On June 10, 2021, almost a year after the release of its first draft, China's National People's Congress Standing Committee passed the Data Security Law ("DSL") after its third reading. The DSL will take effect on 1 September 2021, leaving organizations less than three months to familiarise themselves with and get ready for one of the most significant pieces of PRC law in the data protection field. The first and second drafts of the DSL were released by the highest PRC legislative body on 28 June 2020 and 29 April 2021 respectively, and you can find the key takeaways of the first draft and the main changes introduced by the second draft in our previous newsletters (available here and here).
It may be a relief to many that the redline version against the second draft is less colourful than one may expect: the amendments are not sweeping. Nevertheless, the following key revisions should be noted:
According to the second draft of the DSL, the central government is tasked with establishing a national-level data categorization and classification system based on the importance of the data to national security and the public interest, and on the level of impact that any leak, tampering, damage or illegal acquisition of the data may have on national security, the public interest or the lawful rights and interests of citizens or organisations. At the regional and sectoral level, regulators are tasked with issuing specific catalogues to identify the scope of "important data" in their respective regions or sectors based on the national-level data categorization and classification system. This central/regional-and-sectoral structure of the data categorization system remains unchanged in the finalised DSL.
What has been added in the final DSL is the concept of "national core data", which refers to data concerning national security, the lifeline of the national economy, people's livelihoods and major public interests. Article 21 provides that a "more stringent regulatory system" shall be implemented for such national core data. However, the DSL does not elaborate further on what this stringent regulatory system would be, except that, with regard to penalties, the authority may impose a fine of up to RMB 10 million on top of other penalties for a violation of the requirements relating to national core data. It is expected that further clarifications and rules, in particular on the parameters of "national core data" and the relevant "stringent regulatory system", will be released in subsequent implementing rules.
Some changes have been introduced to the provision governing how to handle data requests by foreign judicial or law enforcement organs. According to the first draft, if a foreign judicial or law enforcement authority requests access to data stored in China, such data should not be provided unless (i) approval has been obtained from the competent government authority, or (ii) a relevant international treaty applies. The second draft introduced a penalty clause for violations of this requirement, which included the issuance of rectification orders, warnings, and a fine of up to RMB 1 million on the organisation and up to RMB 200,000 on the person in charge and other directly responsible personnel.
Under the final DSL, the requirements and corresponding penalties have been further tightened, specifically:
The above requirements under the DSL could potentially place MNCs in an awkward position: compliance with a foreign authority's data access request will lead to a violation of PRC law, while non-compliance with such a request will result in a violation of the relevant foreign laws or court orders.
State authorities are bound by the DSL just as private parties are. In addition, the final DSL specifically includes additional circumstances in which competent authorities are bound by duties of confidentiality. These include circumstances in which individuals and organisations file a complaint regarding a breach of the DSL, and, more generally, personal information, trade secrets, confidential business information and other data made known to the authority during the performance of its duties. These additional obligations will help safeguard the interests of individuals during administrative enforcement actions and related procedures.
The final DSL adds a brand new and interesting clause: in developing and improving "intelligent/smart public services", the needs of the elderly and the disabled should be fully considered to avoid creating obstacles to their daily life. It appears that this is the first time in a PRC data protection regulation where the needs of the elderly and the disabled have been explicitly called out. This is significant in light of the hierarchy of the DSL, which is a high-level legislative piece providing policy and directional guidance.
As outlined in our newsletters, the DSL, together with the PIPL (which is expected to be released this year), represents the two most critical and highly anticipated laws in the area of data protection in 2021, almost four years after the PRC Cyber Security Law ("CSL") took effect in 2017. The CSL, the DSL and the PIPL will be the three pillars of the Chinese data protection legislation system and together form an overarching framework governing data processing and cybersecurity issues.
The gloves are off. Companies doing business in China should take active and prompt action, if they have not already done so, to assess whether and how the DSL applies to their data processing activities within and outside China, and what further data security governance measures they should put in place, before the DSL takes effect on 1 September 2021. Below we set out a quick checklist that companies may use as an initial compliance assessment during the short transition period:
Unresolved issues nevertheless remain, and further clarifications would be most welcome, e.g. the pending data-classification and "important data" catalogues, the content of the stringent requirements applicable to national core data, and the lack of requirements relating to the export of "important data", in particular for non-CIIOs, to name a few. It is worth noting that the "Data Security Management Regulations" and the "CIIO Security Protection Regulations" have been included in the State Council's legislative agenda for 2021. Hence, companies should keep monitoring the regulatory development of the implementing rules following the promulgation of the DSL.