On June 10, 2021, the 29th meeting of the Standing Committee of the 13th National People’s Congress reviewed and passed the “Data Security Law of the People’s Republic of China” (hereinafter the “Data Security Law”). The Data Security Law will come into force on September 1, 2021.
The “Legislative Plan of the Standing Committee of the 13th National People’s Congress”, published in September 2018, included the Data Security Law in the legislative plan for the first time, as a “draft law with relatively mature conditions to be submitted for deliberation within the term of office”. After two years of deliberation, the draft Data Security Law was issued for public comment by the Standing Committee of the National People’s Congress (NPC) in July 2020 following its first reading, was deliberated at second reading on April 26, 2021, and has now been officially promulgated.
The Data Security Law will become an important part of the national security legal system represented by the National Security Law. It will also form a more complete basic legal system in the information field together with the Cybersecurity Law and the Personal Information Protection Law, which has been reviewed for the second time.
The key contents of the Data Security Law are summarized as follows.
I. Scope of application
The Data Security Law stipulates that it applies to data processing activities carried out within the territory of the People’s Republic of China and to the security supervision of such activities. As to extraterritorial application, it further stipulates that anyone who carries out data processing activities outside the territory of the People’s Republic of China that harm the national security or public interests of the People’s Republic of China, or the legitimate rights and interests of its citizens or organizations, shall be held legally liable in accordance with the law (Article 2).
The Data Security Law further provides that “data” means any record of information in electronic or other form, and that “data processing” includes the collection, storage, use, processing, transmission, provision and disclosure of data.
Under these definitions, “data” covers a very wide range. As government affairs and enterprises gradually go digital, almost every aspect of production, operation and management will be captured in information records. The Supplementary Provisions of the Data Security Law further stipulate that data processing activities involving state secrets are governed by the Law of the People’s Republic of China on Guarding State Secrets and other laws and administrative regulations, and that data processing activities in the fields of statistics and archives, as well as data processing activities involving personal information, must also comply with the relevant laws and administrative regulations. The Data Security Law therefore does not cover data processing activities involving state secrets. It does apply to data processing activities in statistics and archives and to data processing activities involving personal information, but these activities must also satisfy the requirements of the relevant laws and regulations. How the requirements of the Data Security Law will apply in practice to the business operations of enterprises remains to be seen. For example, the Data Security Law requires that data be protected by classification and grading, yet formulates specific obligations only for important data (as described in Part VI of this paper). Whether data other than important data should be regulated, and with what focus and rules, may need further clarification.
According to the Data Security Law, data security means ensuring, through the adoption of necessary measures, that data is effectively protected and lawfully used, and having the capability to guarantee a continuous state of security (Article 3). Read as a whole, the Data Security Law treats data security as covering not only national security at the macro level, but also the implementation of data security measures by organizations and individuals at the micro level.
II. Connection between the Data Security Law and the legal system for network and data security
Data security is an important component of national security and network security.
The National Security Law provides in principle that the state shall build a network and information security guarantee system, enhance its capability to protect network and information security, strengthen innovative research, development and application of network and information technology, and achieve … the security and controllability of data (Article 25).
The Cybersecurity Law also requires enterprises to fulfil the obligations of the network security multi-level protection scheme and to take measures such as data classification and the backup and encryption of important data (Article 21). We note that the coordination between the Data Security Law and the provisions of the above-mentioned laws and their supporting regulations (including drafts for comment) still requires further observation, for example:
- the connection between the protection obligations for important data under the Data Security Law and the relevant definitions and provisions of the Cybersecurity Law and the Data Security Management Measures (Draft for Comments);
- the connection between the data export control system under the Data Security Law, the export control requirements of the Export Control Law issued in 2020, and the data exit requirements of the Cybersecurity Law, the Data Security Management Measures (Draft for Comments) and the Personal Information Protection Law (Draft for Second Review);
- the relationship between the data security review system under the Data Security Law, the security review system for foreign investment under the Foreign Investment Law, and the Cybersecurity Review Measures.
III. Equal emphasis on data security and development
The Data Security Law first specifies in its general provisions that the state protects the data-related rights and interests of citizens and organizations, encourages the rational and effective use of data, guarantees the lawful, orderly and free flow of data, and promotes the development of a digital economy with data as a key factor of production (Article 7).
