China Passes New Data Security Law | Foley Hoag LLP – Security, Privacy and Law
On June 10, 2021, China passed a new data security law that will impact all companies operating or doing business with China. The law, which will enter into force in less than a month (September 1, 2021), is broad in scope, imposes extensive data processing obligations and provides for potentially severe penalties in the event of a breach. While many details surrounding the implementation remain unclear, given the extensive requirements of the law and stiff penalties for non-compliance, companies with a global commercial presence should start planning now.
The official Chinese version of the Data Security Law is available here. Although there is no official English translation yet, an unofficial translation is available here.
The Data Security Law has a wide extraterritorial scope. It governs not only data processing and management activities carried out in China, but also those outside of China that could harm the national security or public interest of China or the legal interests of any Chinese citizen or organization.
Hierarchical categorization of data
The law requires the Chinese central government to establish a categorization and hierarchical data classification system that will govern data based on its importance to China’s economy, national security, and public and private interests. Based on this system, as well as a detailed catalog of “important data” that will be formulated at the national level, each region and department in China will publish its own catalog of “important data”. Details of this system – including a definition of “important data”, which no Chinese law or regulation yet provides – are expected to be spelled out in future implementing rules.
The law also establishes a separate regulatory framework for “national master data”, which it defines broadly as any data “related to [China’s] national security, the lifeline of the national economy, important to people’s livelihoods and important to the public interest.” This data is subject to stricter processing regulations, although these regulations are not specified in the law, and violators will be subject to more severe penalties. Given the vague scope of this category (which allows for flexible interpretation by government officials), it is currently unclear how a company will be able to review its data processing activities to identify and protect “national master data”.
Obligations for companies
The Data Security Law imposes extensive obligations on entities and individuals engaged in data processing activities. In addition, the law defines “data processing” in a broad sense; it regulates any “collection, storage, use, processing, transmission, provision and public disclosure” of “any recording of information in electronic or other form”.
The law specifies many obligations that entities must fulfill. These obligations include:
- Establish a data security management system, adopt the necessary measures to protect data security and provide data security training;
- Monitor potential risks and, in the event of discovery of an incident or security defect, promptly inform users and adopt corrective measures;
- Comply with data security requirements under the Multi-Level Protection System (MLPS), for all entities that process data on the Internet or other information networks. MLPS, established under China’s Cyber Security Law of 2017, is a classification system for companies physically located in China. In short, the MLPS places different levels of security requirements on network operators depending on the impact a security incident would have on China’s national security, social order, or public interest.
The more sensitive the data processed, the more stringent a company’s data security obligations. For example, in addition to having to obey strict processing restrictions for “basic national” data, entities that process “important data” must appoint a data security officer, establish a data security management department, perform periodic assessments to monitor potential risks, and report findings to the relevant government agencies.
Those who violate their obligations under the Data Security Law face severe penalties. Chinese authorities can impose fines of up to 500,000 yuan (about $77,000 in today’s dollars) on non-compliant entities, impose additional fines on those responsible, and impose corrective measures. If an entity does not take corrective action after receiving a warning, or if a security incident results in serious consequences (such as a large-scale data breach), the entity faces fines of up to 2 million yuan ($309,000), as well as the potential suspension of its activity and the revocation of its operating license.
In accordance with the emphasis of the Chinese National Security Law, violators face the most severe penalties regarding “basic national data.” Entities that misuse this data can be fined up to 10 million yuan ($1,545,000), be forced to cease operations, have their business licenses revoked, or be subject to criminal sanctions. The law also imposes penalties on entities that do not cooperate with Chinese authorities’ data requests for law enforcement or national security matters.
Cross-border data transfers
For cross-border transfers of “important data”, the Data Security Law creates separate frameworks for Critical Information Infrastructure Operators (CIIOs), defined in the Chinese Cyber Security Law of 2017 as the operators of key industries whose data could pose a major risk to Chinese national security or the public interest in the event of damage or loss, and for non-CIIOs. CIIOs must adhere to the requirements of the Cybersecurity Law of 2017, while non-CIIOs must follow rules that have not yet been issued by the relevant state agencies.
Notably, the law expressly prohibits the transfer of any data “stored in China” to foreign judicial bodies or law enforcement agencies without the prior approval of “competent authorities” within the Chinese government. Neither the “competent authorities” nor the details of the approval processes are specified in the law, but entities that violate this requirement face fines of up to 1 million yuan ($155,000), with additional fines for those responsible. Entities whose violations result in “serious consequences” receive more severe penalties, including fines of up to 5 million yuan ($773,000), as well as potential suspension of the company and revocation of its license.
These transfer bans will have a significant impact on cross-border disputes and other legal proceedings. For example, although the law does not specify what it means for the data to be “stored in China,” the law ostensibly applies to Chinese parties involved in civil cases in foreign courts; these parties may need to submit data as evidence in the proceedings, but they will need the approval of the Chinese authorities to do so.
Additionally, the transfer bans create uncertainty for companies that are legally required to submit data to foreign authorities. Companies established in China that offer goods or services to data subjects in the European Union (EU) are subject to the EU’s General Data Protection Regulation (GDPR), which allows EU supervisory authorities to request data in the exercise of their enforcement powers. China’s Data Security Law requires these companies to obtain approval from the Chinese government before transferring data in response to GDPR enforcement requests. The approval process can be excessively long or unsuccessful, and thus a business can find itself caught between the requirements of Chinese law and those of the requesting country. The Data Security Law does not provide any guidance for companies looking to overcome this dilemma, and it is unclear whether the implementing rules that are yet to be released will resolve the issue.
As noted above, this law will come into force on September 1, 2021. Although the Chinese government is expected to issue implementing regulations that will explain unresolved details and procedures, it is unclear whether this will happen before the deadline.
Many of the law’s requirements appear comparable to those of other data security laws, especially the GDPR; for example, both typically require companies to implement appropriate measures to protect data security, notify users in the event of an incident, and designate responsible agents (although the GDPR requires agents in a variety of situations, while the Data Security Law only requires agents for entities handling “important data”). But in many ways, the requirements of the Data Security Law are more extensive than those of the GDPR; for example, the new Chinese law governs not only the personal data of Chinese citizens, but also data important to China’s national security and economy, and it imposes much stricter data transfer restrictions than the GDPR. While many key implementation details remain unclear, companies doing business in China and with China should start examining their data processing activities for risks of non-compliance.
* Many thanks to Summer Associate Ray Lefco for providing us with the underlying research for this post.