On June 10, 2021, China adopted a new Data Security Law that will impact every business operating in or doing business with China. The law, which will take effect in less than a month (September 1, 2021), is sweeping in scope, imposes extensive data processing obligations, and establishes potentially severe penalties for violations. Although many of the details surrounding implementation remain unclear, given the law’s extensive requirements and severe penalties for noncompliance, companies with a global business presence should begin planning now.
The official Chinese version of the Data Security Law is available here. Although no official English translation yet exists, an unofficial translation is available here.
The Data Security Law has broad extraterritorial reach. It governs not only data processing and management activities conducted within China, but also those outside of China that would harm China’s national security or public interest or damage the legal interests of any Chinese citizen or organization.
Hierarchical Data Categorization
The law calls for China’s central government to establish a hierarchical data categorization and classification system that will govern data in accordance with the data’s importance to China’s economy, national security, and public and private interests. Based on this system, as well as a detailed catalogue of “important data” that will be formulated at the national level, each region and department in China will issue its own catalogue of “important data.” The details of this system — including a definition of “important data,” which no Chinese laws or regulations yet provide — are expected to be laid out in future implementing rules.
The law also carves out a separate regulatory framework for “national core data,” which it broadly defines as any data “related to [China’s] national security, the lifelines of the national economy, important to people’s livelihood, and important to the public interest.” Such data are subject to stricter processing regulations, although these regulations aren’t specified in the law, and violators will face increased penalties. Given the vague scope of this category (which allows for flexible interpretation by government officials), it is currently unclear how a business will be able to review its data processing activities to identify and protect “national core data.”
Obligations for Businesses
The Data Security Law imposes extensive obligations on entities and individuals engaged in data processing activities. Moreover, the law defines “data processing” broadly; it regulates any “collection, storage, use, processing, transmission, provision, and public disclosure” of “any record of information in electronic or other forms.”
The law specifies numerous obligations that entities must fulfill. These obligations include:
- Establishing a data security management system, adopting necessary measures to safeguard data security, and conducting data security training;
- Monitoring potential risks and, in the event of discovering a security incident or defect, promptly notifying users and adopting remedial measures;
- Complying with data security requirements under the Multi-level Protection Scheme (MLPS), for all entities that process data over the Internet or other information networks. The MLPS, established under China’s 2017 Cybersecurity Law, is a classification system for companies physically located in China. In brief, the MLPS imposes varying levels of security requirements on network operators based on the impact that a security incident would have on China’s national security, social order, or public interest.
The more sensitive the data being handled, the more stringent a company’s data security obligations. For example, on top of having to obey strict processing restrictions for “national core” data, entities that process “important data” must designate a data security officer, establish a data security management department, conduct periodic assessments to monitor potential risks, and report results to relevant government agencies.
Those who violate their obligations under the Data Security Law face severe penalties. Chinese authorities may impose fines of up to 500,000 yuan (approximately $77,000 in today’s dollars) on noncompliant entities, issue additional fines to responsible individuals, and mandate remedial measures. If an entity fails to adopt remedial measures after receiving a warning, or if a security incident results in serious consequences (such as a large-scale data leak), the entity may face fines of up to 2 million yuan ($309,000), as well as the potential suspension of the business and revocation of the business license.
In line with the law’s focus on Chinese national security, violators face the steepest penalties where “national core data” are concerned. Entities found to be mishandling such data may be hit with fines of up to 10 million yuan ($1,545,000), forced to cease operations, have their operating licenses revoked, or be subject to criminal penalties. The law also imposes penalties on entities that fail to cooperate with data requests from Chinese authorities for law enforcement or national security matters.
Cross-Border Data Transfers
For cross-border transfers of “important data,” the Data Security Law creates separate frameworks for Critical Information Infrastructure Operators (CIIOs), defined in China’s 2017 Cybersecurity Law as operators in key industries whose data could pose a major risk to Chinese national security or the public interest if damaged or lost, and for non-CIIOs. CIIOs must follow the requirements of the 2017 Cybersecurity Law, whereas non-CIIOs must follow rules that have yet to be issued by the relevant state agencies.
Notably, the law expressly forbids the transfer of any data “stored in China” to any foreign judicial bodies or law enforcement agencies without the prior approval of “competent authorities” within the Chinese government. Neither the “competent authorities” nor the details of the approval processes are specified in the law, but entities that violate this requirement face fines of up to 1 million yuan ($155,000), with additional fines for responsible individuals. Entities whose violations result in “serious consequences” receive heavier penalties, including fines of up to 5 million yuan ($773,000), as well as the potential suspension of the business and revocation of its license.
These transfer prohibitions will have a significant impact on cross-border litigation and other legal proceedings. For example, although the law does not specify what it means for data to be “stored in China,” the law ostensibly applies to Chinese parties involved in civil cases in foreign courts; such parties may need to submit data as evidence in the proceeding, but will need the approval of Chinese authorities to do so.
Moreover, the transfer prohibitions create uncertainty for companies that are legally obligated to submit data to foreign authorities. Companies established in China that offer goods or services to data subjects in the European Union (EU) are subject to the EU General Data Protection Regulation (GDPR), which allows EU supervisory authorities to request data when exercising their enforcement powers. China’s Data Privacy Law requires such companies to obtain Chinese government approval prior to transferring data in response to GDPR enforcement requests. The approval process may be prohibitively lengthy or unsuccessful, and so a company may find itself trapped between the requirements of Chinese law and those of a requesting country. The Data Security Law provides no guidance to companies seeking to navigate this dilemma, and it is unclear whether the yet-to-be-released implementing rules will address the issue.
As noted above, this law will take effect on September 1, 2021. Although the Chinese government is expected to release implementing regulations that will explain unresolved details and procedures, it is unclear whether this will occur in advance of the deadline.
Many of the law’s requirements seem commensurate with other data security laws, particularly those of the GDPR; for example, both generally require that firms implement appropriate measures to safeguard data security, notify users in the event of an incident, and designate responsible officers (although the GDPR requires officers for a variety of situations, whereas the Data Security Law only requires officers for entities processing “important data”). But in many respects, the Data Security Law’s requirements are more expansive than those of the GDPR; for example, China’s new law governs not only the personal data of Chinese citizens, but also data important to China’s national security and economy, and it has much stricter data transfer restrictions than the GDPR. Although many key implementing details remain unclear, companies doing business in and with China should begin reviewing their data processing activities for noncompliance risks.
*Many thanks to summer associate Ray Lefco for providing us with the underlying research for this post.