The Data Security Law[1] was passed by the 29th session of the standing company of the People’s Republic of China and will function as one of the pillars of cybersecurity laws of China. One aspect that makes it unique from other laws worldwide is its classification methods and different treatment. The brief will list all the critical elements of the data security law and how it could affect the companies (both Chinese and foreign).
Types of data
Data has been defined[2] as any record of information in electronic form or otherwise. The law also defines data handling as collection, storage, processing, transmission, use, disclosure, provision of data. The data has been divided into the following hierarchical structure:-
1) Core State data: The draft highlights[3] that the core state data includes national security, national economy, the livelihood of people and public interest, thereby requiring more robust data management systems. The draft does not explicitly provide a scope for this type of data. Any violation that affects the core state data attracts a heavy penalty[4] of up to RMB ten million (around eleven crores in Indian rupee). It also attracts a suspension of operations and permits, licenses.
2) Important data: The scope of important data is neither defined in this draft nor is it discussed in the CyberSecurity law where a mention of the same can be seen. A recent draft was released on Car data security management[5] where it has explicitly defined the scope of important data with respect to car data. This shows that the scope of important data under the data security law might not be as extensive as it seems to be.
The draft has given the Government and administrative regions the power to prepare a catalogue that will list the scope of important data. When a violation results in important data getting transferred abroad, such an organisation or individual will be penalised[6] up to one million yuan (around one crore in Indian rupee).
Jurisdiction
The scope of this law is not just restricted to China but also has an extraterritorial application. The law states[7] that in cases where data is handled to harm the country’s national security, public interest, the interest and rights of its citizens; the extraterritorial application will come into force. The law, however, does not define the scope of what amounts to national security or public interest. It is expected that the Government will release rules that will clarify such vague terms.
The jurisdiction also extends outside China concerning cross border transfer of data as the data has to pass through the Chinese Government before being transferred
Cross border transfer and Data Localisation
The provision on cross-border data transfer distinguishes[8] the requirements between operators of critical information infrastructure and operators of non-critical information infrastructure. Critical information infrastructure is defined under the Cybersecurity Law, 2017[9] as the information infrastructure in industries and sectors such as communications, energy, transportation, and more. Once attacked, it could be a threat to the national economy and public interest. The cybersecurity law establishes some rules that the critical information infrastructure operators are expected to follow and advises that the data be stored locally. When a cross-border transfer is deemed necessary, security assessments[10] have to be carried out following specific rules. The DSL provides that for operators of critical information infrastructure, the same provision has to be followed.
With respect to cross-border transfer to foreign law enforcement agencies, the DSL very clearly states that the data cannot be provided without the permission of competent authorities in China. The law also says that the authorities should approve the cross-border transfer of data for law or international treaties. This provision is quite far-reaching as it would make it very difficult to share documents containing personal data for litigation purposes in foreign countries. The law also establishes itself above international treaties, which the other party countries to any treaty would not approve.
For non-critical information infrastructure processing operators, they are supposed to comply with rules published by the Cyberspace Administration of China and other government departments.
Obligations of data processors
The law imposes the following general obligations on data processors: –
a) The data processors are expected to establish a data security management system for identifying data breaches and sending notifications.
b) They are also expected to comply with multi-level protection schemes. This scheme requires the operators to classify their systems based on the risk it poses to national security.
c) If the operator handles important data, a data security officer has to be appointed to manage risks and carry out assessments. These assessment reports should also be submitted to relevant bodies.
Impact on the foreign companies and investors
China has come up with these strong provisions not just considering the GDPR but by going beyond that. These are no mere compliance provisions as they call for strict penalties on a violation. Therefore, foreign investors will be more concerned about detailed due diligence[11] of the security systems of the target companies. Investors will also be interested to understand how the target company would adapt to these strict regulations and the measures adopted to face a cyber security risk. The target company can expect a more comprehensive indemnity clause covering data security.
Businesses will also have to be equally cautious and undertake a review of the entire system to understand the category of data collected and follow the provisions accordingly. For any cross-border data transfer, they have to be extra cautious of the information that goes out and take necessary permission.
Data Security Systems
The law provides for how data security systems are to be designed as follows: –
a) Hierarchical system- The law states that data will be secured through a hierarchical system based on the importance accorded to the data. The law also states that the significance of the data to the economy, social development, national security, public interest and so on should be considered parameters for deciding the hierarchical structure. Data forming a part of the above-said parameters should be given a stricter management system.
b) Data Security Review System- The law proposes setting up a review system to review decisions made on data security. In Cyber Security Law[12] currently, the Cyberspace Administrative Office is responsible for checking the network products procured by critical information infrastructure operators. The Data Security Law expands the scope of review beyond critical information infrastructure operators.
c) Data Security Emergency Response Team- The law also provides the establishment of a data security emergency response and handling system that should respond to emergencies. This can be considered to be similar to the Indian Computer Emergency Response Team.
d) Countermeasures- The law also provides specific countermeasures for situations where other countries might adopt discriminatory practices against China regarding investment and trade in technology.
