When compared to the EU or the U.S., China has lacked a comprehensive data protection and data security law that regulates in detail the requirements and procedures relating to the collection, processing, control and storage of personal data. In recent years, China has seen developments on data protection both in legislation and in practice. Recently, another significant draft law on data security was issued by the Chinese legislative authority. From June 28 to June 30, 2020, the 20th Session of the 13th Standing Committee of the National People’s Congress of China (the “NPC”) deliberated on the draft of the Data Security Law (the “Draft”), and on July 3 published the Draft on the NPC’s official website for public comment. The public comment period for the Draft will end on August 16, 2020. It is expected that the Draft will be finalized within the year and that the regulatory requirements relating to data security will eventually be reflected in Chinese law.
The Draft includes seven sections and 55 articles in total, covering data security and industrial development, the data security regulatory system, data security protection obligations and government data security and access. We highlight the framework of the Draft below:
Section 1 of the Draft provides the applicable scope of the law. Under the Draft, “Data Activities” are defined as the collection, storage, processing, usage, provision and public disclosure of data, where data means any record of information in electronic or non-electronic form. Section 1, Article 2 expressly stipulates that Data Activities conducted in China are subject to the Data Security Law, and that organizations and individuals outside of China conducting Data Activities that damage the national security or public interest of China, or the legal interests of Chinese citizens and organizations, will also be held legally liable under the law.
According to Section 7 (Supplementary Articles), Data Activities involving national secrets will be subject to the Law on Keeping Confidentiality of State Secrets and other relevant administrative laws and regulations of China. The Central Military Commission will develop the measures regulating military Data Activities.
Promotion of Data Usage While Maintaining Data Security
Section 2 of the Draft generally provides that China will maintain data security while promoting the usage of data, through (1) enhancing research on technology for data development and usage; (2) establishing a data security standardization system; (3) improving data security inspection, assessment and certification; (4) advancing the data transaction management system; and (5) facilitating education and training on data usage technology and data security in colleges, schools and enterprises.
Data Security Regulatory System
Section 3 of the Draft provides that data will be protected under a classification scheme based on the level of importance of the data, and that China will establish a unified, effective and official mechanism for assessing, reporting, sharing, monitoring and warning of data security risks. China also will develop a data security emergency response mechanism to mitigate damage, as well as a data security review system. A decision reached in a security review will be final.
Section 3 also stipulates that China will impose export controls on data that falls into categories of controlled items. It further stipulates that China will take countermeasures when faced with other countries’ prohibitions, restrictions or similar measures taken with respect to trading and investment relating to data and/or technologies of data development and usage.
Data Security Protection Obligations
Section 4 of the Draft imposes multiple obligations with respect to conducting Data Activities, including:
- compliance with laws and regulations;
- improvement of data security management systems, and establishment of data security education and training, technical measures and other necessary measures;
- favoring economic and social development and improvement of people’s happiness in line with social morality and ethics;
- enhancing risk inspection, taking remedial measures in case of data security defects or vulnerabilities, and informing customers and reporting to the regulatory authorities in case of security incidents;
- periodic risk assessment and reporting to the regulatory authorities by processors of important data (covering the categories and amount of important data held, its collection, storage, processing and usage, and the security risks faced and the countermeasures taken);
- collection of data by lawful and legitimate means, limited to what is necessary;
- for agents of data transactions, requiring an explanation of the source of the data, verifying the identities of the transacting parties and keeping transaction records;
- for specialized online data processing service providers, obtaining the necessary legal permits or completing registration;
- cooperation by organizations and individuals during evidence collection by police and national security authorities in accordance with legal procedures; and
- reporting to the competent Chinese regulatory authorities upon receiving requests from regulatory authorities abroad.
Government Data Security and Access
Section 5 of the Draft mainly provides the responsibilities and obligations of government authorities with respect to maintaining data security and the public disclosure of government data (excluding data not open to the public), such as:
- development of e-government;
- compliance with laws and regulations;
- establishment and improvement of the data security management system;
- strict approval procedures for and supervision of government data storage and processing services by third parties;
- public disclosure of government data in accordance with the principles of fairness, justice and convenience; and
- establishment of the Open Directory of Government Data.
Section 6 of the Draft allows regulatory authorities to summon relevant organizations and individuals for regulatory interviews where Data Activities present relatively large risks, and it requires those organizations and individuals to take necessary measures to remedy and mitigate the risks.
Organizations and individuals conducting Data Activities that fail to fulfill the data security protection obligations or to take necessary measures will be subject to correction orders, warnings or penalties ranging from RMB 10,000 to RMB 100,000 (with penalties on the individuals directly in charge ranging from RMB 5,000 to RMB 50,000). Where they refuse to rectify, or where serious consequences such as massive data leaks result, the penalties range from RMB 100,000 to RMB 1 million (with penalties on the individuals directly in charge ranging from RMB 10,000 to RMB 100,000).
Data transaction agents who fail to perform the relevant obligations, such as checking the legal source of the data to be traded and/or the identities of the trading parties, and whose failure results in an illegal data transaction, may be subject to a correction order, confiscation of illegal gains and penalties, including penalties on the individuals directly in charge.
The Draft provides relatively general stipulations on data security, without the detailed regulations that would be referred to in practical enforcement. It is expected that once the Draft comes into force, it will constitute a significant part of China’s legal framework on data security.