On 28 June 2020, a draft of the Data Security Law of China (“Draft DSL”) was tabled for discussion at the National People’s Congress (“NPC”) Standing Committee for the first time; five days later, on July 3rd, the full text was released to solicit public comments. Two years have passed since it was included in the legislation plan of the NPC in September 2018, and four years since the idea of data security was raised in the Notice on Issuing Action Plan of Promoting the Development of Big Data by the central government. The DSL is expected to be China’s next step in strengthening data regulation. Considering that President Xi Jinping has on many occasions called for accelerating legislation to protect data security, and that its predecessor, the Cybersecurity Law, took only about 16 months from first review to promulgation, the Draft DSL is expected to pass relatively quickly. The legislative process therefore merits close attention.
Internationally, battles over data have intensified and have even become normalized among major nations. The United States intends to strengthen its digital power by using regulatory tools such as export control, the CFIUS regime (foreign investment review) and the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) to control data flows. China needs to take its own stance on data security as well. Accordingly, the Draft DSL responds to how requests for data in cross-border law enforcement under the CLOUD Act should be handled, clarifies the interplay between data security and export control, and contains a very broad provision that allows countermeasures to be taken in response to any discriminatory measures in investment or trade adopted by foreign countries or regions.
Domestically, data protection issues are emerging in large numbers. Although the National Security Law and the Cybersecurity Law contain some doctrinal protections for data, they are far from sufficient. The establishment of a comprehensive and fundamental legal framework for data security has never been more imperative. The Draft DSL attempts to take on this mission. While security is the main theme of the legislation, it also places significant weight on the development of data. The State Council’s proposal in April this year reemphasizes the need to promote data as a fundamental production factor. A standalone chapter focuses on rights and interests in data protection, the development of data governance and mining, and the promotion of a data-oriented digital economy. It also includes a provision encouraging the development of data trading markets while establishing trading norms.
The current draft contains 51 articles in 7 chapters. Key features of the draft legislation and its potential impacts are summarized below.
1. Applicable Scope and Extraterritorial Jurisdiction
The Draft DSL has a broad scope of application, which is supplemented by its definition clauses. Article 2 states that the law applies to any data activity within the territory of China. This article is followed by the definition of “data” as any record of information in electronic or non-electronic form, and the definition of “data activity” as activities such as the collection, storage, processing, use, provision, trading, and disclosure of data. In contrast to the Cybersecurity Law and its implementing rules, which usually focus on personal data or important data, the definitions in the Draft DSL are all-inclusive and thus widen its scope. Compared with the Measures for Data Security Management (Draft for Comments), the Draft DSL broadens the scope of data activities even further, taking a wider view of the data lifecycle.
Additionally, Article 2(2) sets out rules for extraterritorial jurisdiction, stipulating that the law applies to data activities carried out by any foreign organizations or persons, wherever they occur, provided such activities damage national security, public interests, or the rights and interests of Chinese citizens and organizations.
2. Multi-level Enforcement Structure
The Draft DSL, similar to the Cybersecurity Law, appoints several authorities to carry out relevant duties, with an overall coordinator at the central level. However, the new framework has not reduced the structural complexity of data governance in China. According to Article 6 of the Draft DSL, the central national security institution will be the principal data security regulator in China, responsible for the overall planning and coordination of data security work and the relevant supervision and administration. This is consistent with the primary authority under the National Security Law.
Meanwhile, sectoral and regional regulators will assume data security administration duties in their respective industries and regions:
Each regional government or government department will take responsibility for the security of the data it generates, aggregates, or processes;
Sectoral regulators in the fields of industry, telecommunications, natural resources, health, education, national defense technology and finance will supervise data security within their own sectors;
Public security organs and national security organs will undertake data security duties in accordance with other relevant laws and regulations; and
the National Network Information Department – the primary authority under the Cybersecurity Law – will coordinate and supervise Internet data security.
However, given the vagueness of the industrial and geographic boundaries involved in data activities, this allocation of powers may also complicate future enforcement.
3. Data Classification and Protection of Important Data
The Draft DSL stays in line with the Cybersecurity Law and other sectoral guidelines and reiterates the classification and gradation management of data. For example, the so-called “Classified Protection 2.0”, the new cybersecurity classified protection requirements under the Cybersecurity Law, includes requirements on data classification, and sector-specific rules on the classified protection of data exist in areas such as finance and industry. The Draft DSL further clarifies that the standard for such classification is based on “the importance of data in economic and social development, and the degree of harm to national security, public interest, or the legitimate rights and interests of citizens and organizations if the data is tampered with, destroyed, leaked, illegally acquired, or illegally used.”
On top of data classification, processors of important data will bear additional responsibilities. The Draft DSL specifies that a processor of important data must appoint a person in charge of data security and establish a governance structure. In addition, a processor of important data must conduct regular risk assessments and file them with the competent authorities. However, instead of defining what important data is, the Draft DSL authorizes regional governments and sectoral regulators to promulgate catalogues of important data within their own areas of competence.
