law also imposes penalties on entities that fail to cooperate with data requests from Chinese authorities for law enforcement or national security matters. Given the vague scope of this category, it is currently unclear how a business should review its data processing activities to adequately identify and protect such national core data.
The DSL specifies numerous obligations that data processors must fulfil, including:
As under frameworks like the California Consumer Privacy Act (“CCPA”) and the EU General Data Protection Regulation (“GDPR”), more sensitive data carries heavier obligations to ensure that it is protected. Under the DSL, entities that process “important data” must designate a data security officer, establish a data security management department, conduct periodic assessments to monitor potential risks, and report the results to the applicable government agencies.
For cross-border transfers of “important data,” the DSL establishes a separate framework for CIIOs (discussed above) and non-CIIOs. CIIOs must comply with rules under the CSL, which requires local storage for important data that is collected in China. If a CIIO must transfer data out of China for a necessary business purpose, a security assessment in accordance with the procedures of the Cyberspace Administration of China (CAC) is required. The CAC and other regulatory agencies have yet to formulate cross-border transfer rules for non-CIIOs.
Importantly for litigation and international legal proceedings, the DSL states that without approval from Chinese authorities, no organization or individual in China may transfer data stored within China to any foreign judicial or enforcement authority. Neither the specific approving authorities nor the details of the approval process are specified in the DSL, but entities that violate this requirement face fines of up to 1 million yuan (~$156,000 USD), with additional fines for responsible individuals. Entities whose violations result in “serious consequences” may face fines of up to 10 million yuan (~$1.56 million USD) and the potential suspension of business and revocation of their business license.
Entities that violate their obligations under the Data Security Law face severe penalties. In addition to those penalties mentioned above, Chinese authorities may impose fines of up to 500,000 yuan (~$77,000 USD) on noncompliant entities, issue additional fines to responsible individuals, and mandate remedial measures. If an entity fails to adopt remedial measures after receiving a warning, or if a security incident results in serious consequences (such as a large-scale data breach or leak), the entity may face fines of up to 2 million yuan (~$310,000 USD), as well as the potential suspension of business processes and revocation of the business license.
Additionally, the DSL empowers China’s Central Government to respond in kind against any foreign state that purportedly discriminates against Chinese interests regarding investment and trade related to data technologies.
Many of the DSL’s requirements resemble those of other data security laws, particularly the GDPR. However, the DSL establishes a much more expansive framework than the GDPR. Whereas the GDPR governs personal data only, the DSL governs not only personal data but also any data that is important to China’s national security and economy, and it imposes much stricter data transfer restrictions than the GDPR. Although many key implementing details remain unclear and subject to future regulatory rulemaking, companies doing business in and with China should review their data processing activities for noncompliance risks.
We recommend that international companies doing business in China assess whether and how the DSL applies to their data processing activities and what further data security measures should be implemented. The DSL is already in effect, so the time is now for companies to comply with the law’s extensive obligations. Companies should undertake the following steps to evaluate risk:
Stay tuned as Orrick will continue monitoring the regulatory developments and forthcoming rules related to the DSL, as well as the implementation of the upcoming PIPL, which will be enforced starting on November 1, 2021.