Chapter II of the Data Security Law then explicitly supports both data security and development. The support measures include implementing a big data strategy, promoting the construction of data infrastructure, and planning and designing the development of the digital economy (Article 14); supporting the development and use of data to raise the level of intelligence in public services (Article 15); strengthening research into data development and use and into data security technology (Article 16); promoting the training of data talent (Article 20); and other general strategies and guidelines that encourage and support the development of the digital economy and the development and use of data. It also requires the formulation of relevant standards for data development and use technology and for data security (Article 17), the promotion of data security testing, evaluation and certification (Article 18), and the establishment and improvement of a data transaction management system (Article 19).
The system design of the Data Security Law thus aims to encourage and establish a variety of supporting measures for data-related systems and, combined with its management requirements for data, to promote and coordinate balanced and orderly development between the digital economy and data security.
IV. Data security enforcement bodies and their responsibilities
Articles 5 and 6 of the Data Security Law define the supervision of data security and the responsibilities of the different enforcement bodies. The Data Security Law provides that the central national security leading body is responsible for decision-making and coordination of national data security work, for formulating and guiding the implementation of the national data security strategy and related major policies, for coordinating major matters and important work concerning national data security, and for establishing a national data security work coordination mechanism. The “national data security work coordination mechanism” appears for the first time in the formally adopted text of the Data Security Law; it is responsible for “coordinating the relevant departments in formulating the important data catalogue” (Article 21) and for “coordinating the relevant departments in strengthening the acquisition, analysis, research and judgment, and early warning of data security risk information” (Article 22). In addition, under Article 7:
- all regions and departments are responsible for the data collected and generated in the work of their respective regions and departments, and for the security of that data;
- the competent departments for industry, telecommunications, transportation, finance, natural resources, health, education, science and technology assume responsibility for data security supervision in their respective industries and fields;
- the public security organs and the state security organs assume responsibility for data security supervision within the scope of their respective functions and duties;
- the Cyberspace Administration of China is responsible for the overall planning and coordination of network data security and related supervision.
V. Basic systems for data security
As a basic law in the field of data security, Chapter III of the Data Security Law establishes a series of basic systems in the field, constructs the basic framework of China’s data security regime, and lays a foundation for the future development and improvement of that regime. These new basic systems include:
1. Data classification and grading protection, the important data protection system and the national core data protection system
The Data Security Law stipulates that the state implements classified and graded protection of data according to the importance of the data in economic and social development and the degree of harm to national security, public interests or the legitimate rights and interests of individuals and organizations that would result if the data were tampered with, damaged, leaked, illegally obtained or illegally used. The national data security work coordination mechanism coordinates the relevant departments in formulating the important data catalogue. Data concerning national security, the lifeblood of the national economy, important aspects of people’s livelihood and major public interests constitutes national core data, to which a stricter management system applies. All localities and departments shall, in accordance with the data classification and grading protection system, determine the important data protection catalogues for their respective localities, departments, industries and fields, and give priority protection to the data listed in those catalogues (Article 21).
The Data Security Law sets out special requirements for the processing of important data: (1) processors of important data shall designate a person in charge of data security and a data security management body (Article 27); (2) processors of important data shall regularly carry out risk assessments of their data processing activities and submit risk assessment reports to the competent department; the report shall include the types and quantities of important data processed, the data processing activities carried out, the data security risks faced and the countermeasures taken, etc. (Article 30).
Regulation of important data was first proposed in the Cybersecurity Law of 2016, which mainly requires local storage and exit security assessment of important data collected by operators of critical information infrastructure. Related drafts were subsequently released: for example, the Information Security Technology Guidelines for Data Cross-Border Transfer Security Assessment (Draft) and the Data Security Management Measures (Draft for Comments) list various categories of important data and their definitions, and the Data Security Management Measures (Draft for Comments) also put forward corresponding requirements for the processing of important data.
The Data Security Law establishes processing rules for important data, reflecting the continued deepening of the important data management system. However, the Data Security Law still does not clearly define important data, leaving it to the various regions, departments and industries to issue the relevant catalogues, which reflects the complexity of classifying and defining data in practice.
Article 31 of the Data Security Law clearly states that the exit security management of important data collected and generated by operators of critical information infrastructure in their operations within the territory of the People’s Republic of China is governed by the Cybersecurity Law of the People’s Republic of China, and that measures for the exit security management of important data collected and generated by other data processors in their operations within the territory of the People’s Republic of China shall be formulated by the Cyberspace Administration of China together with the relevant departments of the State Council. For operators of critical information infrastructure, the exit of important data therefore still follows Article 37 of the Cybersecurity Law: local storage is the principle, and exit must undergo a security assessment. For other data processors, the important data they collect and generate will be regulated by dedicated measures on the exit security management of important data. These measures have not yet been issued, so the exit of important data by general data processors remains to be clarified by further legislation.
