On June 10, 2021, the National People’s Congress of the People’s Republic of China (PRC) approved the passage of the Data Security Law (DSL), which will take effect on Sept. 1, 2021.
The PRC’s Cybersecurity Law of 2016 (CSL) and the Personal Information Protection Law – undergoing public comment for its second draft, released on April 29, 2021 – both permitted organizations doing business in the PRC to implement their own measures to protect personal data and data traversing organizations’ networks. Unlike those laws, the new DSL will mandate certain measures for the security of any record of information in electronic or other form (including physical copies) that has national or other security implications from a regulatory perspective.
Effect on Multinational Companies
In addition to activities conducted within the PRC, the DSL governs data processing activities, which include the collection, storage, use, processing, transmission, provision and disclosure of data and data security administration outside the PRC that may jeopardize national security, public interests or the legal rights and interests of Chinese citizens and companies. Accordingly, multinational companies that have a presence in the PRC or interact with Chinese entities or individuals should be aware of the DSL’s implications for these types of activities.
Data Classification and Tiered Protection System
Based on the clear terms of the DSL, the new legislation carries an obvious theme of protection of the PRC’s national security interests, and the law is plainly targeted at organizations that process a significant amount of data as part of their ordinary operations. The DSL permits regional and departmental authorities to establish a “classified and graded” data protection system that categorizes data into different groups based on the data’s nature and then assigns different levels of importance to the data within each group. The data protection requirements vary depending on how that data is compiled or used, so we should expect that attendant regulations will also vary. Data that is pertinent to national security, the national economy, social welfare and important public interests will be regarded as “core” data and will be subject to stricter scrutiny, as described below. The National People’s Congress intends to publish national, regional and departmental catalogues with classification guidance for reinforcing supervision of core data processing activities.
“Critical data” will be subject to stricter governance and protection requirements. Specifically:
(i) Similar to the CSL’s requirement that an operator of a “critical information infrastructure” undergo a government-sponsored security assessment prior to transferring personal information and “important data” overseas, a processor of critical data must conduct regular risk assessments and submit its assessment reports to the competent authority. Such reports must include the type and volume of data processed, descriptions of its data processing activities, the data security risks faced, and its response measures. (Note: The security assessment mechanisms have yet to be defined under the DSL and the CSL.)
(ii) Data processing activities that affect or could affect the PRC’s national security will be subject to a binding national security review by PRC regulators. Further details of the implementation procedures are expected to be formulated and issued by the National People’s Congress.
(iii) Certain data relating to the PRC’s national security, national interest or performance of international obligations may be deemed controlled items and thus subject to export control.
Foreign Investigation and Law Enforcement
The DSL also stipulates that any provision of data stored in the PRC by a Chinese entity or individual that is made in response to a request by any foreign judicial body or law enforcement authority will be subject to the prior approval of the competent authority, and it also allows countermeasures to be taken in response to any discriminatory measures against China’s data or data development-related investment or trade adopted by foreign countries or regions. This obligation potentially affects multinational companies’ data submission to the U.S. Securities and Exchange Commission, the Department of Justice, or similar foreign law enforcement bodies or regulators. Violations could trigger significant fines of up to RMB 10 million (approximately $1.56 million).
Multinational organizations with a presence in the PRC or that interact with Chinese individuals or organizations will need to traverse a complex landscape of data governance, classification and export requirements. The terms “national interest” and “national security” are presently undefined, and the National People’s Congress has yet to provide any guidance for these concepts.
In the meantime, multinational organizations, particularly high-tech companies that process a substantial volume of data originating in the PRC, should assess their data handling practices in the PRC and develop a well-defined data governance and mapping program. Such a program should include identification of the source and recipients of any such data, the identity of any individuals associated with the data, and recordation of all uses and activities of data processing.