Cybersecurity & the New Data Security Law of the People’s Republic of China.

What Companies Need to Know Now About Current Compliance Requirements.

The Data Security Law of the People’s Republic of China 中华人民共和国数据安全法 (the “Data Security Law” or “DSL”) was passed at the 29th meeting of the Standing Committee of the 13th National People’s Congress on June 10, 2021. The law will enter into force on September 1, 2021.

According to Section 1 of the DSL, the purpose of this law is

  • to regulate data processing activities,
  • to guarantee data security,
  • to promote data development and usage,
  • to protect legitimate rights and interests of individuals and organizations and
  • to maintain China’s national sovereignty, security and development interests.

The Data Security Law is divided into a total of seven chapters and 55 paragraphs. The key provisions primarily concern

  • data security regulations on national and local government levels,
  • data security obligations for data processors along with
  • the penalties for violations.

Alongside the Chinese Cybersecurity Law 中华人民共和国网络安全法, which was adopted in 2017, and the Personal Information Protection Law 中华人民共和国个人信息保护法, which is currently being revised, the enactment of the Data Security Law underlines the establishment of a fundamental legal framework for data and information security in China.

Application – also outside China

Section 2 of the DSL stipulates that the law shall apply to all data processing activities carried out in the territory of the People’s Republic of China (including Hong Kong and Macau). With regard to extraterritorial application, the DSL also stipulates that specific data processing activities outside the People’s Republic of China may incur legal liability. This pertains to operations detrimental to national security or the public interests of the People’s Republic of China or the legitimate rights and interests of Chinese citizens or Chinese organizations.

Important terms

  • Data
    Section 3 of the DSL contains a comprehensive definition of the term “data”: “Data in the sense of this law means all records of information in electronic or non-electronic form.” This means that, in addition to “network data” as defined in the Cybersecurity Law, the data category also includes “records of information by other means”. Under this definition, information archived in paper form and other written records of information are also “data”. The uniform treatment of electronic data and other forms of recorded information under the DSL has major practical implications.
  • Data processing
    Data processing includes the collection, storage, use, processing, transmission, provision and disclosure of data.
  • Data security
    Data security means ensuring that data is effectively protected and used only for lawful purposes, and that this state of security is maintained continuously by implementing the necessary measures.

Data security level

Section 21 of the DSL aims to establish a system of classifying and rating data on the national level in China. However, the DSL itself does not contain detailed instructions regarding how to classify data and implement the classification and protection levels.

Nevertheless, a definition of critical national data can be derived from Section 21 (2) DSL. Accordingly, critical national data is data that relates to national security, the national economy, important basic human needs, as well as important public interests. Correspondingly, this data is subject to a stricter administrative system.

In addition, Section 21 DSL requires that the local Chinese government and local Chinese authorities establish a specific catalog of important data in their region, department and in the relevant industries in accordance with the national data classification and protection level system. As a consequence, this enables the local government to flexibly adapt the protection of important data based on the varying requirements. At the same time, this also means that the local government has extensive freedom when it comes to classifying the data.

Focus on cross-border data transfer

  • Control
    The DSL also contains strict regulations governing cross-border data transfer. According to Section 25 of the DSL, the Chinese government controls the cross-border transfer of data relating to controlled goods as defined in the Export Control Law, in order to uphold national security and interests and to fulfill the international obligations of the People’s Republic of China.
    Moreover, Section 31 DSL regulates the cross-border transfer of data collected by critical information infrastructure. Data collected and obtained by companies in China continues to fall within the scope of Section 37 of China’s Cybersecurity Law. In addition, security management for important data has been introduced. The Cyberspace Administration of China is authorized to cooperate with the responsible department of the State Council to define suitable security management measures for cross-border data transfer.
    Section 36 of the DSL also clearly states that organizations and individuals are not allowed to disclose data stored in China to foreign judicial or law enforcement authorities without the approval of the responsible Chinese authority.
  • Fines
    Companies violating the DSL’s provisions by unlawfully transferring important data abroad face fines of up to 10 million yuan (approximately 1.3 million euros).

Measures to counter foreign “data discrimination”

To respond to foreign legislation and law enforcement, Section 26 of the DSL provides for countermeasures against “data discrimination”. According to the Chinese government, other countries may impose discriminatory prohibitions, restrictions or similar measures with respect to investment or trade in data and in technologies for developing and utilizing data. In such cases, China can implement appropriate countermeasures depending on the specific circumstances.

What do companies need to do now?

Before the DSL comes into force on September 1, 2021, companies need to identify and understand its requirements and implement measures to avoid, or at least minimize, compliance risks. The requirements arising from the DSL are also consistent with the international information security standard ISO 27001:

  • Management for data security according to Section 27 DSL
    When processing data, companies must set up a data security management system. Section 27 of the DSL also stipulates regular employee training in data security. In addition, a separate area of the management should be responsible for the company’s data security.
  • Regular risk assessments according to Section 30 DSL
    Regular risk assessments regarding the processing of important data are mandatory. The processor must report the result of the assessment to the responsible authority.
  • Compliant data collection according to Section 32 DSL
    Companies should ensure legally compliant data collection. According to Section 32 DSL, the unlawful collection of data by an organization or individual is strictly prohibited.
  • Store important data in China
    Company data may no longer be simply transferred from China to foreign countries, e.g. to locations in the EU or the USA. Therefore, digitally separating business activities in the People’s Republic of China represents a practical solution. For international companies such as Apple, Tesla or Volkswagen, the law means localizing their data.
  • Cooperation with Chinese security authorities according to Section 35 DSL
    Companies are obliged to make their stored data available to the security authorities for the purpose of maintaining state security or investigating criminal acts.

Outlook

In the digitally networked global economy of the 21st century, data security issues are a top priority for states. As a high-tech nation, the People’s Republic of China is one of the most important global players in this field. The current legal situation and the adoption of the new Chinese Data Security Law together with the upcoming Personal Information Protection Law create major compliance challenges when it comes to data processing in China. This not only applies to Chinese companies but also to foreign companies with business activities in China.

Do you have any questions about the Chinese Data Security Law? Do not hesitate to contact us!