On June 10, 2021, the Standing Committee of China’s National People’s Congress (“NPC”) enacted the Data Security Law (“DSL”), which will take effect on September 1, 2021 (the official Chinese version is available here and Covington’s unofficial English translation is available here). This law creates a framework for the protection of broadly defined “data security” from a national security perspective.
Prior to the adoption of the final version of the DSL, two previous drafts were released for public comments in July 2020 and April 2021 (see our blogpost and client alert on previous versions here and here). Although the main structure and most key requirements proposed in the second draft of the DSL remain unchanged, the final version introduces certain notable updates in addition to some minor changes for language clarity. For instance, the final version calls for the establishment of a more stringent regulatory framework for the protection of “national core data” on top of the regulatory framework for “important data” (Article 21). Also, the final version increases the amounts of penalties for violations of certain requirements under the DSL (Articles 44 to 52), including, for example, the provision of data requested by a judicial or enforcement agency outside of China without obtaining the approval of a competent Chinese authority.
Key Changes Introduced in the Final Version
(1) Establishment of a “National Data Security Coordination Mechanism”
Consistent with the second draft, Article 5 of the DSL specifies that China’s national security agencies will lead the development and implementation of China’s data security strategies. The final version of the DSL further adds that China’s national security agencies will also establish a “National Data Security Coordination Mechanism.” So far, it is unclear how such a mechanism will be set up and which Chinese government agencies will be involved. But the Coordination Mechanism will be tasked with (i) coordinating various agencies to issue catalogue(s) of “important data,” as discussed below (Article 21), and (ii) promoting data security risk information sharing amongst government agencies (Article 22).
(2) Data Categorization and the Protection of “National Core Data”
Consistent with the second draft, the DSL calls for the central government to establish a “data categorization and classification system” at a national level to govern data based on “the level of importance to national security, public interests, as well as lawful rights of individuals and organizations, if the data is tampered, damaged, leaked or illegally obtained or used.”
In the final version of the DSL, a new category of data, “national core data,” was introduced, which includes “data related to [China’s] national security, lifeline of national economy, people’s livelihood and vital public interests” (Article 21). Without specifying any details, the DSL calls for more stringent requirements to be imposed to protect such data and introduces severe penalties for companies violating such requirements. Absent further guidance, it is currently unclear how a company may determine whether certain data processed by it may be considered “national core data” and how such data should be protected.
Note that, as explained below, the framework regulating “important data” remains the same in the final version of the DSL, including the data security obligations imposed on entities processing such data and the restrictions on transferring such data outside of China.
(3) Data Security Obligations on Entities
The second draft of the DSL requires all entities carrying out data processing activities to comply with the data security requirements under the Multi-level Protection Scheme (“MLPS”), which is a mechanism mandated by the Cybersecurity Law, where the government classifies companies’ networks physically located in China according to their relative impact on national security, social order, and economic interests if the system is damaged or attacked.
The final version of the DSL retains the above requirement but clarifies that such a requirement applies to entities that carry out data processing activities through the Internet or other forms of information networks (Article 27). It appears that this change is made for clarity purposes and is unlikely to change the requirement’s substance.
Note that in addition to the MLPS-related requirements as discussed above, the DSL also imposes specific security requirements on entities that carry out data processing activities. For example, the DSL requires entities to adopt technical and necessary measures to safeguard data security (Article 27). Further, if an entity discovers data security defects or breaches, it must inform users and unspecified “competent authorit(ies)” immediately (Article 29).
For entities that process “important data,” the DSL requires them to appoint a responsible person and an internal department for data security, as well as to carry out a risk assessment on “a regular basis” and report the risk assessment results to “competent authorities” (Article 30).
(4) Increased Penalties for Violations
- Violation of requirements for the protection of “national core data.” According to Article 45 of the DSL, violations may result in a fine of up to RMB 10,000,000, which is significantly higher than the penalties for violating other requirements such as those related to “important data.” Further, an entity may also be ordered to suspend or temporarily close its business or have its licenses or permits revoked for such violations. Serious violations may even result in criminal liability.
- Violation of cross-border data transfer rules.
  - Consistent with the second draft, the DSL introduces separate frameworks for the cross-border transfer of “important data” by operators of Critical Information Infrastructure (“CII”) and by other, non-CII data processing entities. Under the DSL, CII operators must follow the rules established under the Cybersecurity Law, which require CII operators to locally store “important data” that is collected or generated in China and to undergo a security assessment conducted by designated agencies if the cross-border transfer is necessary for business needs. Data processing entities that are non-CII operators are required to follow separate cross-border data transfer rules to be published by the Cyberspace Administration of China (“CAC”) and other government authorities (Article 31).
  - Entities violating the above cross-border data transfer requirements may be subject to a fine of up to RMB 1,000,000. For serious violations, the amount of the fine can be increased to RMB 10,000,000. Such entities may also be ordered to suspend or temporarily close their business or have their licenses and permits revoked for their violations.
- Violation of rules on requests for data by foreign judicial or law enforcement organs. Entities failing to obtain approval before providing data stored in China to judicial and enforcement agencies outside of China may be subject to a fine of up to RMB 1,000,000. If a violation causes “serious consequences,” the entity violating the above rules may be subject to a fine of up to RMB 5,000,000. Similarly, entities may be ordered to suspend or temporarily close their business or have their licenses or permits revoked for violating this requirement (Article 48).
Key DSL Requirements that are Unchanged from its Second Draft
In addition to the key changes explained above, it is also worth noting that the following important rules introduced in the second draft of the DSL remain unchanged in its final version.
- Cross-border transfers of important data. As introduced above, the rules governing cross-border transfers of important data remain unchanged in the final version of the DSL. CII operators must follow the cross-border transfer rules under the Cybersecurity Law (“CSL”), and non-CII operators must comply with the rules to be published by the CAC and other government authorities (Article 31).
- National security review of certain data processing activities. At a national level, the DSL calls for the establishment of a “national security review” system to examine any data activities that may be deemed to pose risks to national security. The DSL also emphasizes that the decision of the national security review is final, indicating that such a decision may not be appealed (Article 24).
- Chinese government access to data. The DSL also specifically mentions that China’s public security bureaus (China’s police) and national security agencies can request data for national security and criminal investigations, as long as proper procedures are followed. Individuals and organizations are obligated to comply with such requests (Article 35).
- Requests for data by judicial and enforcement agencies outside of China. Under the DSL, China will respond to requests for data by judicial and enforcement agencies outside of China in accordance with international treaties or agreements to which China is a party, or based on the principle of “equality and reciprocity.” All previous versions of the DSL consistently require that if a judicial or enforcement agency outside of China requests data stored within China, such data shall not be provided without the approval of an unspecified “competent authority” in China (Article 36).