Given that the Data Security Law is one of the three fundamental data protection laws in China, its legislative process has attracted much attention. In July 2020, comments were solicited on the first draft of the Data Security Law (the First Draft). Nine months later, the Standing Committee of the 13th National People’s Congress released the second draft of the Data Security Law (the Second Draft), which was open for public comment until May 28, 2021. While the Cybersecurity Law focuses more on the security of network/system operation and network information content, and the Personal Information Protection Law focuses more on the security of personal information, the Data Security Law establishes China’s data security governance and supervision system at the legislative level.
The revisions in the Second Draft address a number of issues. The main revisions are explained below.
Expanding the Restrictions on Outbound Data Flows
The Second Draft expands the scope of cross-border restrictions on so-called “important data” beyond the restrictions imposed on operators of critical information infrastructure (CII). Under the Cybersecurity Law, the cross-border transfer of important data collected and generated by CII operators during their operation in China must undergo a security assessment conducted in accordance with measures formulated by the Cyberspace Administration of China (CAC) in collaboration with the relevant departments of the State Council. The Second Draft restates this restriction on CII operators and adds a similar restriction on non-CII operators: where important data is collected or generated by non-CII operators, the administrative measures for the cross-border transfer of such data are likewise to be formulated by the CAC in collaboration with the relevant departments of the State Council (art. 30).
The administrative measures for non-CII operators mentioned above have not yet been promulgated. This does not mean that the outbound data flow obligations of non-CII operators are lighter than those of CII operators. In fact, the compliance obligations imposed on certain special industries may be more stringent. For example, banking financial institutions are generally prohibited from sending any personal financial information out of China, as required by Article 6 of the Notice of the People’s Bank of China on Doing a Good Job by Banking Financial Institutions in Protecting Personal Financial Information.
However, the Second Draft still does not define “important data.” It is therefore important to keep watching for a definition of “important data” in the next stage of the legislative process, as well as for the related administrative measures, which are also still being drafted.
Strengthening the Supervision of Data Provided to Agencies Outside of China
Compared with the First Draft, the Second Draft further emphasizes that no data can be provided to any non-Chinese judicial or law enforcement agencies without the approval of the competent authority of China unless otherwise stipulated in an international treaty or agreement that China has concluded or acceded to (art. 35). In addition, the Second Draft includes new penalties or fines ranging from RMB 100,000 to RMB 1 million for entities that turn over data to foreign judicial or law enforcement agencies without authorization, and responsible individuals may also be fined between RMB 20,000 and RMB 200,000 (art. 46).
The provisions described above, if adopted, will provide a legal basis for a Chinese entity to refuse to provide data to overseas judicial or law enforcement agencies. On the other hand, such provisions may place a foreign company in breach of its obligation to produce materials relating to its Chinese subsidiaries to a foreign court or law enforcement agency, which may result in fines and even adverse judgments.
Improving the Requirements of Data Protection Measures
The Second Draft states for the first time that China will implement a classified and graded data protection system, and it clarifies the relationship between important data and classified and graded protection. While the important data catalogs will be defined at the central government level, regional agencies will establish and manage subordinate catalogs in relevant industries and areas and undertake special protection for the data included in the catalogs (art. 20).
This provision reflects the continuing development of China’s management system for important data. As noted above, however, the Second Draft still does not clearly define the term “important data,” leaving the definition to the catalogs to be released by the various regions, departments, and industries. Meanwhile, although the Second Draft requires the classified and graded protection of data in general, it concentrates on specific obligations for important data, such as the following:
- Those handling important data should clearly specify responsible personnel and management bodies for data security (art. 26);
- Those handling important data should periodically conduct risk assessments for their data-handling activities and submit a risk assessment report to the relevant competent department (art. 29); and
- The security administration of the cross-border transfer of important data collected and generated by CII operators in China should comply with the Cybersecurity Law, and the administrative measures for the cross-border transfer of important data collected and generated by other data handlers in China should be formulated by the CAC together with the relevant departments of the State Council (art. 30).
How to regulate and manage data other than important data will need to be further clarified by detailed implementation regulations.