The Data Security Law puts forward the concept of “national core data” for the first time. The Data Security Law does not yet specify the “stricter management system”, but Article 45 stipulates penalties for violating the national core data management system (the maximum penalty is up to 10 million yuan). We understand that the scope of national core data and the related management system may be specified in subsequent supporting rules.
2. Data security risk control system
The Data Security Law requires the state to establish a unified, efficient and authoritative mechanism for data security risk assessment, reporting, information sharing, monitoring and early warning, with the national data security work coordination mechanism coordinating the relevant departments in strengthening the acquisition, analysis, research and judgment, and early warning of data security risk information (Article 22). The specific content of this system and the obligations of the relevant government departments and enterprises will be further clarified by supporting regulations in the future.
3. Data security emergency response mechanism
The state establishes a data security emergency response mechanism. In the event of a data security incident, the relevant competent department shall initiate the emergency plan according to law, take corresponding emergency response measures, prevent the harm from spreading, eliminate security hazards, and release warning information relevant to the public in a timely manner (Article 23). How this provision connects with the Emergency Response Law and other existing laws and regulations needs further observation.
4. Data security review system
The state establishes a data security review system to conduct national security reviews of data processing activities that affect or may affect national security. A security review decision made in accordance with the law is final (Article 24).
The Data Security Law does not specify the concrete content of the data security review system. Its relationship with the existing security review system for foreign investment under the Foreign Investment Law and with the security review system for operators of critical information infrastructure under the Cybersecurity Review Measures also needs further observation.
5. Data export control system
The state implements, in accordance with law, export controls on data that constitutes controlled items related to the fulfilment of international obligations and the maintenance of national security (Article 25). The Export Control Law issued on October 17, 2020 stipulates export control requirements for goods, technologies, services and other items, and defines export control.
In addition, the Cybersecurity Law, the Data Security Management Measures (Draft for Comments) and the Personal Information Protection Law (Draft for Second Review) respectively set out data exit security assessment requirements for operators of critical information infrastructure, network operators, important data and personal information, but the details are not yet clear. The measures on the exit security management of important data by other data processors provided for in Article 31 of the Data Security Law have not yet been issued. The coordination and connection between data export control and the data exit security assessment system should be further clarified in future legislation.
6. Mechanism for countermeasures against discriminatory measures
Where discriminatory prohibitions, restrictions or similar measures are taken against China in respect of investment and trade in data and technologies for data development and utilization, China may take reciprocal measures according to actual conditions (Article 26).
VI. Data security protection obligations
Chapter IV of the Data Security Law stipulates the obligations that units and individuals must comply with under the national data security protection system. These basic obligations include:
- Those carrying out data processing activities shall establish and improve a data security management system covering the whole process, organize data security education and training, and take corresponding technical and other necessary measures to ensure data security. Where data processing activities are carried out via the Internet or other information networks, these data security protection obligations shall be fulfilled on the basis of the network security multi-level protection scheme (Article 27);
- risk monitoring of data processing activities shall be strengthened; remedial measures shall be taken immediately when data security defects, vulnerabilities or other risks are found; and when a data security incident occurs, response measures shall be taken immediately, users informed in a timely manner, and the relevant competent authorities notified in accordance with the regulations (Article 29);
- data shall be acquired by lawful and legitimate means (Article 32);
- requests by public security organs and state security organs to retrieve data for the purpose of safeguarding national security or investigating crimes shall be cooperated with (Article 35);
- the competent authorities of the People’s Republic of China shall handle requests from foreign judicial or law enforcement agencies for the provision of data in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by the People’s Republic of China, or in accordance with the principle of equality and reciprocity. No organization or individual in China may provide data stored within the territory of China to foreign judicial or law enforcement agencies without the approval of the competent authorities of the People’s Republic of China (Article 36).
In addition to the above basic obligations, the Data Security Law puts forward a special data security obligation for institutions engaged in data trading intermediary services: such institutions shall require the data provider to explain the source of the data, examine the identities of both parties to the transaction, and retain the examination and transaction records. In our opinion, data service providers and intermediary platforms engaged in data transactions should pay full attention to this requirement (Article 33).