4. New Regime: Data Security Review Procedure
The Draft DSL sets up a new regime, namely the “data security review”, which could be one of the review systems under the National Security Law. It states that for data activities that influence or may influence national security, a national security review will be conducted and the decision will be final, without judicial oversight. Though it has not been specified what the “data security review” will encompass, it may closely relate to the cybersecurity review (a security review required of operators of critical information infrastructure where the procurement of their “network products and services” implicates China’s national security), or to the security review of cross-border transfers of personal data and important data; both review systems have their basis in the Cybersecurity Law. The details of the data security review will have to await further implementing regulations.
5. Data Trading and Data Exchange
A breakthrough in the Draft DSL is that it is the first statute to declare that data trading systems and data trading markets will be established and improved, while also regulating data trading behaviors. Data trading is formally recognized in the definitions as one of the legitimate “data activities.” For a long time there have been doubts about the legality of data trading due to the lack of clear legal provisions. Though China has had data exchanges in certain places, such as Guiyang and Shanghai, it is unprecedented that the selling and buying of data is removed from a grey area, legalized and even explicitly encouraged by the government. However, the Draft DSL does not define ownership of data. This is expected to take shape as data trading norms develop in practice.
As intermediaries that facilitate data transactions, “data brokers” are also provided for in the Draft DSL and are assigned certain duties. A data broker must require the data seller to explain the sources of the data, verify the identities of the trading parties, and retain audit and transaction records. Otherwise, administrative sanctions may be imposed. Similar provisions have previously appeared in the form of national standards; this time they are included in the law, reflecting the legislators’ special concern about this market.
6. Data Sovereignty and Control on Data Export
Cross-border data flow is an inevitable topic for the DSL to address, and great importance is attached to data access in cross-border law enforcement proceedings. In response to the US CLOUD Act, China passed the International Criminal Judicial Assistance Law in October 2018, which prohibits individuals and organizations from providing any evidentiary material or assistance to foreign enforcement authorities without obtaining the prior approval of the competent Chinese authorities. The Draft DSL reaffirms this position in Article 33, but leaves an opening: where an inter-government treaty states otherwise, such assistance may be provided. On the other hand, China itself may have to collect evidence from data stored overseas. It is worth noting that Article 32 of the Draft DSL also imposes stringent requirements and duties on domestic enforcers and public authorities when accessing data. It states that such enforcement activities shall also be subject to the authorities’ approval in accordance with the law.
So far, data reporting obligations have been discussed more often abroad. Although a similar obligation has been stipulated in some sectoral laws, such as the E-Commerce Law, those regulations mainly focus on financial institutions and platform enterprises rather than individuals. The reaffirmation of this obligation under the Draft DSL may draw increased attention from a wider range of subjects domestically, while more implementing rules are needed to clarify how enforcement authorities will exercise this provision.
In addition, the Draft DSL emphasizes the implementation of export control over data that might be considered controlled items. It echoes the anticipated Export Control Law of China, which is also currently under deliberation at the NPC. Thus, it remains to be seen what kinds of data will be covered under China’s new export control regime.
Finally, following the reciprocity principle, Article 24 empowers the Chinese government to promulgate countermeasures in case any foreign country or region adopts discriminatory measures against China in investment or trade related to data or data-related technologies. This clause may grant the authorities very broad powers in times of international political friction.
7. Open Access to Government Data: New Opportunities for Companies?
The large amount of data held by governments is, without doubt, a valuable asset that can be processed and utilized. Chapter V of the Draft DSL encourages governments at all levels to share information with the public unless disclosure is restricted by law. Unified, interoperable and safe platforms will be established to promote the development of such data. Before this, some regional governments had already implemented local rules to push for government data transparency. The Draft DSL confirms this trend at the national level.
8. Companies’ Obligations in Data Security and their Potential Legal Exposure
All persons and organizations are required to follow the relevant laws, regulations, and national standards when carrying out data activities. These duties include not only those indicated in Chapter IV, e.g. setting up data security management systems, conducting training, and taking safeguard measures (Article 25), but also those that refer to other laws or rules, e.g. how data should be collected lawfully (Article 29). As mentioned above, processors of important data will undertake additional responsibilities as well. The legal consequences of failing to fulfil these safeguard duties are:
fines of up to CNY 100,000 (approximately USD 14,245) for entities, and CNY 50,000 (approximately USD 7,123) for the person in charge; or
where the entity refuses to make corrections or causes serious data leakage, fines of up to CNY 1 million (approximately USD 142,452) for entities and CNY 100,000 (approximately USD 14,245) for the person in charge.
In addition, the Draft DSL introduces two new roles, the “data broker” under Article 30 and the “online data processor” under Article 31, and sets out their corresponding duties. The role of a data broker is described in part (5) above. An online data processor shall obtain the relevant licenses or register in accordance with the law. Otherwise, either of them can face fines of up to ten times the relevant illegal gains or CNY 1 million, and CNY 100,000 for the person in charge. They may even have their business licenses revoked or be banned from the relevant businesses.
9. Looking Forward
Although the Draft DSL mainly codifies macro-level systems and general principles, and largely restates current regulations, it delineates the basic regulatory framework of data security. It echoes the existing Cybersecurity Law and the National Security Law with an emphasis on security. More ambitiously, it will connect with the Personal Information Protection Law and the Export Control Law, which have not yet been introduced, and will establish data security across different fields of law. This interplay will bring intricate compliance duties for companies. At the same time, it also acknowledges and encourages data markets and access to government data, showing that the development of a data-based digital economy will be as important an axis of the DSL as security.