On July 2, 2020, the Standing Committee of the National People’s Congress of China (“NPC”) released the draft Data Security Law (“Draft Law”) for public comment.  The release of the Draft Law marks a step forward in establishing a regulatory framework for the protection of broadly defined “data security” in China, with a particular focus on the governance of “important data,” defined as “data that, if leaked, may directly affect China’s national security, economic security, social stability, or public health and security.”  Many provisions of the Draft Law remain vague and lack guidance on how they might be implemented in practice.

We discuss a few key requirements of the Draft Law in greater detail below.

Scope and Geographic Reach

Article 2 states that the Draft Law applies to “data activities” within China, but it also states that organizations and individuals outside of China that conduct data activities which may harm China’s national security, public interests, or the rights of Chinese citizens may be subject to this law.  Here, the term “data” covers all electronic and non-electronic records of information, and “data activities” refers to the collection, storage, processing, use, provision, transaction, and disclosure of data (Article 3).  Note, however, that the Draft Law does not govern data activities involving state secrets, personal information, and military information (Articles 49 and 50).

Data Security Framework

Section 3 of the Draft Law focuses primarily on regulating important data.  Article 19 under this Section stipulates that regional governments, as well as central government departments, shall determine the “important data” for their respective regions, departments, and industries, and implement measures to protect such data.

At the national level, a few systems will be established to protect data security (Articles 20-22):

  • a centralized mechanism for risk assessment, reporting, information sharing, monitoring, and early warning of potential data security risks;
  • an emergency response system, whereby in the event of a data security incident, the relevant department shall initiate the emergency plan to mitigate risks and warn the public as needed; and
  • a system for “national security review” to examine any data activities that may be deemed to pose risks to national security.

Separately, the Draft Law includes a provision under Article 24 stating that should any countries or regions act in a discriminatory manner against China with respect to data-related trade or investments, China has the right to take corresponding measures against such country or region.

Data Security Obligations on Entities Carrying out “Data Activities”

Entities that carry out data activities shall establish a system to ensure data security, which includes training personnel and other technical measures.  Moreover, entities that process important data shall appoint data security personnel and a management committee to allocate data security responsibilities.

Such entities shall also enhance risk monitoring capabilities.  Remedial measures shall be implemented immediately when vulnerabilities are discovered, and users and the regulator shall be notified of any data security incidents.

These requirements under the Draft Law seem to overlap with requirements related to important data under the draft Measures for Data Security Management (“Draft Measures”), which contain requirements pertaining to designating personnel responsible for data security, restrictions on transfers of important data, etc. (see our previous blog post here for a summary of the Draft Measures).

Requirements for Specific Types of Entities: Data Brokers and Providers of “Online Data Processing Services”

The responsibilities for data brokers include (1) requesting that the provider of data explain/clarify the source of the data, (2) verifying the identities of parties to the transaction (i.e., the data provider and data recipient), and (3) maintaining audit and transaction records.

Providers of online data processing services must obtain appropriate business licenses or filings, according to regulations to be issued by the telecom regulators.

Government Access to Data

The Draft Law specifically mentions that law enforcement entities that collect data to maintain national security or to investigate crimes should comply with the necessary procedural laws, but individuals and organizations are obligated to comply with the request.

Where a data access request is made by a foreign law enforcement entity to an individual or organization, such individual or organization shall, prior to disclosure, first report the request to a competent Chinese regulator for approval.  However, to the extent that China participates in international treaties which include provisions for foreign law enforcement access to data, the data shall be disclosed in accordance with such treaties.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.