China’s New Data Security Law Comes Into Force

Perkins Coie

Only two months after the release of the second draft of the Data Security Law of the People’s Republic of China (the Second Draft), on June 10, 2021, the Standing Committee of the National People's Congress passed the new Data Security Law (the Law) after a final review of its third draft. The Law took effect on September 1, 2021. Compared with the Second Draft, the final version of the Law has made five major changes.

1. Optimizing the Overall Planning of Data Security

According to the Law, the overall data security decision-making and coordination work will be under the leadership of the central national security authority, which is consistent with the provisions of the Cybersecurity Law and further consolidates the position of data security in the national security system. The Law clearly establishes a national data security coordination mechanism of which the relevant responsibilities include: (1) overall planning and coordination of related departments to formulate the catalogues for important data and strengthening the protection of important data; and (2) overall planning and coordination of relevant departments to strengthen their work in the collection, analysis, determination, and early warning of data security risk information (arts. 5, 21, and 22).

Therefore, the Law further clarifies the governance system in the field of data security. That is:

  • The central leadership authority of national security will be responsible for decision-making and coordination with respect to data security work, researching and formulating major guidelines and policies, coordinating major matters and key work regarding national data security, and establishing a national data security coordination mechanism;
  • The relevant departments of industries such as telecommunications, transport, finance, natural resources, hygiene and health, education, and science and technology will be responsible for the supervision of data security in respective industries or sectors;
  • Public security organizations and national security organizations will be responsible for the supervision of data security within each organization’s respective scope of duties; and
  • The national cyberspace administration authority will be responsible for the comprehensive coordination of online data security and related supervision work (arts. 5 and 6).

2. Further Clarifying the Data Security Management System

The final version of the Law adds the concept of “national core data.” This refers to the data relating to national security, the lifelines of the national economy, the key livelihood of people, and major public interests, which will be subject to a stricter management system in China (art. 21).

Accordingly, it is essential for all companies in China to classify and grade the data under their control or to which they have access. The scope of data classification may include national core data, important data, sensitive personal information, general personal information, and other data or information. After the classification, different protection should then be applied to the classified data in order to establish a system for different data compliance requirements.

In line with the new concept of national core data, the Law also adds a new legal liability for violating the national core data management system. Those who violate the management system for national core data and thereby harm national sovereignty, security, or development interests will be fined between RMB 2 million and RMB 10 million by the relevant departments. They may also be ordered to suspend business or cease operations for rectification, or have the relevant business permits or business licenses revoked, as appropriate. If the violation constitutes a crime, the violators will be held criminally liable in accordance with the relevant law (art. 45).

3. Requiring the Intelligent Public Service Providers to Fully Consider the Needs of the Elderly and the Disabled

The rapid development of the digital economy in China has led to the widespread application of intelligent products and services. This brings convenience and efficiency to the public, but it also causes inconvenience to the elderly and even creates a “digital divide” for them. In November 2020, the General Office of the State Council issued the Implementing Proposals for Effectively Solving the Difficulties of the Elderly in Using Intelligent Technologies. To respond to these needs, the Law adds a new provision concerning the protection of the rights and interests of the elderly and the disabled. The Law stipulates that China will support the development and utilization of data to improve the level of intelligence in public services. When providing such intelligent public services, the needs of the elderly and the disabled should be fully considered so as to avoid causing any obstacles to their daily lives (art. 15). For example, some bank services may require customers to complete remote authentication. If elderly or disabled customers are unable to do so, the bank should consider sending staff to the customer’s home to provide on-site service.

4. Further Improving the Regulations on Ensuring Government Data Security

As for government data, compared with the Second Draft, the Law emphasizes that sensitive information obtained during data processing must be kept confidential. The final version of the Law adds obligations for government authorities, including: (1) in the course of performing statutory duties, government authorities must keep data such as personal privacy, personal information, trade secrets, and sensitive business information confidential in accordance with the law, and must not disclose or illegally provide such data to others (art. 38); and (2) where government authorities entrust others to build and maintain any electronic government system or to store or process any government data, these authorities must supervise the entrusted parties’ fulfillment of the corresponding data security protection obligations in accordance with relevant laws and regulations, as well as the agreed contracts (art. 40).

