On June 10, 2021, China adopted the new Data Security Law ("DSL") which took effect on September 1, 2021.
Together with the Cybersecurity Law (effective since June 1, 2017) and the new Personal Information Protection Law (which will come into force on November 1, 2021), the Data Security Law will serve as one of the three fundamental and framework laws regulating cybersecurity and data security protection in China.
The primary purpose of the DSL is to regulate data processing activities, guarantee data security, promote the development and utilization of data, protect the legitimate rights and interests of individuals and organizations, and safeguard the sovereignty, security and developmental interests of the State.
The term "data" refers to any recording of information by electronic or other forms meaning that in addition to digital and cyber information, information recorded in other forms also constitute data.
Data processing activities includes, but not limited to, the collection, storage, use, processing, transmission, availability and disclosure of data.
Data security refers to the adoption of necessary measures to ensure the effective protection and legal use of data, and the capability to guarantee the continuous security of data.
Below some of the key points as they are descripted in the law:
Data Categorization
The DSL establishes a data classification and hierarchical protection system to protect data by classification and level, depending on the importance of the data in economic and social development, and the damage caused to national security, public interests, or the legitimate rights and interests of individuals and organizations if the data is falsified, damaged, disclosed, illegally obtained or illegally used.
For example, data concerning national security, lifelines of the national economy, important people's livelihood, major public interests, etc. are core data of the State, and are subjected to a stricter protection and supervision.
Violation of the national core data management system or any activities that endanger China's national security and development interests can be subject to fine, suspension of business, revocation of business licenses, and in certain severe cases, criminal liability.
Obligations for Business Operators
Business Operators that carry out data processing activities must establish and improve a whole-process data security management system, organize data security education and training, and take corresponding technical and other necessary measures to ensure data security.
If a Business Operator fail to satisfy these requirements, this might lead to a fine or, in severe cases, the revocation of the business license
Processors of important data are required to regularly carry out risk assessments on their data processing activities on a regular basis and submit a risk assessment report to the relevant competent authority. The risk assessment report shall include the types and quantities of important data processed, information on data processing activities carried out, data security risks faced and countermeasures therefor.
All regions and departments should, under the data classification and hierarchical protection system, determine the specific catalogue of important data for their respective regions and departments.
Cross-border data transfer
For the cross-border transfer of important data, the DSL state that this matter should be regulated by the Cybersecurity Law and distinguishes the requirements on operators of critical information infrastructure (CII) from those that are not.
According to the Cybersecurity Law, CII refer to information infrastructure in important industries and sectors (such as public communications, information service, energy, transportation, water conservancy, finance, public service and e-government) and other information infrastructure that - once damaged, disabled or subject to a data leak - may severely threaten the national security, national economy, people's livelihood and public interests.
CII operators must comply with the cross-border data transfer rules established under the Cybersecurity Law, which require CII operators to locally store important data that is collected or generated in China. Whenever such data needs to be transferred overseas, a security assessment has to be performed.
Moreover, if there is a request made by foreign judicial or law enforcement authorities for the provision of data, no organization or individual within the territory of the People's Republic of China may provide foreign judicial or law enforcement authorities with the data stored within the territory of the PRC without the approval of the competent authorities.
Data trading process
For the first time, the DSL puts forwards some formal requirements on the data trading process on platforms that act as an intermediary service provider that provide a trading platform for data suppliers and data demanders.
An institution engaged in data transaction intermediary services shall require the data provider to explain the data source (meaning that the data is not acquired by theft or other illegal means), examine the identities of both parties to the transaction (Both parties should be legal organizations or natural persons), and keep the examination and transaction records.