The newly adopted Data Security Law is to become effective on September 1st, 2021, laying down new guidelines for regulation on data processing.
1. Expanded Protection for Data
Section 3 of the Data Security Law defines “data” as any recording of information by electronic or other means, and “data processing” to include collection, storage, use, processing, transmission, availability, disclosure, and other handling of data. It is worth noting that the new definition does not involve a specific medium of transaction, such as a computerised information system, as was the case in the definitions of information-related crimes. Processing of data stored on paper or in other tangible forms would be fully subject to this Law.
Section 2 declares that the Data Security Law shall apply to data processing activities within the territory, including those conducted by foreign entities. It also requires extra-territorial data processing to be subject to investigation according to law, should it raise significant national or public interest concerns. Though it is not clarified that it is this Law that is to be applied, this section does provide a basis for potential extra-territorial application of this Law.
2. Protection by Classification and Level
Section 21 declares that a data classification and hierarchical protection system is to be established. This Law has broadly classified protected data as core data of the State, important data, and other data. Parties processing data will be subject to various obligations, as well as consequences for failure to comply. Important data will be defined by general and specific catalogues, and further obligations are set for the processing of important data. Core data of the State carries the greatest importance and will have a tighter system of management.
There appears to be both general catalogues of important data and specific catalogues of important data. The former shall be formulated under coordination of the national data security coordination mechanism, whereas the latter shall be formulated by departments and regions.
Regions and departments have previously enacted various regulations on data management, notably for data of scientific and strategic value. These regulations remain effective for the moment and are likely to be integrated into the new regulatory framework.
3. Arrangements for Regulation
The Data Security Law makes the following arrangements for departmental regulatory responsibilities.
■ The security coordination authority shall be primarily responsible for national data security, and shall establish a national data security coordination mechanism.
■ Regions and departments shall be responsible for security of data generated or collected when conducting their duties.
■ Authorities of industry, telecommunications, transport, finance, natural resources, health, education, science, technology, etc., shall be responsible for regulation of data security in their respective fields.
■ National and public security authorities shall assume the responsibilities of data security regulation within the scope of their respective functions and duties.
■ The cyberspace administration of the State is responsible for the overall planning and coordination of cyber data security and relevant regulation.
■ Provincial governments and above shall incorporate the development of digital economy into their plans for national economic and social development.
■ Trade organisations shall, in accordance with their articles of association, formulate data security codes of conduct and group standards.
This Law also dictates that several specific systems be established.
■ A centralised, unified, efficient and authoritative data security risk assessment, reporting, information sharing, monitoring, and early warning mechanism.
■ A data security emergency response mechanism.
■ A data security review system, under which data processing activities that affect or may affect national security shall be reviewed, and decisions made shall be final and may exclude further judicial remedy.
■ Export control over the data which falls under controlled items and is related to the safeguarding of national security and interests and the fulfilment of international obligations in accordance with the law.
■ Reciprocal measures against discriminatory prohibitive or restrictive measures or other similar measures against the People's Republic of China.
4. Guidelines for Data Security Developments
The Data Security Law also points out several directions of data security development, which could be directions of future investments and industrial growth.
■ Big data, construction of data infrastructure, and innovative application of data.
■ Intelligent and inclusive public services.
■ Technical promotion and commercial innovation related to data security.
■ Standardisation of data security.
■ Development of data security testing, evaluation, certification, and other services.
■ Development of a sound data trading management system.
■ Professional education in such fields as data development and utilization technologies and data security, and the exchange of professionals.
5. Obligations and Consequences
Chapters 4 and 6 of the Data Security Law provide a list of obligations for organisations and individuals processing data, and the corresponding legal liabilities.
General obligations for data processing entities include:
■ Establishing a sound data security management system, organising data security education, taking technical and other security measures.
■ Complying with the graded protection system for cyber security where Internet activities are involved.
■ Monitoring risks, taking immediate remedial measures in case of security incidents, and notifying the users and reporting to the authority.
■ Refraining from illegal collection or theft of data.
■ Cooperating with public or national security investigations and relevant data retrieval.
■ Not providing data to foreign judicial or law enforcement authorities without approval.
Processors of important data are subject to the following obligations in addition:
■ Specifying individuals and management bodies responsible for data security.
■ Carrying out regular risk assessment and submitting the assessment report to the authority.
■ Complying with the Cyber Security Law when exporting important data collected or generated by key information infrastructure operators.
■ Complying with future regulations made by administration and other departments when exporting other important data.
Data transaction intermediary service providers are further required to verify the sources of data and the identities of parties to transactions, and to maintain transaction records.
Legal liabilities for violations range from interviews by authorities to fines and revocation of business permits. Generally, violations of regulations on the processing of core data of the State and important data are subject to heavier penalties, and serious offences and refusal to rectify could be subject to penalties of up to 2,000,000 RMB in fines and revocation of the business permit.
Compared to the second reading draft, the formal legislation has generally adopted heavier penalties for corresponding offences, but not to an extraordinary level. The EU General Data Protection Regulation, for instance, grants authorities flexible powers to withdraw certifications and impose fines, which could be up to 200,000,000 EUR or 4% of the subject’s global annual turnover, and up to half this amount even for less serious offences. Comparatively, the Data Security Law allows less flexibility in regulatory actions. And, although the Data Security Law includes measures as serious as suspension of the business permit, it is not yet clear how frequently such measures will be used in practice.
6. Sovereignty in the Information Domain
Intriguingly, the Data Security Law may be one of the earliest pieces of legislation regulating the information domain in general on the basis of national security concerns. Indeed, the regulatory measures listed are well within expectation, but the Law does follow a logic distinct from other data protection legislation. Traditionally, it is the conflict between users and operators of databases that legislation tries to resolve. Such legislation endeavours to set boundaries for parties generating and processing data, and to set standards for compensation and penalties for torts in the virtual domain. Yet the Data Security Law primarily focuses on safeguarding national and public interests related to data processing, which might provide a new angle for future legislation.
For the same reason, the Data Security Law notably makes nearly no provision on personal information rights and protection. These issues are to be covered by a separate Personal Information Protection Law, which is currently in its second reading.
Apparently, the Data Security Law is more of a general blueprint than a thorough and detailed code. The specific requirements that enterprises in different industries will have to meet largely depend on future departmental and regional regulations. But the enactment of this Law certainly marks the attention of the country’s leadership and parliament to information security, and it should be expected that more stringent compliance standards will be adopted in the long run. It would be advisable for enterprises to start planning the collection, utilisation and distribution of data in their business activities, and to prepare to establish internal security systems in accordance with future regulatory requirements.
7F Wheelock Square, 1717 Nanjing West Road, Shanghai 200040, PRC