The DSL's broader context is cast in very general terms, representing a policy framework for future legislative development rather than a detailed prescription of data handling requirements. For example, Article 7 sets out a guiding principle that the DSL is intended to encourage the lawful, reasonable, and effective utilization of data as part of a broader goal of promoting the development of China’s digital economy. In addition to general requirements for the state coordinate collaboration in areas such as the development of a big data strategy and the development of data security standards, Article 19 calls for the establishment of a “data transaction market” to facilitate the free flow of data in line with China’s strategic aims. However, this broader context of strategic central planning of China’s digital economy is key to understanding the specific measures that will be of most interest to multinational businesses operating in China.
The DSL's key obligations for multinational businesses also are cast in very general terms, making it essential that they monitor the progress of supporting regulations and measures that (we hope) will provide specifics. The shortness of timescale for implementing the DSL makes this vigilance particularly important.
We have highlighted below the key measures introduced by the DSL of importance to multinational businesses operating in China:
Scope and Extraterritorial Application
Article 2 provides that the DSL applies to the overall process of the collection, storage, use, processing, transmission, provision and publication of any information recorded in either electronic or other forms. Unlike the PRC Cyber Security Law (CSL), which only regulates data processing activities in cyberspace, the DSL has general application to both online and offline data processing activities.
The other key difference between the DSL and the CSL is that whereas the CSL mainly regulates systems and networks, the DSL mainly regulates data processing activities. Meanwhile, similar to the CSL, the DSL has extraterritorial reach, applying to data processing activities conducted outside China to the extent they may undermine China’s national security or public interests or the legitimate rights of any citizens or organizations in China. The DSL does not, however, specify how liabilities may be imposed on organizations or individuals outside China.
Data Classification Framework
Article 21 of the DSL directs the state to develop a data classification mechanism that will designate different levels of data protection standards to categories of data determined according to the data’s importance to economic and social development and to the risk of harm to national security, public interests or the legitimate interests of citizens and organizations if such data were falsified, destroyed, leaked or illegally obtained or utilized. The DSL does not go into any further detail as to how the data classification framework will be constructed or the specific standards that will apply to it. We expect industrial supervising authorities will be involved in the development of industry-specific criteria for the classification of data and the specific data protection standards that would apply in each case.
In fact, some local governments and industrial supervising authorities have already taken action to classify data falling within their scope of regulatory authority. For example:
- In 2016 Guizhou provincial government issued the Guidelines for Categorization and Classification of Data on Governmental Data, to sort governmental data into different categories by their themes, related industries and services. Guizhou's governmental data are designated into the following categories by topic:
- comprehensive government affairs data;
- economic management data;
- land and resources data; and
- energy related data.
- In 2018, the China Securities Regulatory Commission released the Data Classification Guidelines for Securities and Futures Industry, which apply to securities and futures industry institutions and other business service institutions and IT service vendors that provide securities and futures related data classification services.
- In 2020, the Ministry of Industry and Information Technology (MIIT) issued the Classification Guidelines for Industrial Data, which apply to the MIIT, industrial enterprises, platform enterprises, etc. in sorting out and classifying industrial data. It is clear, then, that there are some useful data classification precedents to draw from.
Enhanced Protection for "Important Data" and "National Core Data"
Article 21 of the DSL refers to “important data” (a concept introduced in the CSL) and creates a new concept of “national core data.” “Important data” is not defined in the DSL or in other currently effective laws or regulations. The national data security working coordination mechanism, a procedure to be established by the national security agency under Article 5, will develop a catalogue of important data at the central level while local authorities and industry supervising authorities will in turn identify important data within their regulatory remits, as well as specify enhanced protections applicable to each category. As matters stand, then, it is difficult to understand in precise terms what “important data” is and how it will be regulated. We would note, however, the draft Data Security Administration Measures issued by the Cyberspace Administration of China (CAC) in May 2019, which defines “important data” as data that, if leaked, could directly affect national security, economic security, social stability or public health and safety, such as unpublished government information, large scale population data, generic health data, geographic data or data relating to mineral resources. The definition of “important data” here is stated to not generally include business, production and operational information, internal management information or personal information. The Guidelines for Cross-border Data Transfer Security Assessment, which is also in draft status, provides in the Appendix A the guidelines on “important data” identification, defining the scope of important data based on different industries and regions.
