China Cybersecurity And Data Protection: China Releases Draft Data Security Law.
16 July 2020
On 2 July 2020, the Standing Committee of the 13th National People’s Congress published a draft of the proposed new Data Security Law for public consultation. This starts the formal journey through the legislative process of the first law dedicated to data security in China. If enacted, it will have a profound impact on data security practices in China as well as on those foreign organisations and persons processing data from China. The deadline for submitting comments is 16 August 2020. Given its importance, we encourage entities to submit comments on the law through the online portal and keep abreast of developments.
In this e-bulletin we highlight the key provisions of the draft law and set out our observations.
Currently, China does not have any dedicated national legislation on data security. Both the Data Security Law and the Personal Information Protection Law were on the Standing Committee’s legislative agenda (published in September 2018) for its five-year term. In June 2020, both laws were included in its legislative work plan for 2020. The draft Data Security Law was submitted to the Standing Committee for initial reading and is expected to go through a total of three readings before being submitted to a vote. However, the Standing Committee has not indicated a timeline for the legislative process.
I. Key concepts and regulatory bodies
The draft Data Security Law defines data as electronic or non-electronic records of information. It introduces the concept of “data activities”, which include the collection, storage, processing, use, provision, trading and public disclosure of data. Data security is defined as the capability, through the adoption of necessary measures, to ensure that data is effectively protected and lawfully used, and that it remains in a secure state.
Different authorities are given jurisdiction over data based on their administrative regions and industries. However, the draft law does not clearly delineate the boundaries of these powers, which are bound to overlap.
Local governments are responsible for data security in their respective regions, and industry regulators for their respective industries. Public security authorities (namely the police) and national security authorities are responsible for supervising data security. Overall responsibility for coordinating data security efforts and supervising compliance sits with the Cyberspace Administration of China.
II. Protection of important data
Multi-level classified protection regime
The draft Data Security Law proposes a multi-level classified protection regime depending on (i) the importance of the data to social and economic development and (ii) the harm caused to national security, public interest and a person’s rights and interests by its loss, disclosure or misuse. Local governments and industry regulators are each required to draft a catalogue of important data that should be afforded a higher level of protection. The draft law does not, however, define important data or lay down any guidelines for determining the level or class of data.
Both the Ministry of Industry and Information Technology (MIIT) and the China Securities Regulatory Commission currently publish guidelines on determining the levels and classes of data. Under the MIIT guidelines, data is generally classed according to its use in the relevant business functions, whilst the protection levels are determined by the operational and economic impact to the industry of the loss, disclosure or misuse of the data. It is not clear whether the multi-level classified protection regime would follow this approach, or whether each regulatory body would be required to publish its own guidelines or a unified set would apply.
It is also unclear from the draft law how the classification and levels will interplay with the catalogue of important data drafted by the regulatory bodies and local governments. Additionally, catalogues published by local governments and industry regulators could conflict and the draft law does not currently deal with how any such conflict should be resolved.
Processors of important data are required to conduct a periodic assessment of their data activities and submit a report to the regulatory bodies. The report should include information on the types and volume of important data; the collection, storage, processing and use of such data; and the data security risks and the corresponding measures to address them.
The draft law defines data activities but unfortunately does not define processor or process. We hope this will be defined in the next draft in a manner consistent with other laws such as the Civil Code.
Data security officer and management department
Processors of important data are required to appoint a data security officer and designate a management department to take responsibility for data protection. No further details on how such positions should be staffed or their duties are currently included in the draft law.
III. Measures affecting foreign persons and foreign investment
National security review
The draft Data Security Law proposes a data security review regime, under which data activities affecting (or likely to affect) national security will be subject to national security review. The authority which is to conduct the security review is not specified in the draft law and no guidance is given on how the impact of data activities on national security should be assessed. Interestingly, data activities by Chinese persons are not excluded from the national security review provisions, although usually such regimes are designed to scrutinise data activities by foreign persons. The relationship between this review and other national security review regimes is also not currently covered in the draft legislation.
Export control
Data will be subject to export control if it falls in the scope of items restricted from export either due to the country’s performance of its international obligations or for the protection of national security. The Standing Committee recently released the second draft of the Export Control Law, which is likely to be voted through before the Data Security Law.
Countermeasures against unfair treatment
The draft law grants the government the power to take countermeasures if any country or region takes restrictive, prohibitive or similar discriminatory measures against Chinese investment or trade relating to data or data technologies.
Providing data to foreign law enforcement bodies
The draft law provides that organisations and individuals are not permitted to provide data stored within China to foreign law enforcement authorities at their request, without the prior approval of the Chinese authorities. This applies to any data stored in China irrespective of the nationality of the organisation or individual that controls the data.
Extraterritorial effect
Under the draft law, the Chinese government has the power to hold liable any organisation or individual outside of the Chinese territory who conducts data activities that jeopardise China’s national security or public interest, or harm the legal rights and interests of Chinese citizens or organisations. The draft does not specify how the law is to be enforced against foreign organisations or individuals, or which authority will enforce it. The extraterritorial effect provision appears to be too far reaching for it to be implemented in practice, but the concept is expected to remain in the draft.
IV. Requirements for data business
Online data processing service providers are required to obtain a relevant license or make an appropriate filing, which is to be administered by telecom regulators. It is unclear what businesses will be caught as online data processing services could potentially cover a broad range of services that process data online.
The draft law also proposes regulating data trading activities and markets. Providers of data trading intermediary services should require data providers to explain the sources of data, review the identity of the trading parties, and keep a record of the transactions.
V. Centralised data security regimes
The draft law will establish a unified mechanism for assessing and reporting data security risks, sharing relevant information, and providing early warning across the country. The government will also establish a data security contingency response mechanism, under which the relevant regulatory bodies will implement the contingency plan to eliminate the security risks, contain the damage and publish warnings to the public.
For further information, please contact:
James Gong, Herbert Smith Freehills