China: New data security laws in China
With online data privacy protection having gone too long without
being a priority, companies should be aware that China is now stepping
up its game with the new Data Security Law (DSL), which was passed on
10 June 2021 and comes into effect on September 1, 2021. Separately,
a draft of the Personal Information Protection Law (PIPL) has also
been in circulation and is expected to be passed and come
into effect at the end of 2021. The official Chinese version can be
and an unofficial English version can be found here.
In contrast to the focus on personal information in the PIPL,
the DSL addresses data of all types with perhaps more emphasis on
the handling of non-personal information. So what does this mean
for you as a company operating and collecting data in or related to
Jurisdiction & Scope
The overarching goal of the law is clear: to more directly
connect data security and national security. The law’s
jurisdiction includes not just data-related activities in China but
also outside of China which could harm China’s national
security, public interest, or the legal interests of citizens and
organizations in China. As mentioned above, many of the specifics
of the law are yet to come, but the mandate is there to include
obligations for building better training, education, and data
security management systems as well as protections and risk
mitigation for cybersecurity and data breaches.
The processing of “important” data must be supervised
by a specific person and company department charged with
maintaining data security, risk assessments, and reporting to the
relevant government authority. Even stricter regulations and
penalties will apply for mishandling so-called “core state
data” which is seen as endangering the nation’s
sovereignty, security, or development interests.
Perhaps the most direct impact on international companies with
operations in China (as well as Chinese companies with operations
abroad) is the increased scrutiny on cross-border data
Different requirements will exist for different types of data.
Certain “important” data will be subject to government
approval before being transferred out of the country while other
data collected or produced by critical information infrastructure
operators must conform with the security management requirements
for export of data under the 2017 Cybersecurity Law. Certain other
types of “controlled data” will also be subject to export
control regulations with these regulations to be further
Finally, there are government approval requirements when data is
to be transferred out of the country by a company or individual to
a foreign judicial or enforcement authority. Here we can clearly
see the elevation of data security to an issue of national security
and China’s increasing willingness to create and use its own
laws as responses to the laws of other countries which are seen to
have a direct impact in China.
For the most part, we will have to wait for more specific
implementing regulations to come out to get a sense of the true
effect on multinational companies doing business in China. But even
before such implementing regulations arrive, companies engaged in
cross-border business should review what type of information is
collected, processed, and most importantly, transferred out of the
country in anticipation of tighter requirements coming into effect.
This includes starting to think about a preliminary playbook for
responding to foreign regulators’ requests for information
residing in China.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.