Since the Cybersecurity Law took effect in 2017, China's legislation and new compliance requirements aimed at protecting personal privacy, data security and network security have drawn close attention from enterprises engaged in e-commerce and from those whose operations rely on the Internet, big data and network users.
On July 4th, 2021, the Cyberspace Administration of China publicly launched a network security examination procedure against enterprises for the first time, including the leading ride-hailing service "DiDi Chuxing", announcing that DiDi "has serious problems in collecting and using private information, which violates laws and regulations". The Administration ordered the app's removal from app stores, suspended new user registration and required rectification, sending a strict regulatory signal.
On June 10th, 2021, the Standing Committee of the National People's Congress passed the Data Security Law of the PRC, which will come into force on September 1st, 2021, marking an acceleration in the legislative process of China's network information security legal system. Although the Administration cited the Cybersecurity Law as the legal basis for the aforementioned network security examination against DiDi, it is foreseeable that in future cases the Data Security Law will carry no less weight than the Cybersecurity Law.
The Data Security Law mainly governs all data handling activities within the territory of the People’s Republic of China, including data collection, storage, use, processing, transmission, provision, and disclosure. If the data handling activities may also harm the national security, public interests, or the legitimate rights and interests of citizens or organizations of the People’s Republic of China, the jurisdiction may extend to overseas individuals or entities. Almost all enterprises relying on the Internet, big data, and the private information of users for their operations will be affected by the law.
The adoption of the Data Security Law marks a further step in China's data security supervision framework since the Cybersecurity Law came into effect and laid the foundation for the relevant legal system. The Data Security Law is subordinate to the National Security Law; it will serve as a basic and guiding legal document and become the legal basis for a series of follow-up laws. In the future, the Data Security Review and cross-border data transfer systems stipulated by the Data Security Law will be linked with and supplemented by laws and regulations such as the Cybersecurity Law (2017), the Personal Information Protection Law (currently a draft undergoing its second deliberation) and the Measures for Evaluating the Security of Transmitting Personal Information and Important Data Overseas (Draft).
Regulating Data Transactions
For the first time, the Data Security Law specifies that the data trading system shall be established and governed by the State, while also standardizing data transaction activities within that market. This means that, for the first time in legislation, the legitimacy of data transactions and of data transaction service providers has been recognized. Government-led big data exchanges have already been established in Beijing, Shanghai, Shenzhen and elsewhere. We expect data transactions to become more regulated while also enjoying more rational and profound development.
Department in Charge
The Data Security Law expands the authority over these affairs from the network information department to the national security department. Specifically, the National Security Commission will create a coordination mechanism to coordinate all regions and departments in legal enforcement, while the National Network Information Department remains in charge of network data security and related regulatory work for overall planning and coordination.
The supervision and management of Data Security will become an important part of China’s national security protection and all enterprises should strengthen their communication with the relevant competent departments, and timely and effectively improve their internal data security system governance.
Expectation on the Compliance of Enterprises
Under the Data Security Law, those conducting data handling activities, whether enterprises or individuals, shall fulfill data security protection obligations, data security reporting obligations and data security risk assessment obligations.
At its core, the Data Security Law requires data processors to treat national security and the public interest as the foremost consideration when conducting data handling activities, and heightened management and protection measures must be established for National Core Data that bears on national security, the lifelines of the national economy, people's key livelihoods and major public interests.
More specifically, Article 27 of the law stipulates that data processors should “establish and perfect a data security management system across the entire workflow, organize and conduct data security education and training, and adopt the corresponding technical measures and other necessary measures to ensure data security.” Meanwhile, “Those handling important data shall clearly specify responsible personnel and management bodies for data security and fully implement data security protection responsibilities.”
What's more, the Data Security Law limits cross-border data transfers made for foreign judicial or law enforcement purposes and requires such transfers to be approved by the relevant authorities.
Compared with the Cybersecurity Law, which only requires critical information infrastructure operators to conduct security review and evaluation of cross-border data transfers, the Data Security Law also introduces security review and evaluation obligations for general data processors when important core data is concerned; that is to say, ordinary enterprises that engage in any data handling activities must also implement internal data security controls for compliance.
According to Article 31 of the Data Security Law, the requirements for data security governance will follow laws and regulations separately stipulated by the competent authorities. As these supporting laws and regulations have not yet been promulgated, supervision and compliance requirements have not yet been tightened; the trend, however, has been set.
Under the Data Security Law, if an enterprise fails to fulfill the aforementioned obligations, including the reporting and risk assessment obligations, it will under normal conditions face liabilities such as an order to correct, a warning, and a fine from RMB 50,000 up to 500,000. The individual directly in charge may face a fine from RMB 10,000 up to 100,000. If the circumstances of the failure are deemed serious, the enterprise may face an order to suspend business, revocation of its license or business certificate, and a fine from RMB 500,000 up to 2,000,000. The individual directly in charge may face a fine from RMB 50,000 up to 200,000.
Meanwhile, if obligations related to cross-border data transfers are violated, the enterprise may face a fine of up to RMB 5 million, with a fine for the individual in charge of up to RMB 500,000; if the rules of the management system for core data of the State are violated and harm is caused to national sovereignty, security and development interests, the enterprise may face a fine of up to RMB 10 million, with a fine for the individual in charge of up to RMB 1 million.
The specific circumstances on applying the aforementioned liabilities are to be separately promulgated by the relevant administrative regulations and measures.
In general, the Data Security Law is strongly anchored in national security, with the relevant implementation measures to be promulgated in the future. Nevertheless, it is now vital for domestic enterprises to treat data compliance as a key factor on their agenda for product design and market layout. An important part of that compliance will be coordination with the State in building data classification and protection systems, and the establishment of internal data management control mechanisms.