The Standing Committee of the National People’s Congress of the People’s Republic of China (NPC) announced the adoption of the new Data Security Law (the Law), which will regulate broadly defined data processing activities and provide detailed data security obligations (10 June 2021).
Compared to previous drafts, the final Law introduces stricter requirements in relation to the processing of state critical data (i.e. data related to national security, economic security, important people’s livelihood, or material public interest) and increases the penalties for non-compliance. In addition to steep fines of up to RMB 10 Million, these penalties may include suspensions of operations, revocation of operation permits or business license, sanctions for non-compliant transfer of ‘important data’ outside China and fines imposed on company officials directly responsible for violations.
The Law will have extra-territorial reach, expand data localisation requirements to any organisations processing ‘important data’ (and not only to operators of critical information infrastructure), and impose requirements on entities to obtain authorisation for disclosure of data stored in China in response to requests of foreign judicial or law enforcement agencies.
The Law will enter into force on 1 September 2021.