On July 2, 2020, the Standing Committee of the National People’s Congress of China (“NPC”) released the draft Data Security Law (“Draft Law”) for public comment. The release of the Draft Law marks a step forward in establishing a regulatory framework for the protection of broadly defined “data security” in China, with a particular focus on the governance of “important data,” defined as “data that, if leaked, may directly affect China’s national security, economic security, social stability, or public health and security.” Many provisions of the Draft Law remain vague and lack guidance on how they might be implemented in practice.
We discuss a few key requirements of the Draft Law in greater detail below.
Scope and Geographic Reach
Article 2 states that the Draft Law applies to “data activities” within China, but it also states that organizations and individuals outside of China that conduct data activities which may harm China’s national security, public interests, or the rights of Chinese citizens may be subject to this law. Here, the term “data” covers all electronic and non-electronic records of information, and “data activities” refers to the collection, storage, processing, use, provision, transaction, and disclosure of data (Article 3). Note, however, that the Draft Law does not govern data activities involving state secrets, personal information, and military information (Articles 49 and 50).
Data Security Framework
Section 3 of the Draft Law focuses primarily on regulating important data. Article 19 under this Section stipulates that regional governments, as well as central government departments, shall determine the “important data” for their respective regions, departments, and industries, and implement measures to protect such data.
At the national level, a few systems will be established to protect data security (Articles 20-22):
- a centralized mechanism for risk assessment, reporting, information sharing, monitoring, and early warning of potential data security risks;
- an emergency response system, whereby in the event of a data security incident, the relevant department shall initiate the emergency plan to mitigate risks and warn the public as needed; and
- a system for “national security review” to examine any data activities that may be deemed to pose risks to national security.
Separately, the Draft Law includes a provision under Article 24 stating that should any countries or regions act in a discriminatory manner against China with respect to data-related trade or investments, China has the right to take corresponding measures against such country or region.
Data Security Obligations on Entities Carrying out “Data Activities”
Entities that carry out data activities shall establish a system to ensure data security, including personnel training and other technical measures. Moreover, entities that process important data shall appoint data security personnel and a management committee to allocate data security responsibilities.
Such entities shall also enhance risk monitoring capabilities. Remedial measures shall be implemented immediately when vulnerabilities are discovered, and users and the regulator shall be notified of any data security incidents.
These requirements under the Draft Law seem to overlap with requirements related to important data under the draft Measures for Data Security Management (“Draft Measures”), which contain requirements pertaining to designating personnel responsible for data security, restrictions on transfers of important data, etc. (see our previous blog post here for a summary of the Draft Measures).
Requirements for Specific Types of Entities: Data Brokers and Providers of “Online Data Processing Services”
The responsibilities for data brokers include (1) requesting that the provider of data explain/clarify the source of the data, (2) verifying the identities of parties to the transaction (i.e., the data provider and data recipient), and (3) maintaining audit and transaction records.
Providers of online data processing services must obtain appropriate business licenses or filings, according to regulations to be issued by the telecom regulators.
Government Access to Data
The Draft Law specifically mentions that law enforcement entities that collect data to maintain national security or to investigate crimes should comply with the necessary procedural laws, but individuals and organizations are obligated to comply with the request.
Where a data access request is made by a foreign law enforcement entity to an individual or organization, such individual or organization shall, prior to disclosure, first report the request to a competent Chinese regulator for approval. However, to the extent that China participates in international treaties which include provisions for foreign law enforcement access to data, the data shall be disclosed in accordance with such treaties.