Existing Laws on data protection and its relations with the new law
The Cyber Security Law[13] became the first pillar of data protection in China in 2017. Following this, the Data Security Law and Personal Information Protection Law were passed within two months in 2021. These three laws are said to be the basis of China’s policies on data protection. Each of them is interconnected, and it is thereby essential to understand their purposes and relations: –
a) The Cybersecurity Law does not focus too much on data protection; it instead provides for essential obligations to be followed by data operators and comprehensively discusses critical information infrastructure operators. The Data Security Law deals with data protection by providing data classification and hierarchical systems and additional obligations.
b) The Data Security Law has clarified that non-critical information infrastructure operators need not follow the Cyber Security Law for cross-border data transfers, clearly establishing both laws’ scope.
c) The Personal Information Protection Law[14] acts as the privacy law for China. Recently, China released its provisions on Car Data Security Management[15] that not only clarified specific terms in the Data Security Law but was also drafted in consonance with The Personal Information Protection Law.
China has been regularly coming up with more rules that connect the three pillars, thereby establishing a robust legal system.
Analysis
The following are the areas that stand out in the law: –
a) The law uses vague terms such as national security, public interest, and so on to measure certain requirements necessary for maintaining and protecting data. This is not surprising as apart from addressing consumer concerns through these laws, China has constantly been leveraging laws to address its concerns of its population moving away from party ideologies. This is also evident in the draft of Recommendations for Internet Information Service Algorithms[16] released on the 27th of August, seeking to regulate internet algorithms.
b) The law has addressed various areas of data protection, such as classifying types of data with specific parameters and setting up a hierarchical data security system. It does seem to be a decision made considering administrative ease rather than a robust, practical application. The effects of such classifications will be better understood once the law is implemented in full scale.
c) The law seems to be relatively robust in addressing breaches and slip-ups through very high penalties. But the practical implementation of the same is yet to be seen.
d) The law also imposes additional obligations similar to the EU GDPR. Though this is a good step, the law required companies to comply with these provisions within the 1st of September, a very short timeline. As of now, there is no information available to indicate the number of companies that have complied with the law. But it is expected that the majority of them would have attempted to do so given the hefty penalties.
e) A lot of principles that are laid down are pretty broad and not sufficiently detailed. While providing for how cross-border data transfer should be carried out, the law does not adequately explain how the companies should obtain the necessary permission.
f) The law has not sufficiently considered the requirements of other countries with respect to cross-border data transfer. Cross-border data transfer cannot happen with a simple request from a foreign jurisdiction as per the law. This has put the companies in a tough spot as providing data without the relevant authorities permission would violate China’s laws, whereas not complying with the request from a foreign jurisdiction could violate that countries laws
Conclusion
The Law is quite rigid and vague in accounting for data protection issues. It has, however, neatly covered various aspects of data protection which other countries have rarely considered.
The Government has also been consistent with releasing new rules and regulations to substantiate the Data Security Law. Nonetheless, with a sudden wave of rules and regulations, businesses and investors will have to focus on revising and redoing their existing models. The law, as such, is quite strong in its procedure. It is not clear whether the practical implementation will be as robust as in the papers. If it turns to be a success, the law has a long-arm reach and could influence legislators in other countries.
Citation
Harinie Seenivasan, Understanding China’s Data Security Law, Metacept-Communicating the Law, accessible at https://metacept.com/understanding-china’s-data-security-law
Resources
[1] Data Security Law of the PC, China Law Translate, retrievable from: https://www.chinalawtranslate.com/en/datasecuritylaw/
[2] Ibid, Article 3.
[3] Ibid, Article 21.
[4] Ibid, Article 45.
[5] Several Provisions on Car Data Security Management (for Trial Implementation), National People’s Congress, retrievable from http://www.cac.gov.cn/2021-08/20/c_1631049984897667.htm
[6] Ibid, Article 46.
[7] Ibid, Article 2.
[8] Jenny Sheng, China Adopts New Data Security Law, Pillsbury Law, accessible at: https://www.pillsburylaw.com/en/news-and-insights/china-adopts-new-data-security-law.html
[9] Cyber Security Law of the People’s Republic of China, New America, retrievable from:https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/
[10] Ibid, Article 37.
[11] Daniel Cohen, et.al, China: Impact of the new China Data Security Law for International Investors and Businesses, Mondaq, accessible at: https://www.mondaq.com/china/data-protection/1095630/impact-of-the-new-china-data-security-law-for-international-investors-and-businesses
[12] Supra note 8.
[13] Ibid.
[14] Personal Information Protection Law of China of the People’s Republic of China, National People’s Congress, retrievable from http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml
[15] Supra note at 5.
[16] Notice of the State Internet Information Office on the “Regulations on the Management of Recommendations for Internet Information Service Algorithms (Draft for Solicitation of Comments )” Public Solicitation of Comments, Cyberspace Administrator of China, retrievable from: http://www.cac.gov.cn/2021-08/27/c_1631652502874117.htm