The DSL does set out some general provisions applicable to the handling of “important data.” Article 27 requires the processors of important data to identify a data security officer and a data protection department responsible for fulfilling data security protection obligations under the DSL. Article 30 provides that the processors of important data must carry out regular risk assessments of their data processing activities and submit risk assessment reports to their supervising authorities. Risk assessment reports must specify the classes and quantities of important data, how the important data are being processed, the data security risks the processor may be subject to and safeguard measures responsive to the risks identified.
The concept of “national core data” was introduced in the finalized version of the DSL, the last minute inclusion making its terms of reference even more scant than “important data”. The DSL broadly defines “national core data” as data related to China’s national security, lifelines of the national economy, important people’s livelihoods and vital public interests. The DSL provides that more stringent requirements shall be imposed to protect national core data, but the DSL does not provide further detail as to how the scope of “national core data” will be determined or how such data must be protected. The vagueness of the provisions relating to “national core data” and “important data” will be troubling for multi-national businesses seeking to comply with the new law.
Regulation of Cross-Border Data Transfers
The position of cross-border transfers of data from China has been clouded for a number of years now. There are a number of industry-specific data transfer restrictions in place in China. The CSL introduced more general controls on transfers of personal data and important data. Article 31 of the DSL cross-refers to the CSL in this regard. The CSL provides that "important data” collected and generated by “critical information infrastructure operators” (CIIO) within mainland China must be stored locally, unless cross-border transfer is necessary for business needs, in which case the data may be transferred abroad, provided that a security assessment is conducted. Article 31 further provides that non-CIIOs must comply with the rules on cross-border transfer of important data to be formulated by the competent authorities, which have not been promulgated yet.
Article 25 separately provides that in order to perform international duties and safeguard national security and interests, China will implement export controls on the data that is considered to be “controlled items” as defined under the Export Control Law (Export Control Law) effective from December 1, 2020, which defines controlled items as dual-use (civil and military), military, and nuclear items, and other goods, technologies and services related to the implementation of international obligations (such as non-proliferation) and the maintenance of national security.
Data related to the controlled items, such as technical materials, are explicitly defined as “controlled items” in and of themselves under the Export Control Law. The China’s export control administration (i.e., the Ministry of Commerce (“MOFCOM”)) will formulate and publish the list of controlled items and may decide to impose temporary control on items not included in the controlled items list.
The Export Control Law requires exporters to seek an export license from MOFCOM prior to exporting controlled items from China. Factors MOFCOM may consider when deciding whether or not a license should be granted include (i) China’s national security and interests, (ii) China’s international obligations and commitment, (iii) the type of export, (iv) the level of sensitivity of controlled items, (v) the destination of the export, (vi) end users and end uses and (vii) credit records of the exporter.
Article 36 of the DSL introduces a requirement for official prior approval for the provision of data stored in China to foreign law enforcement or judicial agencies. The competent Chinese authority will respond to data requests by foreign judicial and law enforcement agencies in accordance with international treaties or agreements to which China is a party or based on the principle of equality and reciprocity. Such data shall not be provided without the approval of the competent Chinese authority.
Data Access by Chinese Authorities
The CSL and the Regulation on the Network Inspection by Public Security Authority grant broad powers for Chinese public security authorities and national security authorities to request access to data held by businesses having operations in China. Multinational businesses have long-standing concerns about the boundary of these powers and the risk that Chinese authorities making very broad requests for data, including data located offshore. Article 35 of the DSL reiterates these broad powers for Chinese public security and national security authorities to request for data for the purpose of protecting national security or investigating crimes. This provision does state that authorities must complete strict approval procedures, but these approval procedures are not specified.
Retaliatory Measures
Article 26 of the DSL provides that where any jurisdiction imposes discriminatory measures against Chinese investment or trade in data and technology, China may employ equivalent measures against that jurisdiction.
The detail here is obviously very slim, but it is clear that there is risk that a multi-national business operating in China may receive different treatment under the DSL based on the trade policies of its home jurisdiction.
