
China's Big Data Era. New law for Data Protection

In the past few years, China has digitalized its society at an astonishing pace, and data seem to have become the core asset of the government and companies. As such, national security concerns have risen in China over data protection, and as a result China’s first Data Security Law will go into force soon. It provides for tremendous changes, including for Chinese data processors, Chinese data stored outside of China, Chinese data that is requested by foreign governments, and heavy fines.

The new law

The Data Security Law (“Law”) was officially issued on June 10, 2021 and will be implemented on September 1 of this year. This Law, together with the Cyber Security Law implemented on June 1, 2017 and the Personal Information Protection Law, forms a comprehensive legal framework in the field of data security that protects data and tries to address data leakage.

Data protection in China under the new regime

As the very first law on data security in China, this Law provides the legal basis for data supervision, tries to fill the gap in data security protection legislation, and tries to improve the legal system of cyberspace security governance.

For the first time, the Law elevates the overall decision-making and coordination of data security to the central national security leading organ, which is consistent with the National Security Law. According to the Law, the national security organs, public security organs, national cyberspace administration authority and the competent departments of industry, telecommunications, education, science and technology shall all regulate data security.

As there are so many state departments involved, it can be seen that data security management goes deep into normal life.

Which data?

Data in this Law refers to any record of information in electronic or other form. This means all kinds of “records of information” kept on any device, such as computers, mobile phones, servers and clouds. The Law puts forward a classified and graded data protection system (“System”) to distinguish whether the “records of information” are core data. In this regard, the Law points out that such a System should be established based on the importance of the data in economic and social development, as well as the extent of harm caused by tampering with, destroying or illegally disclosing the data.

It is worth mentioning that the Law also emphasizes that data that have a bearing on national security, the lifelines of the national economy, people's material livelihood and major public interests shall constitute the core data of the State and shall be subject to a stricter management system.

Duties on data processors

Data processors will have to set up a data security management system. They will need to appoint a person responsible for data security and have a department for this, monitor risks and conduct risk assessments periodically. In the case of a breach, they will need to take immediate action. For important data they need to work together with the government.

Data inside and outside of China

Some companies store data collected in China on foreign servers, and the data processing involved (collection, storage, use, processing, transmission, etc.) also takes place in foreign countries.

The Law stipulates that if data processing activities outside of China are found to damage the national security, public interests or the legitimate rights and interests of citizens and organizations of China, they will still be investigated for legal responsibility according to law.

This means that even if the data collected in China is stored on foreign servers, the data processor may still face the risk of being investigated for legal responsibility if the processing damages the national security of China or the legitimate rights and interests of other entities in China.

Need for approval in case of foreign data requests

Furthermore, without the approval of the competent authorities of China, organizations and individuals within the territory of China shall not provide data stored in the territory of China to foreign judicial or law enforcement organs. This indicates that if enterprises face requests to provide data from foreign judicial or law enforcement organs in the future, the provision of domestic data must be approved by the regulatory authorities.

Heavy fines

If a data processor violates the national core data management system and endangers national sovereignty, security and development interests, the data processor will face the risk of a fine of more than 2 million RMB but less than 10 million RMB, suspension of business, revocation of its business license, or even criminal responsibility. This is also a warning to all data processors that they should always strictly abide by the Data Security Law and relevant rules while enjoying the convenience and economic benefits brought by data; otherwise they will be in a situation where the loss outweighs the gain.

Companies need to know how to protect whose data where

Data is key for China. As such, data protection and national security have become more and more intertwined. For companies it is key to know how data needs to be protected in accordance with China’s laws. At the same time, it needs to be checked that this is also in compliance with the laws of other countries. As such, knowing whose data needs to be protected, in which manner and where, will become key in order not to face scrutiny by the Chinese government.