The Data Security Law (“DSL”), enacted on 10th June 2021, entered into force on 1st September this year.
China’s framework legislation on data is coming to completion. It started with the establishment of principles and directions applicable to network security (with the Cybersecurity Law in 2017).
It is now proceeding with the principles established to govern data security and will then be completed with the Personal Information Protection Law (“PIPL”) recently set to come into effect on 1st November this year.
These three pieces of legislation can be considered the backbone of China’s rules on data and data processing. Although secondary legislation has been announced for the DSL and the PIPL and is expected to be issued in the forthcoming weeks and months, the basic principles are laid down.
In this note, we focus on the provisions of the DSL and its immediate effects for businesses handling or processing data.
Purposes and scope of application
The stated purposes of the DSL are to regulate data processing activities, ensure data security, promote data development and use, protect the rights of individuals and organisations, and safeguard national sovereignty, security and development interests.
“Data” is widely defined and includes any “record of information” in “any form”.
“Processing of data” comprises any handling of data, starting from the mere collection of data to transfer, storage, use or public disclosure of data (whether personal data or not).
Under such premises, and given the widespread presence and involvement of data in any business activity, any business operating in China is likely to fall within the scope of application of the DSL.
The provisions of the DSL are also of interest for businesses operating out of China, as they also have a stated extra-territorial application: where data processing activities harm the national security, public interests or the lawful interests of citizens or organisations of China, entities carrying out such activities outside China are also subject to legal liabilities.
Principles laid down by the DSL
The DSL states a general “principle of legality” for data collection: individuals or organisations collecting data must do so with lawful and justified methods. Also, no data can be stolen or obtained through other illegal means.
The principle of legality is also referred to when access to data is required by any public security agency or national security agency for the purposes of safeguarding national security or investigating a crime.
In such event, approval procedures must be followed and access by the authorities must be obtained in accordance with the relevant laws. On the other hand, the DSL also specifically adds a provision imposing on the relevant organisations or individuals an obligation to cooperate when access to data is required or an investigation is carried out by the authorities.
Although the DSL places the state authorities in a central position with regard to the further development and implementation of the DSL, also individuals and organisations have a role to play as they are given a right to complain and report to the departments responsible for data security any infringements of the DSL they may be aware of.
The DSL also establishes a principle of “consistency with the purpose or scope”: where any law or regulation requires specific purposes or scope in relation to data collection or use, data must be collected or used in accordance with such requirements.
This principle is similar to and consistent with the one expressed in the Information Security Technology – Personal Information Security Specification, which requires that the (personal) data to be collected should be related to the business activity or service for which it is collected, and also be limited to the minimum necessary for the performance of such business activity or service.
The Specification was issued soon after the Cybersecurity Law and, even if not binding, plays an important role in the implementation of such law and the definition of the principles applying to data processing.
Specific obligations are set out in the DSL with regard to processing of “important data”. Important data is defined or, more correctly, broadly referred to as data that will be categorised as such in a data categorisation and classification protection system to be established by the State.
The DSL indicates two criteria to follow in order to further identify important data:
the level of importance (of the relevant data) to China’s economic and social development, and
the degree of damage to the national security, social interests or the lawful interests of individuals or organisations if data is tampered, damaged, leaked or illegally obtained or used.
Catalogues classifying important data are therefore expected to be prepared at regional, departmental, as well as industrial and sectorial level, according to the data categorisation and classification protection system criteria set out in the DSL.
An indication of the level and specificity of the protections required for the various categories of data is also expected to be provided in the catalogues.
Some industries, like finance and telecommunication, have already started classifying data for security purposes, by issuing their own guidelines.
Since the DSL encourages such initiatives, it will be interesting to see whether other industries will follow the same path.
Consequently, a huge effort of coordination will necessarily have to be deployed by the central authorities in order to ensure consistency in the categorisation of data and establishment of protection systems amongst all levels.
The definition of the criteria to follow in order to establish what is to be considered “important data” is not a marginal issue, as it will impose specific obligations on entities processing this kind of data.
In particular, entities processing important data will be required to designate a data security officer and set up a management office to fulfil data security protection responsibilities. In addition, entities processing important data will have to periodically conduct risk assessments on their data processing activities, and submit a risk assessment report to the departments responsible for data security duties.
The contents of such risk assessment reports will have to include the following information:
the categories and quantities of important data processed,
how data processing activities are carried out, and
data security risks and responding measures.