Significant Penalties for Breaching the DSL
The consultation drafts of the DSL saw a progressive increase in the penalties applicable to offences under the law: administrative fines under the DSL include those for (i) breach of data security protection obligations, (ii) violation of requirements for protecting national core data, (iii) violation of the cross-border transfer rules for important data, (iv) refusal to cooperate with data access requests by Chinese authorities and (v) provision of data to foreign judicial or law enforcement agencies without approval.
- Breaching the DSL’s data security protection obligations, including Articles 27, 29 and 301, may subject the entity carrying out data processing activities to a fine from RMB 50,000 to RMB 2,000,000 depending upon the circumstances; persons directly in-charge and other directly responsible personnel may be subject to fines ranging from RMB 10,000 to RMB 200,000 depending upon the circumstances.
- The penalties for the violation of national core data protection requirements are the most severe. If such violation damages national sovereignty, security and/or development interests, it would result in a fine from RMB 2,000,000 to RMB 10,000,000. Serious violations may even result in criminal liabilities.
- Entities violating the cross-border data transfer requirements for important data may be subject to a fine from RMB 100,000 to RMB 10,000,000 depending upon the circumstances; persons directly in-charge and other directly responsible personnel may be subject to a fine from RMB 10,000 to RMB 1,000,000.
- Refusal to cooperate with a data access request by Chinese authorities may subject the entity to a fine from RMB 50,000 to RMB 500,000; persons directly in-charge and other directly responsible personnel may be subject to a fine from RMB 10,000 to RMB 100,000.
- Entities failing to obtain an approval before providing data stored in China to foreign judicial and law enforcement agencies may be subject to a fine from RMB 100,000 to RMB 5,000,000; persons directly in-charge and other directly responsible personnel may be subject to a fine from RMB 10,000 to RMB 500,000.
Further, except for the administrative fines referred to above, the entity violating the foregoing requirements may also be ordered to suspend their relevant business, suspend operation for rectification, or (in extreme circumstances) see their licenses or permits revoked.
Conclusions
The DSL is a landmark piece of legislation for China, reflecting China’s vision of a centrally planned digital economy, dealing specifically with how data will be regulated within this construct. The introduction of the Personal Information Protection Law, expected later this year, will add further clarity, regulating the handing of personal data specifically.
As was the case with the CSL, important clarifications are due under the DSL. The DSL provides for a high-level regulatory framework, with much need for implementing measures, such as the rules for the classified data protection mechanism and cross-border transfers of important data.
For multi-national businesses, much will turn on the scope of “important data,” “national core data,” and data that is considered to be a “controlled item” under the Export Control Law. Companies that process data falling in these categories will need to carefully evaluate their business models for China, with localization or other forms of strict regulation being potential consequences. More broadly, China’s move to establish a “data transaction market” will raise questions about foreign access to and participation in these markets. We recommend that multinational businesses closely monitor regulatory and enforcement developments, with hope that implementing measures soon bring greater clarity.
1 Article 27: The carrying out of data handling activities shall be in accordance with laws and regulations, establishing and completing data security management systems for the entire process, organizing and carrying out education and training on data security, and employing corresponding technical measures and other necessary measures to safeguard data security. The carrying out of data processing activities through information networks, i.e., the Internet, shall fulfil the duties to protect data security on the basis of the multi-level protection system for cybersecurity. Those processing important data shall clearly designate persons responsible for data security and data security management bodies to implement responsibilities for data security protection. Article 29: The carrying out of data processing activities shall strengthen risk monitoring, and when data security flaws, vulnerabilities, or other risks are discovered, remedial measures shall be immediately employed; and when data security incidents occur, methods for addressing them shall be immediately employed, users are to be promptly notified as provided, and reports are to be made to the relevant regulatory departments. Article 30: Those processing important data shall follow periodically carry out risk assessments of their data processing activities as provided, and send risk assessment reports to the relevant regulatory departments. Risk assessment reports shall include the types and amounts of important data being processed; the circumstances of the data processing activities; the data risks faced, methods for addressing them, and so forth.
Authored by Mark Parsons and Sherry Gong.