China Adopts New Data Security Law – Technology – China – Mondaq News Alerts

On June 10, 2021, China adopted a new Data Security Law that
will impact every business operating in or doing business with
China. The law, which will take effect in less than a month
(September 1, 2021), is sweeping in scope, imposes extensive data
processing obligations, and establishes potentially severe
penalties for violations. Although many of the details surrounding
implementation remain unclear, given the law’s extensive
requirements and severe penalties for noncompliance, companies with
a global business presence should begin planning now.

The official Chinese version of the Data Security Law is
available here. Although no official English translation
yet exists, an unofficial translation is available here.

Extraterritorial Jurisdiction

The Data Security Law has broad extraterritorial reach. It
governs not only data processing and management activities
conducted within China, but also those outside of China that would
harm China’s national security or public interest or damage the
legal interests of any Chinese citizen or organization.

Hierarchical Data Categorization

The law calls for China’s central government to establish a
hierarchical data categorization and classification system that
will govern data in accordance with the data’s importance to
China’s economy, national security, and public and private
interests. Based on this system, as well as a detailed catalogue of “important data” that will be formulated at the national
level, each region and department in China will issue its own
catalogue of “important data.” The details of this system
– including a definition of “important data,” which no
Chinese laws or regulations yet provide – are expected to be laid
out in future implementing rules.

The law also carves out a separate regulatory framework for “national core data,” which it broadly defines as any
data “related to [China’s] national security, the
lifelines of the national economy, important to people’s
livelihood, and important to the public interest.” Such data
are subject to stricter processing regulations, although these
regulations aren’t specified in the law, and violators will
face increased penalties. Given the vague scope of this category
(which allows for flexible interpretation by government officials),
it is currently unclear how a business will be able to review its
data processing activities to identify and protect “national
core data.”

Obligations for Businesses

The Data Security Law imposes extensive obligations on entities
and individuals engaged in data processing activities. Moreover,
the law defines “data processing” broadly; it regulates
any “collection, storage, use, processing, transmission,
provision, and public disclosure” of “any record of
information in electronic or other forms.”

The law specifies numerous obligations that entities must
fulfill. These obligations include:

  • Establishing a data security management system, adopting
    necessary measures to safeguard data security, and conducting data
    security training;
  • Monitoring potential risks and, in the event of discovering a
    security incident or defect, promptly notifying users and adopting
    remedial measures;
  • Complying with data security requirements under the Multi-level
    Protection Scheme (MLPS), for all entities that process data over
    the Internet or other information networks. The MLPS, established
    under China’s 2017 Cybersecurity Law, is a
    classification system for companies physically located in China. In
    brief, the MLPS imposes varying levels of security requirements on
    network operators based on the impact that a security incident
    would have on China’s national security, social order, or
    public interest.

The more sensitive the data being handled, the more stringent a
company’s data security obligations. For example, on top of
having to obey strict processing restrictions for “national
core” data, entities that process “important data”
must designate a data security officer, establish a data security
management department, conduct periodic assessments to monitor
potential risks, and report results to relevant government
agencies.

Penalties

Those who violate their obligations under the Data Security Law
face severe penalties. Chinese authorities may impose fines of up
to 500,000 yuan (approximately $77,000 in today’s dollars) on
noncompliant entities, issue additional fines to responsible
individuals, and mandate remedial measures. If an entity fails to
adopt remedial measures after receiving a warning, or if a security
incident results in serious consequences (such as a large-scale
data leak), the entity may face fines of up to 2 million yuan
($309,000), as well as the potential suspension of the
business and revocation of the business license.

In line with the law’s focus on Chinese national security,
violators face the steepest penalties where “national core
data” are concerned. Entities found to be mishandling such
data may be hit with fines of up to 10 million yuan ($1,545,000),
forced to cease operations, have their operating licenses revoked,
or be subject to criminal penalties. The law also imposes penalties
on entities that fail to cooperate with data requests from Chinese
authorities for law enforcement or national security matters.

Cross-Border Data Transfers

For cross-border transfers of “important data,” the
Data Security Law creates separate frameworks for Critical
Information Infrastructure Operators (CIIOs) – defined in China’s 2017 Cybersecurity
Law as operators in key industries whose data could pose major
risk to Chinese national security or public interest if damaged or
lost – and non-CIIOs. CIIOs must follow the requirements of
the 2017 Cybersecurity Law, whereas non-CIIOs must follow rules
that have yet to be issued by relevant state agencies.

Notably, the law expressly forbids the transfer of any data “stored in China” to any foreign judicial bodies or law
enforcement agencies without the prior approval of “competent
authorities” within the Chinese government. Neither the “competent authorities” nor the details of the approval
processes are specified in the law, but entities that violate this
requirement face fines of up to 1 million yuan ($155,000), with
additional fines for responsible individuals. Entities whose
violations result in “serious consequences” receive
heavier penalties, including fines of up to 5 million yuan
($773,000), as well as the potential suspension of the business and
revocation of its license.

These transfer prohibitions will have a significant impact on
cross-border litigation and other legal proceedings. For example,
although the law does not specify what it means for data to be “stored in China,” the law ostensibly applies to Chinese
parties involved in civil cases in foreign courts; such parties may
need to submit data as evidence in the proceeding, but will need
the approval of Chinese authorities to do so.

Moreover, the transfer prohibitions create uncertainty for
companies that are legally obligated to submit data to foreign
authorities. Companies established in China that offer goods or
services to data subjects in the European Union (EU) are subject to
the EU General Data Protection Regulation (GDPR), which allows EU
supervisory authorities to request data when exercising their
enforcement powers. China’s Data Privacy Law requires such
companies to obtain Chinese government approval prior to
transferring data in response to GDPR enforcement requests. The
approval process may be prohibitively lengthy or unsuccessful, and
so a company may find itself trapped between the requirements of
Chinese law and those of a requesting country. The Data Security
Law provides no guidance to companies seeking to navigate this
dilemma, and it is unclear whether the yet-to-be-released
implementing rules will address the issue.

Next Steps

As noted above, this law will take effect on September 1, 2021.
Although the Chinese government is expected to release implementing
regulations that will explain unresolved details and procedures, it
is unclear whether this will occur in advance of the deadline.

Many of the law’s requirements seem commensurate with other
data security laws, particularly those of the GDPR; for example,
both generally require that firms implement appropriate measures to
safeguard data security, notify users in the event of an incident,
and designate responsible officers (although the GDPR requires
officers for a variety of situations, whereas the Data Security Law
only requires officers for entities processing “important
data”). But in many respects, the Data Security Law’s
requirements are more expansive than those of the GDPR; for
example, China’s new law governs not only the personal data of
Chinese citizens, but also data important to China’s national
security and economy – and it has much stricter data
transfer restrictions than the GDPR. Although many key implementing
details remain unclear, companies doing business in and with China
should begin reviewing their data processing activities for
noncompliance risks.

*Many thanks to summer associate, Ray Lefco, for providing us
with the underlying research for this post.



Author: Data Privacy Channel