Data is considered a fundamental resource in China and data security has become a major issue related to national, economic, and social development. Aiming to protect national interests, the new Data Security Law was passed by Chinese authorities in June 2021, coming into force on September 1st, 2021.

The purpose of the Law is to regulate a wide range of issues related to data activities. These issues include the collection, storage, use, exchange, and publication of any kind of data.

Below are some highlights of the Law.

Extraterritorial effect and cross-border data transfer requirements

The Data Security Law has broadened the extraterritorial jurisdiction previously provided by the Network Security Law, applying to data activities conducted both in the PRC and abroad.

According to the Cybersecurity Law, data collected and generated by critical information infrastructure operators are bound to be stored within the territory of China. With the Data Security Law, whenever such data needs to be transferred overseas, a security assessment should be performed first.

Moreover, the DSL stipulates that any provision of data stored in the PRC that is made in response to a request by any foreign judicial body or law enforcement authority will be subject to the prior approval of the competent authority. Entities or individuals failing to comply could be fined up to RMB 5 million for enterprise and RMB 500,000 for an individual.

Compliance obligations and data management systems

The Law imposes the following obligations on entities and individuals carrying out data activities:

Establish a data security management system, carry out security training, and implement necessary security measures;
Strengthen risk monitoring procedures and notify users and authorities of security incidents;
Regularly conduct risk assessments of the data activities for processors of important data, and report results to related authorities.

According to Article 21, authorities will establish a categorical and hierarchical system for data protection which will be based on the importance of the data in economic and social development as well as the extent of harm to public security and interest.

Data related to national security, economy, and major public interests are considered core state data. For this kind of data, a stricter management system will be implemented.

Each region and department shall determine the catalog of important data based on the categoric and hierarchical protection system.

Compliance for data intermediary service providers

The new Law has clarified some requirements on data trading procedures for intermediary platforms such as Tianyancha, Qichacha, Tianyuan Data, etc. Intermediary service providers shall be required to explain the data’s source, shall review and verify the identities of both parties to the transactions, and store records of the verifications and transactions.

Penalties

For entities and individuals failing to comply with the Law, the penalties imposed could be severe. Corporates could be fined up to RMB 10 million and face potential criminal penalties, while individuals directly responsible could be fined for up to RMB 1 million and face potential criminal penalties. It is therefore essential for companies and individuals to start making necessary changes to remain complaint.

Key takeaways

While the new Law is strengthening data protection in China, this is still a general outline for data security procedures and more specific laws are expected to follow and clarify further requirements.

It is however worth noting how conducting regular cybersecurity audits and implementing the appropriate data risk management systems for companies and individuals in China will become increasingly important.

Orcom C&A will keep you promptly updated on the developments related to the Data Security Law. In the meantime, please contact our legal department for any questions related to this topic.