Those familiar with the EU’s GDPR and its UK equivalent will recognize many concepts and requirements of the PRC’s Personal Information Protection Act which came into effect on November 1, 2021 (which we discuss here). However, the other major element of the PRC’s data protection regime is very much focused on national security and may be less familiar.
Data security, especially when it has an impact on national security, is a politically sensitive topic in China and we have seen a number of legislative developments in this space, most notably the cybersecurity law of the People’s Republic of China (CSL) which came into effect in 2017 and the new Data Security Law of the People’s Republic of China. Law (DSL) entered into force on September 1, 2021.
There are complicated implications under DSL that – in addition to regulatory challenges of a routine nature – can also have a structural impact on the Chinese operations of international companies.
What is covered by DSL?
DSL applies to all data activity. Here, “data” is defined broadly, referring to any recording of information in electronic or non-electronic form and the term “data activities” refers to activities comprising, collection, storage, processing, ‘use, provision, trade or publication of data.
As expected, the DSL takes an extraterritorial approach and, in addition to land-based data activities, applies and can be enforced against any organization or person outside of the PRC that conducts data activities that endanger national security, the public interest or the legitimate interests of the citizens and organizations of the PRC. This potentially exposes the international companies concerned to considerable legal uncertainty.
Data that is designated as “important data” is particularly sensitive. This term was used (but not defined) in the earlier CLS and is also a feature of DSL. The use of “important data” triggers a number of legal obligations (Art. 27 & 30, DSL):
- to specify a person and a department who will be in charge and be responsible for data security
- carry out regular risk assessment (RA) on relevant data processing activities and submit an RA report to the competent authority; an RA report should include details of the categories and amount of important data processed, processing activities, safety exposure and management actions, and
- the obligation to follow special rules (yet to be formulated) when such important data is exported; If a company qualifies as a “Critical Information Infrastructure Operator” (CIIO), its important data must be stored onshore, and any export must be subject to prior administrative authorization.
The exact scope of important data needs to be clarified by an important data classification system which remains to be established. The classification envisaged will take into account:
- the importance of the respective data in economic and social development, and
- the seriousness of the damage it could cause to national security, public interest, legitimate interests of individuals / organizations if the data were altered, sabotaged, disclosed, obtained / used illegally.
The issue of “state secrets” – which can be a headache for foreign companies when dealing with Chinese counterparts – is explicitly excluded from the DSL and is regulated separately by the Law on the Protection of Foreign Secrets. State.
Even if your business does not use “important data”, there may still be some general statutory legal principles that you should follow when organizing data-related activities.
Some of them relate to higher expectations for corporate social responsibility (CSR). For example, Article 28 of the DSL stipulates that data processing activities and R&D on new information technologies must contribute to economic and social development, promote the well-being of people and be morally compliant. and social ethics.
The obligations under the DSL, which are more generic in nature with respect to computer security and apply to all businesses, are as follows:
- Establish and complete a data security management system covering the “whole process” (of data processing), and take the respective technical and other measures necessary to ensure data security. If the data processing activities are carried out on the basis of an information network like the Internet, the data security obligations should be carried out on the basis of the Chinese multilevel protection system (等级 保护 制度).
- Strengthen risk monitoring during data processing. Corrective action should be taken immediately when risks such as security breaches or vulnerabilities are discovered. In the event of a security breach, immediate action must be taken and the incident reported to users and the relevant authorities as soon as possible.
Some of these obligations were already covered by the previous CSL and are now repeated with some slight differences under the LIS.
Actions to take now
DSL remains very general but is now quickly supplemented with implementation details. For example, at the end of September 2021, draft national standards on the classification of “important data” were published. As the regime evolves so rapidly, companies need to keep a close eye on legislative developments in the area of data security.
International companies should pay particular attention to their cross-border data transfers (both intra-group and to third parties). The potential sensitivities associated with the concept of important data may result in the need to review and adjust data transfer models to mitigate regulatory exposure under PRC laws.
In addition to this, Chinese affiliates will need to report to Chinese authorities and obtain prior authorization before they can transfer data onshore to their foreign headquarters or if necessary to complete a transfer by a foreign court or law enforcement agency. (Article 33, DSL). This requirement will become a real challenge for international companies, especially when organizing a global survey requiring data cooperation from the PRC.
Businesses should already be implementing the minimum compliance measures discussed here and should review data practices now and as more details on compliance emerge.