China’s new Data Security Law includes more expansive and restrictive requirements on data localization, mandatory security level certification, and severe penalties on unauthorized foreign transfer of data.
After two rounds of drafts for public comments, the Data Security Law (DSL) in China was finally passed by the Standing Committee of the National People's Congress on June 10, 2021. The DSL will come into effect on September 1, 2021, leaving less than three months for business operators in China to accommodate the new data security regime.
The DSL introduces certain notable data security mechanisms, in addition to some updates and supplements to the existing data security regime established by the Cybersecurity Law (CSL). For instance, the DSL establishes a stricter regulatory framework for the protection of “national core data” on top of that for “important data.” In addition, the DSL reemphasizes the importance of the multilevel protection scheme (MLPS) that was previously set up by the CSL and enhances the data security obligations thereunder. Also, the DSL increases the penalties for unauthorized foreign transfer of data.
The data security obligations outlined in the DSL will potentially affect all business operators in China including multinational corporations. This LawFlash will highlight the key provisions in the DSL and its major implications on business operators.
The DSL regulates a wide range of data-related activities, applying to any data processing activities including “collection, storage, use, processing, transmission, provision and disclosure” of data in both electronic and nonelectronic forms (Article 3). Moreover, Article 3 provides a broad definition of “data security.” It refers to “adopting necessary measures to ensure that data is effectively protected and legally used, as well as maintaining the capacity to ensure a sustained state of data security.”
With respect to the territorial scope, the DSL has certain extraterritorial reach that governs not only data processing activities within China, but also those carried out outside China that harm “the national security, public interests, or lawful rights and interests of citizens and organizations in China” (Article 2).
Under the DSL, China will establish a “categorical and hierarchical system” based on the “importance of the data in economic and social development as well as the extent of harm to national security, public interests, or lawful rights and interests of individuals or organizations that would be caused once the data is tampered with, destroyed, leaked, or illegally obtained or used” (Article 21). On such a basis, certain special data, including “important data” and “national core data,” are protected by stricter regulatory measures.
The CSL and other previous data protection regulations provide a general description of important data and the relevant requirements for its protection, but fail to define the precise scope of important data. In the absence of a clear scope, business operators in China have had to determine on their own whether the data they process constitutes important data, which creates considerable uncertainty for their compliance efforts.
Article 21 of the DSL provides that the Chinese government will publish an important data catalogue at the national level, and each region and department shall determine their own “catalogues of important data” accordingly. This means the Chinese government will set official criteria for the important data rather than allow business operators to decide the scope of important data at their discretion. After the catalogue is released, a framework of procedures to recognize important data will be developed. The establishment of these catalogues will better assist companies to navigate their specific compliance obligations.
Under the DSL, if business operators process data that falls under the important data catalogues, the following requirements will apply:
National Core Data
“National core data,” a new category of data, is introduced in the DSL. According to the DSL, China will “implement a stricter management system” for national core data, which is defined as “data related to national security, the lifeline of the national economy, important aspects of people’s livelihoods, and major public interests” (Article 21).
Companies violating this management system will face severe penalties, including a fine of up to RMB 10 million, cancellation of business licenses, and even criminal penalties (Article 45). Nonetheless, the definition of “national core data” and its management system remain very general under the DSL and require further interpretation.
Under the CSL, all personal information and important data collected or generated by critical information infrastructure operators (CIIOs) within the territory of China should be stored in China; if a CIIO has a business need to transfer such data outside China, it should undergo a security assessment approved by the government authority.
The CSL imposes data localization requirements on CIIOs only and is silent on requirements for other companies. The DSL attempts to fill this gap by providing that the government will further formulate regulations on the cross-border transfer of important data by companies other than CIIOs. It appears that even companies that do not qualify as CIIOs may be subject to restrictions on cross-border transfers if they process data that falls under the important data catalogues. The implementing rules are yet to be published by the government.
The State Security Law enacted in 2015 established a national security review and oversight management system. As data security is a crucial part of national security, and consistent with the State Security Law, Article 24 of the DSL builds up a system of “data security reviews” to examine any data activities that may be deemed to pose risks to national security. In addition, Article 25 empowers the government to impose export control measures on data related to the protection of national security and interests and to China’s performance of its international obligations.
Like many other clauses of the DSL, Articles 24 and 25 do not contain any details of the data security review system and export control measures, the implementing rules of which are to be further published by the government authorities.
Given the rapid growth of the market for data transaction intermediary services, the DSL creates duties for data transaction agents. According to Article 33, when providing agent services for data transactions, agents “shall require the data provider to explain the source of data and shall review and verify identities of both parties to the transactions and maintain records of the verifications and transactions.”
Data transaction agents that fail to perform their duties will be subject to punishments including “request for rectification, confiscation of the unlawful gains, cancellation of business licenses,” and a fine of up to 10 times the value of the unlawful gains, or a fine of up to RMB 1 million if there are no unlawful gains. Additionally, the directly responsible person will be subject to a fine of up to RMB 100,000 (Article 47).
The US CLOUD Act enacted in 2018 expanded the ability of law enforcement authorities in the United States to obtain foreign data, which raised concerns internationally, including in China, about infringement of data sovereignty. The International Criminal Judicial Assistance Law of China promulgated in 2018 created a mandatory preapproval process before evidentiary materials relating to criminal proceedings could be exported out of China. The Securities Law amended in 2019 also provided a similar clause from the perspective of securities finance.
Against this background, Article 36 of the DSL requires domestic organizations and individuals to obtain approval from the competent government authorities before providing data stored within China to foreign judicial and law enforcement agencies. Compared to the previous regulations, which cover only the fields of securities finance and international criminal assistance, Article 36 appears to be an all-inclusive provision for preventing unpermitted data disclosure to foreign authorities, covering civil, administrative, criminal, and any other foreign judicial and law enforcement proceedings.
Entities providing data stored in China to foreign authorities without government approval may be subject to a fine of up to RMB 1 million, and the directly responsible person may be subject to a fine of up to RMB 100,000. If the violation is serious, entities may be subject to a fine of up to RMB 5 million and cancellation of business licenses, and the directly responsible person may be subject to a fine of up to RMB 500,000.
The MLPS is a system previously established by the CSL. Article 27 of the DSL reemphasizes the importance of the MLPS, stating that the MLPS should be the fundamental basis of data processing through information networks, which means all entities carrying out data processing activities should comply with the data security requirements under the MLPS.
MLPS certification is a complex technical standard that requires companies to assess the current state of their information and network systems with servers located in China and the risks associated with them. Under the MLPS, companies are required to evaluate and determine the level to which the company’s information and network systems belong—from the lowest level 1 to the highest level 5—based on the relative impact on national security, social order, and economic interests if the system is damaged or attacked. Companies will be subject to different technical requirements depending on the classification of their systems. Additional administrative procedures (such as filing with the authority) are required if a system is classified as level 2 or above.
Section 4 of the DSL imposes multiple data security obligations, including establishing and improving a data security management system; organizing data security training; taking technical and other necessary measures to ensure data security; enhancing risk monitoring; and taking appropriate measures to prevent data breaches. Violations of these data security obligations may result in a fine of up to RMB 2 million and a suspension of related business, and a fine of up to RMB 200,000 on responsible persons.
As with many Chinese laws, certain provisions in the DSL only provide a general framework, and the details will be set out in implementing rules that have yet to be issued. Morgan Lewis will keep a close eye on legislative updates.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Gregory T. Parks