VII. Openness and security requirements for government data
Against the background of the steady advancement of e-government in China, the security protection of government data is urgent. On the one hand, it is necessary to continuously promote the transparency and openness of government data and improve the level of social governance. On the other hand, because of its particular nature, government data is also related to national security, and its abuse or illegal leakage would harm the country and society. In this context, Chapter V of the Data Security Law sets clear requirements for the security and openness of government data. These include that state organs shall carry out data activities within the scope of their statutory duties, establish and improve data security management systems, disclose government data in a timely and accurate manner, and build secure and controllable open platforms for government data.
Particular attention should be paid to Article 38, which requires state organs to keep confidential the personal privacy, personal information, trade secrets, confidential business information and other data they come to know in the course of performing their duties according to law, and not to disclose them or illegally provide them to others. Article 40 stipulates that when a state organ entrusts others to build and maintain an e-government system or to store and process government data, it shall go through strict approval procedures and supervise the entrusted party’s fulfilment of its data security protection obligations. The entrusted party shall fulfil its data security protection obligations in accordance with the requirements of laws, regulations and the contract, and shall not retain, use, disclose or provide government data to others without authorization. Third-party service providers that cooperate with or provide services to the government should therefore pay special attention to this requirement: on the one hand, the approval procedure remains to be seen; on the other hand, the practice of some e-government service providers using government data for other commercial purposes is expressly identified as illegal by the Data Security Law.
VIII. Legal liability for breach of data security obligations
Chapter VI of the Data Security Law establishes legal liability for breaches of the various data security obligations. Article 44 stipulates that where, in the course of supervision, the competent authority finds that data processing activities carry relatively large security risks, it may interview the relevant organizations and individuals and require them to rectify and eliminate the hazards. In addition, this chapter sets out in detail the legal liability of the different subjects, including organizations and individuals carrying out data processing activities, data trading intermediary institutions, state organs, and state functionaries performing data security supervision duties, for violating their corresponding obligations under the Data Security Law, and makes clear that where a crime is constituted, criminal liability shall be pursued according to law.
The Data Security Law stipulates the legal consequences for units and individuals that violate their data security protection obligations: the maximum fine for a unit is RMB 2 million yuan, and the unit may be ordered to suspend the related business or suspend business for rectification, and have its relevant business permit or business license revoked. A maximum fine of RMB 200,000 yuan is also stipulated for the directly responsible person in charge and other directly responsible personnel. It is worth noting that stricter legal consequences are expressly stipulated for violating the national core data management system, endangering national sovereignty, security and development interests, and providing important data abroad in violation of the Data Security Law (Articles 45 and 46).
The Data Security Law also separately stipulates legal liability for related illegal acts such as failing to cooperate with public security organs and state security organs in retrieving data, providing data to foreign judicial and law enforcement agencies without approval, and violations of the regulations by institutions engaged in data trading intermediary services.
IX. Our observations
As China’s first special law on data security, the Data Security Law establishes the legislative basis and institutional framework for China’s data security governance system, and sets out the basic ideas and general guidelines for data security protection.
Given the breadth and complexity of the fields the Data Security Law touches and the principle-based nature of its provisions, how it will connect with the existing Cybersecurity Law, the Personal Information Protection Law now being drafted and other laws and regulations, how the corresponding supporting rules will be designed and each specific data security system brought into being, and how the digital economy can develop steadily and in an orderly manner on the premise of data security are all huge challenges, and we can foresee many issues in future practice.
Data activities are crucial to the operation of enterprises, the development of cities and the advancement of government affairs, especially in the context of the rapid development of the digital economy and of new technology fields such as big data, artificial intelligence, cloud computing and blockchain. The Cybersecurity Law, which came into force in 2017, set up a new compliance framework for companies’ data activities. However, that regulation mainly focuses on personal information and important data; unified data security legislation had not been enacted, and the legal and enforcement framework for important data is still being explored and formed.
The introduction of the Data Security Law will undoubtedly provide a basic legal basis and reference for the lawful and secure use and processing of data by all kinds of enterprises and institutions and in the course of government affairs, and will further promote internal and external data security compliance work and the implementation of the various data security obligations.
Enterprises in all industries, especially in key industries such as finance, telecommunications, transportation and natural resources that may involve important data, need to pay close attention to the data classification and grading and important data protection systems, and to improve their data security risk prevention mechanisms and data security incident emergency response mechanisms. Trading platforms need to strengthen their mechanisms for examining data sources and both parties to a transaction. For enterprises that provide data processing and services to enterprises and public institutions, the various systems stipulated in the Data Security Law will also directly affect their future business models and obligations. We suggest that enterprises assess as soon as possible whether they have any compliance problems under the provisions of the Data Security Law, and carry out the corresponding system and compliance construction.