On 10 June 2021, the Standing Committee of the 13th National People’s Congress adopted the Data Security Law of the People’s Republic of China (“Data Security Law”) effective from 1 September 2021.
The Law establishes an overarching framework to regulate data handling and management accordingly with national sovereignty, security, and development interests. Under the Data Security Law, the scope and definition of data include any record of information in electronic or other forms and an extraterritorial application to China-related data handling and management. Therefore, companies should be implementing changes for the forthcoming September effective date.
At Horizons, we have been advising clients with China commercial interests to evaluate data handling and management in preparation for the Data Security Law. Specifically, we recommend appointing a specific China data management officer who develops compliance policies and correct implementation to safeguard the company. Below, we highlight the main takeaways and the practical implications for companies doing business in or with China.
Scope of Data
The Data Security Law defines the scope of data and handling as the following in Article 3:
- Data shall refer to any record of information in electronic or other forms.
- Data handling shall refer to the collection, storage, use, processing, transmission, provision, and disclosure of data.
- Data security shall refer to the ability to ensure data is effectively protected, lawfully used, and kept in a secure state by adopting necessary measures.
In practice, the Data Security Law focuses on data security, electronic and non-electronic forms, and data handling activities. The Cyber Security Law adopted on 1 June 2017 focuses on the supervision and management of information and network systems. Therefore, the scope of Data Security Law is broader and affects all companies handling online and offline data.
The Law designates the State to establish a data classification and grading mechanism based on two aspects:
- degree of importance to economic and social development.
- the level of damage to national security, public interests, organisations where the data is tampered with, destroyed, leaked, or illegally obtained or used.
For data identified as important data, a specific catalogue shall be formulated by each region and department. Regional and departments shall determine and grade important data accordingly to the relevant industry and areas and establish stricter data protection obligations. Equally, national security data, the lifelines of the national economy, people’s key livelihood, and major public interests shall be classified as core data and subject to a stricter management system.
Therefore, companies should anticipate stricter data management obligations. Specifically for multinationals involved in cross-border data transfer, important or national data could be defined as controlled categories and subject to export controls.
Data Security Protection Obligations
Although obligations are dependent on the type of data handled, we recommend companies appoint specific personnel or management to supervise the data management and ensure policies are correctly implemented.
For all companies conducting data handling activities, the Data Security Law stipulates the following obligations:
- establish and perfect a data security management system across the entire workflow;
- adopt lawful and proper methods in collecting data and obtaining data by illegal means is forbidden;
- organise and conduct data security education and training;
- adopt the corresponding technical measures and other necessary measures to ensure data security; and
- take immediate disposal measures, notify users as required and report the matter to the relevant competent department.
For companies handling data classified as important data, the following obligations are provisioned
- specify responsible personnel and management bodies for data security;
- fully implement data security protection responsibilities;
- periodically conduct risk assessments for their data handling activities;
- periodically submit a risk assessment report to the competent department
- the risk assessment shall include the categories and quantities of the important data handled by the organisation, how data is handled, any occurred data security risks, and countermeasures
Moreover, organisations and individuals are obligated to cooperate with public security and national security organs that require their data for national security or criminal investigation. In practice, data privacy policies should be revised accordingly. Where data laws of other jurisdictions may cross over, such as the General Data Protection Regulation, the application of the two could be challenging and specialised advice should be sought.
Whilst the Data Security Law applies to the data handling activities within the People’s Republic of China (“PRC”), related data handling outside of PRC could be subject to investigation. Specifically, in Article 2, where data handling outside of PRC harms the national security, public interests, or legitimate rights and interests of citizens or organisations of the PC, legal liability shall be investigated. Although specific liabilities are not mentioned, violations of the Data Security Law are subject to civil, public security administration, and criminal penalties. Therefore, companies outside of China handling related China data should still implement China-specific data compliance policies to migrate unintentional violations and risk future liabilities.
Violations of the Data Security Law are subject to fines between 50,000 RMB and 2 million RMB, and companies may concurrently be ordered to suspend relevant business or revocation of business licenses. Consequently, data security protection is significant and shall not be taken lightly.
The Data Security Law paves the significant role of the State in data development and protection, as China advances the digital economy. Mismanagement of data, specifically those handling important data could face significant liabilities for both the company and individual.
If you would like to discuss data security in China, please contact Horizons at firstname.lastname@example.org and our Partner in charge will be in touch.