The exponential growth in the value of data in our society has led to over 128 countries implementing some form of data protection legislation, in an attempt to regulate the usage of data and bring forth redressal mechanisms in the case of a breach. Although many of these countries have put in place mechanisms for data protection, these have progressively become inadequate due to technological development, and therefore the need for comprehensive data protection legislation is imminent around the globe. The General Data Protection Regulation (GDPR) is the foremost legislation in Europe regarding data protection which in many ways kickstarted the formulation of comprehensive legislation across the globe, with countries like India drawing inspiration from the same in its recent Draft Data Protection Bill. Surprisingly, the United States still does not have any federal-level consumer data privacy law, while China, one of the largest surveillance states has recently brought forth the Data Security Law (DSL) which was passed by the standing committee of the National People’s Congress party in China and intended to take effect from 1st September of 2021. The DSL operating along with China’s existing Network Security Law (NSL) as well as the supposed Personal Information Protection Law (PIPL) together, will create a comprehensive framework for data protection and regulation.
Purpose of the Law
The objective of the Act is to “regulate data processing activities, ensure data security, promote data development and use, protect the lawful rights and interests of individuals and organizations, and safeguard national sovereignty, security, and development interests.” The DSL’s applicability is not limited to the People’s Republic of China, as it also has extraterritorial jurisdiction over data processing activities outside the PRC which can supposedly harm “the national security, the public interests, or the lawful interests of citizens or organizations of the People’s Republic of China”. What may be considered harmful to these interests and organizations remains ambiguous and tips to the scale toward the Chinese agencies in deciding the nature of the harm, potentially in an arbitrary manner much like the crackdown on Didi Chuxing, a cab hiring service over allegations of transferring domestic data to the United States on the grounds of national data security. As proposed by multiple experts, this seems to be a part of a larger issue between the Chinese government and tech companies, with the government citing issues such as anti-competitive practices and privacy concerns. This leads us to question whether the growing Chinese legislature around data protection is going to further enable government crackdown, now with more legal backing.
Assessing the Law
DSL classifies data as “any record of information in electronic or other forms”, this classification being a rather broad one, is supplemented by legislation such as the PIPL with data pertaining to people falling under the ambit of ‘Personal Information’ and thereby being subject to the PIPL. More importantly, the DSL categorizes data into Core State Data and Important Data in order to better regulate data based on its nature. What constitutes as important data is determined by the ‘national data security work coordination mechanism’ along with relevant departments. The same is to be released through the means of an ‘important data catalogue’. On the other hand, data related to “national security, lifeline of the national economy, important people’s livelihood, vital public interests and other aspects” is considered Core State Data is regarded with higher austerity.
Article 5 stipulates that‘the leading central national security agency is responsible for the decision making and coordination related to data security works. The agency is responsible for research and development of major policies and oversees the implementation of the same. It is also expected to set up the previously mentioned national data security work coordination mechanism and coordinate ‘major matters’ with them. This national framework is supported by authorities on a regional and departmental level who are expected to oversee matters pertaining to their region or industry. These departments are also responsible for enabling redressal for complainants who may report any violations of provisions of the DSL. The departments are also expected to deal with these complaints with discretion and in a “timely manner and in accordance with law.”
Chapter II of the law deals with data security and development and lays emphasis on the State promoting better data security through ‘data development and use’ and by means of industrial development. It also holds that big data strategies will be implemented to develop data infrastructure. The DSL also sets out the establishment of national standards of data development, research on data security, supporting institutions that aim to educate and develop on different facets of data as well as a number of other strategies greatly focused on promoting growth in the field of data.
Chapter III relates to Data Security Systems and as defined in article 3, data security according to this law is “the ability to ensure that data remains in the condition of being effectively protected and lawfully used and equips the ability to continuously remain in secure condition.” Interestingly, article 23 calls for the setting up of a ‘data security emergency response mechanism’ whose role is to “implement the emergency plan, adopt appropriate emergency response measures, prevent the expansion of harms, eliminate security risks, and release warning information relevant to the public in accordance with laws.”. Article 24 then stipulates that the State will set up a data security review system whose role is to oversee data processing activities that affect or may affect matters of national security. And it is expressly mentioned that “Security review decisions issued in accordance with laws are final decisions.”, articles following this continue along the lines of national interests and security and grant the government discretionary powers to act in accordance.
Chapter IV, perhaps the most important section, sets out the obligations to be fulfilled by individuals and organisations partaking in data processing activities. These include, establishing and completing a data security management system across the entire workflow, organizing, and conducting training regarding data security, adopting necessary measures to promote data protection in accordance with the law and those entities carrying out data processing activities through the internet shall fulfil said obligations based on the “Multi-level Protection Scheme”. Noncompliance leads to penalties such as fines of CNY 2 million, revocation of business licenses or ‘demands to close down businesses.’ Breaches in the case of Core State Data attract a larger fine and bearing of criminal responsibilities if applicable. Apart from these general obligations, Chapter IV also lays down some specific obligations such as with regards to cross border data transfers and data intermediaries. Article 31 governs cross-border transfer of data and holds that such transfers by CIIO’s should be in accordance with the relevant provisions of the Cyber Security law of China, while other data processors are to follow regulations on international transfer of Important Data, formulated by the cybersecurity authority working together certain departments of the State Council. Article 35 also holds that organizations within PRC “shall not provide data stored within the territory” of the PRC “to foreign judicial or law enforcement agencies without approval from competent authorities” of the PRC. Following this, the law primarily lays down how the state entities should operate in order to facilitate this law, the penalties in case of a breach and supplementary provisions.
The DSL brings forth data regulations in a manner unlike any other that China has seen and is an expansive and broad law that has strict compliance requirements. Multinational companies are likely to be most affected by the introduction of the DSL and China’s increasingly stringent data protection framework calls for thorough auditing and operational changes in order to continue functioning within China. The law understandably, seems to be strictest toward Core State Data and also gives a fair amount of autonomy to the government in matters of national interest and security. However, the ground impact of the law and it’s functioning together with laws such as the PIPL and NSL can only be understood following implementation on September 1st 2021.