These obligations constitute an almost open window into their business for those entities whose main activity is data processing.
The concept of important data is also relevant with respect to cross-border transfer. Precisely, cross-border transfers of important data collected and generated by processing entities during their operation within the territory of China will have to follow rules to be formulated by the cyberspace administration and relevant departments of the State Council. At this stage, only draft measures have been prepared in this regard.
When entities processing important data are operators of Critical Information Infrastructures [1], cross-border transfer will have to follow the requirements under the Cybersecurity Law, i.e. the transfer overseas has to be genuinely necessary for business reasons and a security assessment must be conducted in accordance with the measures formulated by the national cyberspace administration authority or other specifically applicable laws or administrative regulations.
The DSL also refers to what seems to constitute a category of data separate from important data: the “national core data”. This category includes data related to national security, the lifelines of the national economy, important aspects of people’s livelihood and vital public interests.
The DSL simply states that for this data a stricter management system is required. Secondary legislation is expected to help further define this category of data and its specific implications in terms of compliance by entities processing it.
What is immediately applicable starting from 1st September 2021
In addition to setting out principles and referring to implementing secondary legislation, the DSL also sets out provisions that are immediately applicable.
The most relevant immediately applicable provisions require entities processing data to establish data security management systems across their entire workflow.
Data security training must also be organised and conducted.
Entities are also required to safeguard data security by adopting technical measures and any other necessary measures.
If the data processing activities are carried out using an information network (i.e. through the Internet), the security protection obligations must be based on the Multi-level Protection Scheme provided for by the implementing regulations of the Cybersecurity Law.
Entities carrying out data processing activities are then also required to strengthen risk monitoring and, where risks are identified (for example, data security defects or leaks), adopt appropriate remedies.
In the event of data security incidents, data processing entities must, in addition to immediately adopting remedies, also notify users and report to the relevant regulatory authorities.
With regard to transfer of data overseas, a specific provision of the DSL requires any organisation or individual in the territory of China not to provide data stored within the territory of China to foreign judicial or law enforcement agencies without the approval from the competent Chinese authorities.
In this regard, the DSL states that data provision requests will be handled in accordance with the principles of equality and reciprocity or any applicable international treaties.
This provision may also have a significant extra-territorial effect depending on how the words “territory of China” will be interpreted.
It is worth noting that most of the obligations imposed onto businesses by the DSL are accompanied by sanctions in case of infringement. Such sanctions range from simple warnings and orders for correction to fines (imposed on the business and the person directly responsible), suspension of services or business and revocation of licences.
What is expected to happen
A categorisation of data and a classification protection system, according to the criteria set out in the DSL, will take place at various levels and in various industries.
As mentioned above, some sectors (finance and telecommunication) have already started elaborating their own classification systems. Other industries, like transport, hygiene and health, education, natural resources, science and technology, are expected to do the same.
Catalogues of what is to be considered “important data” or just “data” in specific sectors or industries will be prepared, along with definitions of protection standards and classifications.
Similarly, codes of conduct and group standards on data security are expected to be issued by sectorial organisations in various industries.
Businesses should therefore carefully monitor the future developments and implementation of the principles and guiding provisions of the DSL in order to better understand the contents of the obligations imposed by the DSL and the extent of their liability with respect to data processing. Also, businesses should analyse their data collection and, more generally, data processing activities and methods, in order to verify whether they are compliant with the DSL provisions.
Such analysis and assessment should first be aimed at identifying the nature and importance of the data processed, identifying data security risks, adopting appropriate remedies, verifying whether any transfer of data overseas is required or likely to happen, and ensuring that security management systems are in place.
Businesses carrying out data processing activities may also expect to be required to cooperate with the authorities in their risk information acquisition, analysis, determination and warning, as well as in their data security review system.
[1] The Regulations on the Security Protection of Critical Information Infrastructure define operators of Critical Information Infrastructures as operators of key network facilities and information systems in important industries and sectors, such as public telecommunication and information services, energy, transport, water conservancy, finance, public services, e-government and science and technology industries for national defence, which may seriously harm national security, the national economy, people’s livelihood and public welfare if the relevant data is destroyed, lost or leaked.
This article is written by Marco Vinciguerra and was published by HFG. We received permission to republish the article here for the ADCG community. The original posting can be found here.