On April 29, 2021, China issued a second draft version of the Data Security Law (“Draft DSL”). The Draft DSL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft DSL is the same as the prior version issued on July 3, 2020, below we summarize the material changes in the second version of the Draft DSL.

Data Protection Policy Based On Hierarchical Classification and Category

Article 20 stipulates that a data protection policy based on the hierarchical classification and categorization of data and the “important data catalogue” shall be established at the national level. Nonetheless, the Draft DSL does not provide the definition of important data, which may be defined in future implementing rules.

Administration of Cross-Border Data Transfer

Article 30 differentiates how the cross-border transfer of important data is to be treated by critical information infrastructure (“CII”) operators and by other data processors. Specifically, the Cybersecurity Law of China would apply to the administration of transfers of important data collected and generated by CII operators during their operations in China.  The Cyberspace Administration of China, together with the relevant department of the State Council, would make relevant rules to govern cross-border transfers of important data by other data processors.

Licensable Data Processing Service

Article 33 stipulates that service providers shall obtain permits for relevant data processing services, as required by laws and regulations. However, the Draft DSL does not list the specific data processing services that will require a license.

Penalties

Article 44 significantly increases the strength of penalties. In cases of failures to perform obligations related to data security, data processors will be subject to fines varying from 50,000 to 500,000 RMB, as well as orders for correction and warnings. Additionally, the personnel directly in charge of, and other personnel responsible for, data processing activities will be subject to fines varying from 10,000 to 100,000 RMB. In cases where there are failures to make corrections or that result in serious consequences, data processors will be subject to fines varying from 500,000 to 5 million RMB. In addition, these processors may be subject to suspensions or shutdowns of business, or revocations of permits or business licenses. Lastly, in the relevant violation cases, personnel directly in charge of, and other personnel responsible for, data processing activities will be subject to fines varying from 50,000 to 500,000 RMB.

Article 46 adds penalties to the following types of data processing activities: where (1) data processors reject access to data by public security and/or state security authorities under laws for the purposes of maintaining national security or conducting criminal investigation; and (2) data processors provide data to a foreign judicial organ or law enforcement agency without the approval of a competent authority.

In addition, the Draft DSL clarifies the definition of “data processing” and “data security” and addresses antitrust issues related to platforms, graded cybersecurity protection obligations and industry self-discipline rules.