Significantly Increasing the Legal Liability for Nonfulfillment of Data Security Protection Obligations
In the Second Draft, the penalties for unlawfully carrying out data processing activities are up to five times as high as those stipulated in the First Draft. Where an organization or individual fails to fulfill its data security obligations, the penalties include orders for rectification, warnings, fines of RMB 50,000 to RMB 500,000 for organizations, fines of RMB 10,000 to RMB 100,000 for responsible persons, and fines of RMB 500,000 to RMB 5 million for those who refuse to make corrections or cause major data leakages or other serious consequences (art. 44).
Entities causing serious consequences may also be ordered to suspend the relevant business or cease operations for rectification, and may have their relevant business permits or business licenses revoked. These penalties are newly added in the Second Draft and are undoubtedly more serious than monetary fines (art. 44).
Further Defining the Scope and Purpose of the Data Security Law
Compared with the First Draft, the Second Draft adjusts its applicable scope from “data activities” to “data processing activities and its security supervision and management” (art. 2). The definitions of “data processing” and “data security” are also modified as follows:
- Data processing refers to the collection, storage, use, processing, transmission, provision, transaction, and disclosure of data; and
- Data security refers to the ability to ensure that data is in a state of effective protection and legal use by taking necessary measures, as well as the ability to ensure a continuous state of the security of data (art. 3).
Imposing Obligations Regarding Data Security on Industry Associations
The Second Draft requires industry associations to adopt codes of conduct for data security, strengthen industry self-discipline, guide their members to improve data security protection, raise the overall level of data security protection, and promote the healthy development of the industry (art. 10). This provision sets clear requirements for industry associations and creates challenges for their data compliance work, especially in industries that handle important data.
Imposing Countermeasures Against Discriminatory Measures Relating to Data
Of relevance to foreign companies, the Second Draft provides that where another country or region adopts discriminatory measures against China relating to data, data development and use, or technology in investment, trade, or other areas, China may take corresponding measures against it. Such corresponding measures are clarified as reciprocal measures (art. 25).
Emphasizing the Multi-Level Protection Scheme in Data Processing Activities
The Second Draft newly provides that data processing activities should be conducted on the basis of the Multi-Level Protection Scheme (MLPS): data handlers must establish and improve a data security management system covering the entire workflow, organize and conduct data security education and training, and adopt corresponding technical measures and other necessary measures to ensure data security (art. 26). The MLPS requirements derive from Article 21 of the Cybersecurity Law, which sets out specific security protection obligations for network operators, and Article 59 of the Cybersecurity Law specifies the legal consequences of violating them, including orders for correction, warnings, and fines. Accordingly, companies are advised to implement the MLPS and carry out the relevant evaluation and rectification as soon as possible to avoid potential administrative penalties.
Adjusting the Qualification Requirements for Data Processing-Related Services
Under the First Draft, operators providing specialized online data processing and other services were required to obtain a business license or complete a filing in accordance with law, a requirement that proved contentious. The Second Draft no longer emphasizes licensing or filing requirements for operators specializing in online data processing services (art. 33). Detailed implementation regulations will be needed to clarify whether new data processing permission requirements will be introduced and which data processing services will require a special license.
Increasing the Penalties for Refusing to Cooperate With Security Authorities
The Second Draft also provides penalties for refusing to cooperate with public security and national security authorities seeking access to data. The penalties include orders for rectification, warnings, fines of RMB 50,000 to RMB 500,000 for organizations, and fines of RMB 10,000 to RMB 100,000 for responsible persons (art. 46). Relevant organizations and individuals should therefore cooperate with security authorities in the circumstances described above to avoid the stipulated legal liabilities.
Overall, compared with the First Draft, the Second Draft is more stringent, and some problems that might arise in applying the law have been reduced. Assuming nothing changes, the Data Security Law is very likely to be formally promulgated by the end of this year. However, most of its provisions will still be framed at the level of system design and principle, and their implementation will require supporting laws and regulations as well as national and industry standards from the relevant departments. Entities operating in China should pay close attention to subsequent legislative developments, especially changes to the data classification system and the cross-border data transfer requirements, which may have a significant impact on business operations in the future.