The Standing Committee of China's National People’s Congress (NPC) on June 10 enacted the Data Security Law (DSL), which will come into effect on September 1.¹ The NPC reviewed two earlier drafts of the DSL in July 2020² and April 2021³, which WilmerHale analyzed at the time. This alert will focus on (1) the modifications the DSL has adopted relative to the two previous drafts; (2) the extraterritorial reach of the DSL; and (3) the restrictions the DSL imposes on cross-border data transfers.
(1) Compared with the previous drafts, the DSL would:
(i) establish a national data security working coordination mechanism to coordinate important matters and core tasks related to national data security, such as creating catalogues of what constitutes important data⁴ (Articles 5 and 21);
(ii) authorize the creation of an even more stringent management system for protecting core national data related to national security, national economy or important public interests (Article 21);
(iii) require Chinese authorities to handle cross-border data transfer requests made by foreign judicial or law enforcement agencies based on international treaties and agreements, or the principles of equality and mutual benefit (Articles 36 and 38);
(iv) require data processors, including Chinese authorities, to protect data security when they conduct data processing duties (Articles 12 and 40); and
(v) impose hefty penalties of up to RMB 10 Million and suspensions of operations on entities and fines of up to RMB 1 Million on individuals bearing direct responsibility for violations of regulations on core national data and illegal transfers of important data overseas (Article 45).
(2) Extraterritorial reach
The DSL makes clear that China will hold foreign organizations and individuals accountable should they conduct data activity outside China that compromises China’s national security, its public interests, or the legal rights and interests of Chinese citizens or organizations (Article 2). The extraterritoriality is intended to enable Chinese authorities to penalize parties located overseas if they harm China’s interests. While this is presumably intended at least in part to address NGOs that assemble and publish data that China maintains should not have left China, it is unclear how Chinese authorities will implement this aspect of the DSL in practice.
The DSL also authorizes China to apply reciprocal countermeasures with respect to any country or region that imposes prohibitive or restrictive investment or trade measures that discriminate against China with respect to data or data development and utilization technologies (Article 26). This is consistent with China’s sanctions blocking statute.⁵
(3) Restrictions on cross-border data transfers
The DSL would amplify China’s protectionist perspective with respect to the regulation of cross-border data flows. In particular, the DSL would (i) require data processors as a whole to adhere to certain restrictions when transferring important data overseas; and (ii) bar Chinese parties from handing over information to foreign authorities without approval from Chinese authorities or via an official interface.
Data localization requirements are a critical component of China’s cybersecurity regime. China initially imposed requirements to store personal information and important data in China on critical information infrastructure operators (CIIOs) under the Cybersecurity Law (2016). Under the terms of that law, if a CIIO determines that it is necessary to transfer personal information and important data overseas, it must first conduct a data security assessment. The DSL goes further by requiring data processors other than CIIOs to follow relevant rules to be formulated by CAC and other government authorities when transferring important data collected and generated in China overseas (Article 31). The regulations and guidelines for such transfers are still evolving, especially rules governing specific industries such as the financial industry and the automobile industry.⁶ Notably, the DSL still lacks a clear definition of what constitutes “important data”.
An entity which illegally transfers important data overseas may incur a fine up to RMB 10 Million and/or face suspension of its business or revocation of business permits or licenses in serious cases, with persons directly responsible facing a fine up to RMB 1 Million (Article 45).
The DSL provides that the competent Chinese authority shall process requests for data from foreign judicial or law enforcement agencies in accordance with relevant laws and international treaties and agreements that China has concluded or acceded to, or in accordance with the principles of equality and reciprocity. The DSL also provides that domestic organizations and individuals may not provide data stored in China to foreign judicial or law enforcement agencies without the approval of the competent Chinese authority (Article 36). The slight change of language in the DSL compared with previous drafts means that the competent Chinese authorities shall be the main obligors to provide data in response to requests made by foreign judicial or law enforcement agencies, based on international treaties or the principles of equality and reciprocity. In the event that private parties receive requests to provide data to foreign agencies, prior approval from the Chinese government is required. Such private parties would include subsidiaries of foreign companies.
Entities that provide data to overseas judicial and law enforcement agencies without authorization may incur penalties of up to RMB 5 Million and face suspension of business or revocation of business licenses or permits in serious cases, and personnel in charge who are directly responsible for the provision, and other directly responsible personnel, may incur fines of up to RMB 500,000 (Article 48).
The DSL will complicate the ability of multinational companies (MNCs) in China to comply with foreign legal requirements and to defend themselves in foreign legal proceedings. On the one hand, MNCs may be subject to obligations such as those provided in the Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018) in the United States to produce documents located overseas (such as in China), even when doing so would violate foreign law. On the other hand, acting as a blocking statute against such extraterritorial reach, the DSL would effectively block any such data export to foreign judicial and law enforcement agencies, not only in criminal, but also in civil and administrative proceedings, without prior Chinese government approval, and under an uncertain timeline. Thus, Chinese subsidiaries of foreign companies will be restricted from producing information overseas directly in response to a foreign law enforcement activity or judicial proceeding.
In short, the DSL's entry into force would create more challenges for MNCs in China seeking to comply with increasingly demanding and inherently conflicting rules in different jurisdictions. We are closely monitoring other draft laws and regulations, such as the Draft Personal Information Protection Law, the Draft Data Security Management Measures, and draft regulations and rules applicable to CIIOs, which we expect to be issued in the near future.