Navigating China Episode 19: China’s new Data Security Law: what multinational businesses need to know

China’s Data Security Law (DSL) has come into force and takes effect on 1 September 2021. The speed of its passing has left multinational businesses scrabbling to understand the key compliance obligations. While many of the practical compliance steps will be detailed in measures and guidelines to be published over the coming weeks and months, here’s what we already know:

1. The DSL applies to data in general, and forms part of the broader China data framework. The DSL covers personal and non-personal data, and pays particular (but not exclusive) attention to the security of “important data” and a new category of “national core data”. The DSL sets out a data security framework with which organisations processing data in China – or processing China data outside of China (i.e. extra-territorial effect) - must comply.
   

   “Important data” remains defined (as per the Cybersecurity Law (CSL),and measures published under the CSL) as data which, if leaked, may directly affect national security, economic security, social stability, public health and safety; but there are now helpful indications that industry regulators will issue lists of industry-specific “important data”. “National core data” is a subset of important data, meaning data that is related to national security, national economic and major public interests as well as people’s key livelihoods. The DSL stresses the connection between this new DSL and compliance with the CSL, industry guidelines and other administrative regulations regarding data security/protection as well as state secrets laws.

   As for “personal information”, the DSL sits alongside existing data privacy laws such as the Personal Information Security Specification (PIS Specification) and the Draft Personal Information Protection Law (Draft PIPL), all of which (plus regulations under the CSL) should be read together when creating data security compliance programmes.

2. The DSL confirms – rather than changes - data localisation requirements. Multinational organisations facing the most challenging data localisation requirements under the DSL are those designated as critical information infrastructure operators (CIIOs). The DSL confirms that CIIOs must comply with data localisation and cross-border data transfer measures under the CSL and subsequent measures. In practice this does not require all important data and national core data (and personal information) processed by CIIOs to be stored and accessed only in China, but security impact assessments and liaison with the relevant regulators will be required to access or store any such data outside of China. (The DSL unfortunately does not give a final view on who is a CIIO, and so the situation remains that the only clear way to identify whether or not your organisation is a CIIO is to wait for the relevant regulator(s) to notify you as such).
   

   As for other organisations processing important data and national core data (and personal information), new measures on cross-border data transfer will be published in due course by the China regulators. In the meantime, multinationals are advised to continue to refer to the 2017 draft measures and (as regards personal information) the PIS Specification, meaning that the current position remains most such data can be accessed or stored outside of China provided certain key compliance steps (including, inter alia, explicit consent, impact assessments and contracts with data recipients, plus local copies) are taken; and hopefully the Draft PIPL will simplify this further for “personal information”.

   The DSL reiterates the Chinese Government’s intention to “actively carry out international exchanges and cooperation in the data sector, participate in the formulation of international rules and standards related to data security, and promote the safe and free flow of data across borders” (Article 11). As such, it does not appear that the DSL will in practice move China towards stricter data localisation.

3. Overseas government data requests require prior approval. Prior approval must be sought from the relevant China authorities before data collected or stored within Mainland China is provided to overseas judicial or law enforcement bodies. It is unclear whether this may apply to requests for data from other overseas regulators such as industry regulators.
4. The DSL will provide more details on data security management; risk assessments. The DSL confirms that technical, organisational and other data security measures must be adopted to safeguard the protected data categories; and there are more robust obligations on organisations to deploy data security training. However, the DSL only outlines these principles, and details of the practical steps to be taken by different organisations and for different classes of data will be published in due course. These sit alongside the detailed data security obligations under the CSL (and data privacy regulations) and numerous TC260 technical standards, but are more focused on data rather than systems/application security. It explicitly states that the new DSL data security measures should be adopted alongside the organisation’s MLPS programme. We anticipate that, similar to the TC260 technical standards, detailed guidance on practical data security measures to be deployed will be published by the China regulators in the comings weeks and months. The trend of China publishing very specific local technical security compliance measures will continue, meaning that multinational organisations cannot simply rely on compliance with international security standards (such as ISO) and expect that be sufficient for China infrastructure and data.
   

   One particular point that is emphasised in the DSL is that regular risk assessments must be conducted for processing of “important data”. The DSL indicates that risk assessment reports should include as a minimum: types and amounts of important data being handled; the circumstances of the data handling activities; the data risks faced and how they have been addressed, etc. This adds to the growing data record-keeping obligations in China.

5. Data classification and tiered security measures to be introduced. One interesting new aspect of the overall data security management measures introduced by the DSL is a tiered data classification system against which organisations must assess their data and adopt the relevant tiered security measures. This appears to be similar to the tiered classification of systems under the MLPS scheme. Data will need to be categorised based on its potential impact on national security and public, individual and/or business interests. We await details of the classification scheme, but multinational businesses are advised to identify/map – and tag – their China data now, to expedite the assessment once they are published.
6. Additional resources to fulfil dedicated roles. The DSL requires organisation to designate individuals and departments responsible for data security. In practice multinational organisations may need to identify roles on the ground in China – alongside regional or global data security functions – to fulfil these.
7. Incident contingency/emergency response planning and incident reporting for all data. In line with other data incident response obligations under the overall China data framework (under the CSL etc.), the DSL stresses that incident contingency planning must be undertaken with regard to data incidents. The DSL also provides for reporting of data incidents. Multinational organisations should make sure that their China incident response plans and tests cover not just personal information but all data.
8. Operational impact of sanctions remains significant. Failure to comply with the DSL may result in enforcement notices/warnings and fines (on organisations and directors/managers) of up to RMB 1 million in severe cases, as well as sanctions with very significant operational consequences such as removal of business operating licences and suspension of business. Individuals have an express right to complain about non-compliance with the DSL; and there are also opportunities for individuals or organisations to bring civil claims. We continue to recommend that multinational businesses pay particular attention to contractual obligations regarding compliance with China data/IT security laws, not least as they continue to evolve.
9. Specific offences. The DSL introduces a new offence where organisations or individuals steal or obtain data through other illegal methods. The DSL also reinforces purpose limitation restrictions under the CSL, PIS Specification and Draft PIPL etc.
   

   Multinational businesses that purchase data from intermediaries in China should note that the DSL imposes new obligations on those intermediaries selling data commercially, notably to provide evidence of the source of the data being sold and keep records.

   Finally, the DSL alludes to potential for the China authorities to impose sanctions (e.g. under competition laws) where data handling activities endanger, inter alia, public interest, eliminate or restrict competition, or harm the lawful rights and interests of persons or organisations.

Interestingly the DSL has the express aim of promoting the development and use of data as a key factor with the digital economy. Article 13 indeed states that the DSL gives “equal emphasis to ensuring data security and promoting the development and use of data; using the development and use of data and industry development to promote data security, and using data security to ensure the development and use of data and industry development”. This highlights the continued opportunities (as we have already seen under the CSL and China data privacy frameworks) for businesses to do more with their data - such as via AI and big data analytics - than may be possible in other parts of the world but while remaining good corporate citizens by complying with a robust data security compliance framework.