Coming soon? The Second Draft of the PRC Data Security Law Released

The second draft of the PRC Data Security Law ("Second Draft DSL") was released on 29 April 2021 for public comment; the consultation period runs until 28 May 2021. As discussed in our previous article on the first draft of the DSL ("First Draft DSL") issued in July 2020, the Data Security Law ("DSL") and the Personal Information Protection Law ("PIPL", the second draft of which was released on the same day as the Second Draft DSL, as discussed in our latest article) are the two most critical and highly anticipated data protection laws to be promulgated by China's highest legislative body in the near future.

Although the Second Draft DSL does not introduce sweeping changes to the First Draft DSL, some of the changes are nevertheless significant. Since most Chinese laws undergo no more than three readings by the legislative body, the Second Draft DSL is an important indicator of the extent to which the provisions of the current draft will survive into the final law. This newsletter summarises the key changes in the Second Draft DSL.

1. State-level "important data" catalogue

As discussed in our previous article, the First Draft DSL set out the skeleton of a tiered data security system but left the scope of "important data" under that system to be defined by local regulators. By contrast, Articles 20-21 of the Second Draft DSL provide that the "important data" catalogue is to be formulated at State level, with regional and sectoral regulators issuing specific important data catalogues for their respective regions and industries. If finally adopted, this unified State-level approach would be welcomed by organisations, because the published catalogues will help them determine, with greater legal certainty and consistency, whether their data processing in China involves "important data".

2. Emphasizing the MLPS implementation

Article 26 of the Second Draft DSL emphasises that a comprehensive data security management system should be built on the basis of the multi-level protection scheme ("MLPS"), an important set of security requirements enshrined in Article 21 of the Cybersecurity Law ("CSL"). Since the CSL took effect in 2017, regulators have released a number of rules and guidelines on the MLPS, and businesses have been penalised for failing to comply with it. By restating the MLPS, the Second Draft DSL reinforces the trend towards tighter enforcement of MLPS implementation. Businesses are recommended to self-assess whether any gaps exist in their compliance with these requirements.

3. Expanded scope of the cross-border data transfer rules

With respect to the cross-border transfer of important data (which, although highly anticipated, was not addressed in the First Draft DSL), the newly added Article 30 of the Second Draft DSL establishes separate frameworks for the cross-border transfer of "important data" by Critical Information Infrastructure Operators ("CIIOs") and by non-CIIOs: the former must comply with the rules established under the CSL, while the latter must comply with separate rules to be formulated by the Cyberspace Administration of China ("CAC") and the State Council.

As explained in the legislative note, extending the important data export restrictions from CIIOs to non-CIIOs is intended to meet practical needs in data security supervision. This echoes the stricter data export requirements in the draft Data Export Security Assessment Measures and the draft Data Security Management Measures, released in 2017 and 2019 respectively. However, until the important data export rules for non-CIIOs are clarified, businesses will face considerable legal uncertainty over their export of important data.

4. Enhanced Penalty

Article 44 of the Second Draft DSL significantly enhances the penalties for violating data security obligations in three respects:

  • firstly, the maximum fine on an enterprise for violating data security obligations is increased from RMB 1 million (approximately USD 156,000) to RMB 5 million (approximately USD 780,000), and the maximum fine on persons directly responsible for the breach is increased from RMB 100,000 (approximately USD 15,600) to RMB 500,000 (approximately USD 78,000);
  • secondly, while the First Draft DSL imposed personal liability only on "directly responsible managerial persons" (直接负责的主管人员), the Second Draft DSL extends personal liability to "other directly responsible persons" (其他直接责任人), suggesting that not only employees in managerial positions but also staff further down the line may be personally liable; and
  • thirdly, the Second Draft DSL adds further categories of penalty for severe breaches: an enterprise that refuses to take corrective measures, or whose breach has caused a large-scale data leak or other serious consequences, may be ordered to suspend its business or suspend business for rectification, or have its relevant permit or business licence revoked.

In addition, the Second Draft DSL adds two new provisions penalising conduct in relation to the provision of data, from opposite angles: an enterprise will be punished for failing to cooperate with PRC authorities' data access requests, and will also be punished for providing data to foreign law enforcement agencies without the approval of the PRC authorities.

Observation

The Second Draft DSL emphasises that "data protection" in China extends beyond personal data protection, and that "important data" protection must also be considered. As a whole, the Second Draft DSL responds to some key and hot-button issues and tightens the provisions of the First Draft DSL, as evidenced by, for example, further regulation of the export of "important data" by both CIIOs and non-CIIOs, enhanced penalties and tighter restrictions on the provision of data to overseas law enforcement agencies. Nevertheless, some issues remain unresolved, notably the absence of "important data" export rules, in particular for non-CIIOs. While further clarification would be most welcome to enable companies to understand and comply with the new law, it appears that the finalised DSL will be coming soon.
