Data Security Law of the People’s Republic of China - What Organisations Need to Know?

Key Contact:
 
Jillian Chia

The Data Security Law of the People’s Republic of China (“DSL”) was formally passed on June 10, 2021 and will take effect starting September 1, 2021. Organisations will have a transition period of less than three months to self-review and self-assess their data processing activities, given the new obligations that will be imposed, as summarised below. 
 
Who does the DSL apply to?
 
The DSL applies to organisations and individuals who undertake data processing activities which include the collection, storage, use, refining, transmission, provision and disclosure of data. “Data” refers to any record of information in electronic or other forms. 
 
I am a company operating outside of China. Would this law apply to me?
 
The DSL has extraterritorial application in that it may apply to organisations and individuals outside of China to the extent that they harm China’s national security, public interests, or the lawful rights and interests of citizens or organisations in China.
 
What are the obligations under the DSL?
 
The data security obligations under the DSL include establishing and improving data security management systems, organising and performing data security education and training, taking technical and other necessary measures to ensure data security, strengthening risk monitoring and taking timely remedial measures.
 
The requirements include:
 
  • Developing a Data Classification Framework: The DSL directs the development of a data classification mechanism, which should specify varying levels of data protection standards to categories of data in accordance with the data’s importance.

  • Enhanced protection for certain categories of data, such as “important data” and “national core data”: “National core data” would include data related to national security, lifelines of the national economy, important aspects of livelihood and vital public interest. Further, organisations that process “important data” must designate a person and an administrative department to be in charge of data security, to conduct periodic risk assessments and to submit reports to the relevant government authority.

  • Cross-border data transfer controls: For cross-border transfers of “important data”, separate regulatory frameworks have been established for Critical Information Infrastructure Operators (“CIIOs”) and non-CIIOs. Further, companies and individuals in China are prohibited from providing data stored in China to any foreign law enforcement or judicial authorities without the approval of the relevant authority in China.

  • Obligations on entities who provide data trading services: Agents that provide data trading services are subject to certain obligations such as to request the data provider to identify the sources of data, to examine and verify both parties’ identities for a data transaction and to retain records.

  • Retaliatory measures: Where any country or region imposes discriminatory prohibitions, limitations or other such measures against Chinese investments or trades relating to data and technology, China may employ reciprocal measures against such country or region.

  • Antitrust and unfair trade practices: Unfair trade practices such as appropriation of data using discriminatory or other anti-competitive means are expressly prohibited.

  • Data access by government authorities: Companies and individuals are required to cooperate during investigations conducted by the Chinese authorities, and the relevant authorities will be subject to strict approval procedures when requesting access to data for such investigations.

What are the penalties for violations of the DSL?
 
Severe punishments may be meted out for offences under the DSL, including suspension, revocation of business licences or permits, fines of up to RMB 10 million and potential criminal liabilities. The regulators may also order rectifications, confiscate any illegal gains, as well as impose fines of up to ten times the amount of the illegal gains. Individuals directly responsible for violations may also be subject to fines of up to RMB 1 million and potential criminal penalties.
 
Next steps
 
It is expected that additional guidance and regulations will be issued to further clarify the scope of the DSL. Given that the DSL will take effect soon, businesses with dealings in China or with Chinese counterparts are advised to reassess their existing data processing activities and ensure that their data processing complies with the obligations under the DSL.
 
The DSL (in Mandarin) can be accessed here.
 
Skrine only advises on Malaysian law and this alert is for informational purposes only.
 
For any queries on the DSL, please contact our partner, Jillian Chia, at jc@skrine.com and we may assist in referring you to our PRC associate firms who specialise in this area.


This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such.