China's top legislature passed the Data Security Law (DSL) on 10 June 2021.
The DSL will take effect on 1 September 2021 and may apply to you if you work in, or operate an entity that carries out data handling activities within, the territory of the People's Republic of China (China). In addition, the DSL has an extraterritorial effect on the relevant entity if it carries out the data handling activities outside of China but harms China's national security, public interests, or the legitimate rights and interests of citizens or organisations.
Therefore, for those operating a business with a significant China element, or planning to expand their business into China, we have summarised here some of the key issues in order to give you a better understanding of the DSL.
Data
In 2017, China passed the Cybersecurity Law (CSL), which stipulates that the entity that constructs, operates and provides service through a network, shall maintain the integrity, confidentiality and availability of cyber data. Obviously, the CSL regulates the data in electronic form but makes room for any subsequent laws or regulations to regulate all kinds of data. As expected, the DSL, designed for this purpose, expands the scope of data as any record of information in electronic or other forms.
This difference indicates that if you are handling the data within China, you shall not only care about the data stored on your network but also the paper documents on your desk, filing cabinet or in your briefcase; especially those containing personal information, e.g. the list of employees, payroll, performance reports, etc.
In addition, the DSL categorises data into three layers - (a) Core Data of the State, (b) the Important Data, and (c) Ordinary Data - by considering their importance and the possible damages caused to the society if data were tampered with, destroyed, leaked, or illegally obtained or used.
If data has a bearing on national security, the lifelines of the national economy, people's main livelihoods and major public interests, it shall be deemed as the Core Data of the State and shall be subject to stricter regulations. However, the DSL does not provide further detail on the exact definitions of these three kinds of data. On the other hand, the term Important Data is used by regulations and standards in various contexts. However, as the definition of Important Data is yet to be clearly defined, we wait to see how the legislature will co-ordinate or unify the usage of this term in the different legal documents with respect to data security.
We believe that the legislature seeks to create a framework similar to the Multi-Levels Protection Scheme originated by the CSL, but the concepts are yet to be fully outlined at this stage - it will be expanded upon by the subsequent regulations and rules, which is common practice in China's legislature.
Data export
The issue of whether data collected within China can be legally transferred to overseas parties, and the process by which this can happen, is also an important one. For instance, the headquarters of your business, or other agents or business partners, are likely to need access to the relevant data gathered within China for one reason or other. Generally speaking, data is either subject to a localised storage requirement or data export control. However, the requirements of data export control and localised storage vary significantly according to the nature of the operating entity concerned and the type of data to be transferred. Therefore, different data export or localised storage requirements will apply depending on (a) whether the entity dealing with the data is identified as a Critical Information Infrastructure Operator (CIIO) and (b) the type of data being dealt with by the entity. The following sets out the various requirements:
(a)If your entity handles the Core Data of the State, although there is no clause in the DSL which sets out that the Core Data of the State must be stored within China and shall not be exported outside of China, this could happen because the Core Data of the State shall be subject to a stricter management system (See Article 21 of DSL).
(b)If your entity handles what is classified as Important Data:
(i)If the operating entity is identified as a CIIO, the Important Data collected and generated in China shall be stored within China; if it is necessary to provide data to overseas parties for business purposes, a security evaluation shall be conducted in accordance with the CSL (See Article 31 of DSL).
(ii)In cases where the operating entity is not a CIIO, DSL stipulates that the national cyberspace administration authority, together with relevant departments of the State Council of China, shall issue follow-up legislation in this regard.
(c)For entities handling Ordinary Data, the current law or regulation does not explicitly ban or restrict such exportation or requirement of localised storage, unless otherwise stipulated (see below for exceptions).
As referred to above, there are no statutory definitions of the Core Data of the State, the Important Data and the Ordinary Data. Therefore, you may need to pay extra attention to the follow-up legislation, even if you do not think your entity is a CIIO or you believe that you are solely handling the Ordinary Data.
Another important point to make about data export is: The DSL stipulates that organisations and individuals within China are forbidden to provide any foreign judicial department and law enforcement department with any data stored within China, unless approval has been obtained by the competent department. We understand this mechanism is a response to the long-arm jurisdiction of certain countries and an impact of the Law of China on Countering Foreign Sanctions (Anti Sanction Law) in the area of data security. The Anti Sanction Law stipulates that any organisation and individual shall not implement or assist in the implementation of the discriminatory restrictive measures taken by any foreign country against any Chinese citizen or organisation. The detailed guideline and procedure for obtaining approval in this regard under DSL is yet to be released.
National Security Review
As one of the purposes of DSL is to safeguard national sovereignty, security and development interests, it stipulates that the State shall establish a data security review system, where data handling activities that affect, or may affect, the country's national security will undergo a national security review; the decisions of which are final decisions and non-appealable.
We notice that the National Security Law of China, Measures for Cybersecurity Review, Foreign Investment Law of China and Measures for the Security Review of Foreign Investment, also require national security review in certain circumstances. It is possible that the legislator may consider introducing a general national security review procedure covering the areas of these specific laws and regulations.
How will the changes impact your business matters in China?
As a take-away of this article, we would like to draw your attention to the three items that may cause an impact on your China business: (a) the potential extraterritorial application of the DSL; (b) the data export control measures under this new law; and (c) the joint impact of national security laws and regulations in the different areas.
Gowling WLG will continue to follow the legislature closely to steer you through the intricacies of the data security regime in China.
For more insight on these changes, or to discuss any of your data security issues in relation to doing business in China, please contact Le Rong and Nelson Tian.
[] The Ordinary Data has not been defined by the DSL. We named the data other than the Core Data of the State and the Important Data as the Ordinary Data for logical purpose and convenience. It shall be subject to the definition in the subsequent regulations if any.
[] See Information Security Technology- Guidelines for Data Cross-Border Transfer Security Assessment (draft for comment) on 27 May 2017; Information Security Technology- Guidelines for Data Cross-Border Transfer Security Assessment (draft for comment) on 30 August 2017; Measures for Evaluating the Security of Transmitting Personal Information and Important Data Overseas (draft for comment); and Regulations on the Protection of the Security of Critical Information Infrastructure (Draft for Comment).
[] See Article 31 of the CSL.
[] The DSL does not clarify which authority is competent to approve in this regard because it depends on the nature of data. For example, if data to be exported to the foreign judicial department is relating to securities business, the approval should be obtained by the securities regulatory authority under the State Council and the competent department under the State Council. (See Article 177 of Securities Law of China)
[] See Article 12 of Law of China on Countering Foreign Sanctions.