On 10 June 2021, almost a year after the release of its first draft, China's National People's Congress Standing Committee passed the Data Security Law ("DSL") after its third reading. The DSL will take effect on 1 September 2021, leaving organisations less than three months to familiarise themselves with, and get ready for, one of the most significant pieces of PRC law in the data protection field. The first and second drafts of the DSL were released by the highest PRC legislative body on 28 June 2020 and 29 April 2021 respectively; you can find the key takeaways of the first draft and the main changes introduced by the second draft in our previous newsletters (available here and here).
What are the Key Changes under the Finalised DSL Compared to the Second Draft?
It may be a relief to many that the redline version against the second draft is less colourful than one might expect: the amendments are not sweeping. Nevertheless, the following key revisions should be noted:
A new concept of "National Core Data"
According to the second draft of the DSL, the central government is tasked with establishing a national-level data categorisation and classification system based on the importance of the data to national security and the public interest, and on the level of impact that any leak, tampering, damage or illegal acquisition of the data may have on national security, the public interest or the lawful rights and interests of citizens or organisations. At the regional and sectoral level, regulators are tasked with issuing specific catalogues identifying the scope of "important data" in their respective regions or sectors, based on the national-level system. This central/regional-and-sectoral structure of the data categorisation system remains unchanged in the finalised DSL.
What has been added in the final DSL is the concept of "national core data", which refers to data concerning national security, the lifeline of the national economy, people's livelihoods and major public interests. Article 21 provides that a "more stringent regulatory system" shall be implemented for such national core data. However, the DSL does not elaborate on what that stringent regulatory system would be, except that, with regard to penalties, the authority may impose a fine of up to RMB 10 million on top of other penalties for a violation of the requirements relating to national core data. It is expected that further clarification and rules, in particular on the parameters of "national core data" and the relevant "stringent regulatory system", will be released in subsequent implementing rules.
Handling Data Requests from Foreign Judicial or Law Enforcement Organs
Some changes have been introduced to the provision on how to handle data requests from foreign judicial or law enforcement organs. According to the first draft, if a foreign judicial or law enforcement authority requests access to data stored in China, such data should not be provided unless (i) approval has been obtained from the competent government authority, or (ii) a relevant international treaty applies. The second draft introduced a penalty clause for violation of this requirement, which included the issuance of rectification orders, warnings, a fine of up to RMB 1 million on the organisation and a fine of up to RMB 200,000 on the person in charge and other directly responsible personnel.
Under the final DSL, the requirements and corresponding penalties have been further tightened, specifically:
- Approval is required for all kinds of data provision: the current drafting of the DSL appears to suggest that approval from the competent government authority is required for all kinds of data provision to foreign judicial or law enforcement organs, including those covered by international treaties or agreements to which China is a party. The competent authority shall handle the data request in accordance with such treaties or agreements, or under the principle of equality and mutual benefit. It is unclear how the authorities will handle such requests in practice.
- More stringent penalties: the final DSL imposes additional penalties for breaches that lead to serious consequences, including a fine of up to RMB 5 million on the organisation and a fine of up to RMB 500,000 on the responsible personnel.
The above requirements under the DSL could place MNCs in an awkward position: compliance with a foreign authority's data access request may lead to a violation of PRC law, while non-compliance with the request may result in a violation of the relevant foreign laws or court orders.
Confidentiality Obligations of the Competent Authority
State authorities are bound by the DSL just as private parties are. In addition, the final DSL specifically sets out additional circumstances in which competent authorities are bound by duties of confidentiality. These include the case where individuals and organisations file a complaint regarding a breach of the DSL and, more generally, personal information, trade secrets, confidential business information and other data that come to the authority's knowledge in the performance of its duties. These additional obligations will help safeguard the interests of individuals and organisations during administrative enforcement actions and related procedures.
Consideration for the Needs of the Elderly and the Disabled
The final DSL adds a new and interesting clause: in developing and improving "intelligent/smart public services", the needs of the elderly and the disabled should be fully considered so as to avoid creating obstacles to their daily lives. This appears to be the first time that a PRC data protection law has explicitly called out the needs of the elderly and the disabled. It is significant given the DSL's position in the legislative hierarchy, as a high-level statute providing policy and directional guidance.
Relationship with the PIPL and the CSL
As outlined in our newsletters, the DSL, together with the PIPL (which is expected to be released this year), represent the two most critical and highly anticipated laws in the area of data protection in 2021, almost four years after the PRC Cyber Security Law ("CSL") took effect in 2017. The CSL, the DSL and the PIPL will be the three pillars of the Chinese data protection legislative system and together form an overarching framework governing data processing and cybersecurity issues.
- The CSL is the first comprehensive legislation forming the backbone of data protection from a perspective of cyber security. It stipulates cyber security obligations for "network operators" and "critical information infrastructure operators" ("CIIOs") in China.
- While the CSL touches upon data security, it remains general and lacks a framework for data security governance. In response, the DSL has now been adopted to further enhance data security by establishing a fundamental, categorised data security system applying to potentially all data processing activities, regardless of whether they take place online or offline.
- Unlike the security-centric requirements under the CSL and the DSL, the PIPL focuses on the protection of personal information and the safeguarding of the rights of personal information subjects. The DSL will likely also apply to personal information, given that Article 53 of the finalised DSL states that the processing of personal information will "also" need to comply with other laws and regulations. This suggests that, on the one hand, processing of personal information is covered under the DSL and, on the other, more specific rules governing personal information will be set out separately under the yet-to-be-finalised PIPL.
The gloves are off. Companies doing business in China should, if they have not already, take active and prompt action to assess whether and how the DSL applies to their data processing activities within and outside China, and what further data security governance measures they should put in place, before the DSL takes effect on 1 September 2021. Below we set out a quick checklist that companies may use as an initial compliance assessment during the short transition period:
- Have you classified the data you process? Although definitive catalogues are still pending, you may start to consider whether any data you process is likely to be viewed as "national core data", "important data" and/or "personal information".
- Where the data you process falls into those highly regulated categories of data, have you put in place relevant protection measures and procedures accordingly per the DSL and other applicable sectoral and industrial rules and guidelines? For example, do you have in place periodic risk assessments for the processing of "important data"?
- Have you adopted measures to minimise your data processing security risks, and emergency plans to respond to data security incidents?
- Have you identified any data processing that may be subject to the national security assessment?
- Have you established a data security governance system within your company? For example, have you carried out relevant employee training, followed the Multi-Level Protection Scheme to grade your network system, appointed a person-in-charge for data security, etc.?
- Do you export data outside China? Be ready for further details on cross-border data transfer requirements by having a clear understanding of your company's data flows.
- Have you put in place measures and mechanisms to respond to authorities’ requests to access data you hold?
Nevertheless, unresolved issues remain and further clarification would be most welcome, for example on the pending data classifications and "important data" catalogues, on the stringent requirements applicable to national core data, and on the absence of requirements relating to the export of "important data", in particular for non-CIIOs, to name a few. It is worth noting that the "Data Security Management Regulations" and the "CIIO Security Protection Regulations" have been included in the State Council's legislative agenda for 2021. Companies should therefore keep monitoring the regulatory development of the implementing rules following the promulgation of the DSL.