Thus, data security is not only an obligation of companies or individuals, but also an obligation of government authorities. The Law requires full coverage of the private and public sectors, which means that all individuals, entities, public departments, and administrative agencies must comply with the Law and bear responsibilities under it.

5. Increasing the Penalties for Violation of the Law

The final version of the Law has made major adjustments to legal responsibilities as follows:

  • As mentioned above, the Law adds the concept of “national core data” as well as the legal liability for violating the national core data management system, which is listed as a separate paragraph. The related legal consequences are obviously heavier than those of violating other data security protection obligations, and the fine can be as high as RMB 10 million, which matches the regulation of a more stringent management system for national core data (art. 45).
  • The penalty for violating the obligation relating to the transfer of important data out of China has been significantly increased. The final version of the Law also lists such obligation as a separate paragraph. Aside from other relevant legal consequences, the fines have been significantly increased. The Law increases the maximum fine for entities from RMB 5 million to RMB 10 million, and the maximum fine for individuals from RMB 500,000 to RMB 1 million (art. 46).
  • The Law also greatly increases the penalty for providing data to foreign judicial or law enforcement agencies without the approval of the competent authorities in China. The maximum fine in the Second Draft was RMB 1 million for entities and RMB 200,000 for individuals. In the final Law, the maximum fine is RMB 5 million for entities and RMB 500,000 for individuals (art. 48).

It should be noted that violating the Law is not simply a matter of fines for companies. The punishment can also involve an order to suspend the related business, suspension of business for rectification, revocation of related permits, and even revocation of business licenses. In addition, the people directly responsible for a violation will also be fined. In short, the punishment is severe, and all companies in China should pay closer attention to the relevant regulations.

Suggestions to Companies in China

The implementation of the Law will affect all types of companies in various industries in China, especially internet companies engaged in e-commerce and instant messaging, as well as banks and insurance institutions handling highly sensitive data. Generally speaking, business operators need to focus on the following aspects:

  • Proceeding with data classification and grading for all the data obtained. Companies can set different types and levels for data according to its importance and set up different protection mechanisms accordingly. The higher the importance of the data, the stricter the protection measures and supervision should be.
  • Establishing an internal data management system. After identifying the level of data security and corresponding measures, companies should establish relevant rules and regulations and conduct regular training on data security handling and risk prevention. For employees in important data positions, companies should also conduct confidentiality training, and should take appropriate confidentiality measures.
  • Sorting out the data processing issues of their own businesses. The collection and processing of data must follow the principles of lawfulness, fairness, and necessity. Companies should also inform the data owners and obtain authorization before processing the data. Meanwhile, companies are also advised to establish a data flow-monitoring mechanism to check the real-time status of data usage.
  • Establishing a data risk assessment mechanism. Companies should regularly conduct risk assessments on their collected data, assess the level of security risks they are facing, and take timely response measures to data that generates security risks.
  • Actively paying attention to the promulgation and implementation of relevant laws (e.g., China just passed the Personal Information Protection Law, which will be effective on November 1, 2021), regulations, and national standards. It is important for companies to strictly follow the Law and the upcoming regulatory requirements issued by various authorities, and they should update and strengthen their internal control management of data security in a timely manner.

Notes to Foreign Companies Outside of China

The provisions in the Law are vague and ambiguous as to its application to foreign companies outside of China. According to the Law, foreign companies would be held liable for any data activities outside of China that compromise China's national security, its public interests, or the legal rights and interests of Chinese citizens or organizations (art. 2). It appears that the extraterritorial reach of the Law has been contemplated to address foreign entities that publish sensitive data on China and Chinese citizens. However, it is unclear how broadly this provision will be applied to foreign-based companies.

On the other hand, foreign companies with a presence in China will find that their local entities are required to comply with the Law’s requirements on matters such as cross-border data transfer, data protection, and risk assessment. Going forward, we will continue to monitor the development of relevant rules and the implementation of the Law in practice.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising