This article is written by Aristotle Gottumukkala, pursuing a Diploma in International Data Protection and Privacy Laws from Lawsikho. The article has been edited by Zigishu Singh (Associate, LawSikho).
Nearly one year after its introduction, two drafts, and three reviews, China’s Data Security Law (DSL) was officially passed on 10th June 2021 by China’s national legislature. Touted to be the world’s most stringent data protection law, the DSL officially came into full force on 1st September 2021. With the DSL, China has introduced a complex, comprehensive data protection regime that focuses on the processing and protection of all types of data and lays strong foundations for the development and welfare of China’s national security. The cutting-edge part of this legislation is the hierarchical classification of data according to its importance to Chinese national security; categorization and protection are carried out based on that importance. In addition, the wide extraterritorial scope of the DSL mandates that international organizations that collect any kind of data in China or with China follow the newly laid rules. The DSL is designed to work in tandem with China’s Cybersecurity Law 2017 and the Personal Information Protection Law 2021, with the aim of building world-class cybersecurity and data protection regulations that are intended to become the gold standards in their respective fields. The DSL outlines how companies must manage and process their data, and its sole focus is on the processing activities of companies, whether international or native, that collect and process data and have their main establishment within the territorial limits of China. The DSL is expected to land a significant blow on companies’ present data processing activities, which will in turn affect business operations in China, as the new rules are more stringent and carry harsh punishments that attract criminal liability as well as heavy fines.
Like every other law in China, the DSL is straightforward, hard-hitting, and has some harsh penalties for violations of the law.
China is the world’s second-largest economy, and it is marching towards a future fused with Artificial Intelligence and a complete digital experience. A country with such a highly ambitious aim must ensure proper safeguards and regulations, but China has fallen short in protecting its netizens from cyber-attacks due to a lack of proper cybersecurity regulations and data privacy laws. One such incident is the CSDN breach, in which the largest software programmers’ website of China was hacked and more than 6 million users’ information was leaked. In another incident, the biggest Chinese online forum, known as Tianya, was hacked and more than 40 million users’ account information was leaked. Several popular websites such as 7k7k games, 360buy, Duowan, and Dangdang were all hacked and millions of users’ data were exploited, and a few of the websites’ databases, which included personal information, were even published online. China’s reliance on technology is rapidly increasing, and when a nation as big as China relies upon technology, the responsibility of providing data security and protecting the information of its citizens lies with the Government. Having taken all these aspects into consideration, China has come up with the DSL. One of the criticisms of the DSL is that it was rushed, as the entire law was given just two months’ time to implement. However, the DSL gives significant importance to China’s core interests (national security, public interest, and the national economy), and even an ounce of data processing, collection, storage, usage, disclosure, or publication relating to these subjects will be under strict surveillance under the DSL. Before the passing of DSL in July 2021, it was released to the public for reviews and comments in July 2020 and April 2021. There weren’t many amendments, but a few additions were made in terms of the penalty for violation, which was increased.
The DSL has been in force since September 2021, and since then, companies in China have been trying hard to comply with the law to ensure transparency.
The DSL solely or largely focuses on ensuring safe and proper processing activities by companies within China. Here are some of the key highlights of the DSL.
The scope of the DSL is very wide, but its prime purpose is to protect the rights and interests of citizens, to ensure a high level of data security, to develop data usage procedures, and to ensure national security and sovereignty. The DSL will act as security supervision over all data processing activities by companies within the territorial limits of China. The scope of the DSL also gives the state the power of extraterritorial reach, but only if it is found that data related to China has been processed outside of China and poses a threat to its national security. According to the DSL, the definition of data extends to any kind of cyber information created electronically, in hard copies, or in other forms. The definition of data processing is comprehensive: according to the DSL, it applies to all activities such as the collection, usage, storage, transfer, publishing, and disclosing of data. Though the DSL has defined Data, Data Processing, and National Core Data, it has left the huge task of defining Important Data to the native regulators according to their own sectors.
Classification of data
The world’s first data classification system has been introduced with the DSL. Data will be classified according to the kind of threat or damage that a data breach of any type would cause to China’s national security, national economy, and public interest. If the data is close to or falls within the ambit of these three fields, then data management, processing activities, and data protection must be conducted very carefully, as the regulations will be more stringent and the penalties harsher in case of any kind of breach. These strict regulations apply mostly to two specific categories of data: “National Core Data” and “Important Data”.
National Core Data
Any data which is related directly or indirectly to national security, the national economy, or the public interest is called national core data, and this data is subject to stricter regulations.
This concept was introduced in the Cybersecurity Law and adapted into the DSL. Companies must take appropriate measures to appoint a reasonable person and establish a data protection department to carry out periodic risk assessments and report the same to the relevant, higher authorities.
Not only China but every country is involved in the cross-border transfer of data. With the implementation of the DSL, the cross-border transfer mechanism and its management were made stricter and classified into various specifications. In the case of a cross-border transfer of important data, data collected within China through Critical Information Infrastructure Operators (CIIOs) is governed by the CSL 2017 and is bound to be stored within the territorial limits of China. When the time comes for a cross-border transfer, a prior security assessment carried out by the Cyberspace Administration of China (CAC) and the relevant departments appointed by the State Council must be completed. The DSL also prohibits sharing any kind of data stored in China with law enforcement or judicial authorities situated outside of China without prior approval from the Chinese government. If the data is transferred without prior approval, this leads to suspension of business licenses or huge penalties. This regulation of the DSL has created a rift among the companies that are established in China and offer their services to data subjects in the European Union, as they must comply with the EU GDPR. However, the DSL requires such companies to obtain prior approval from the concerned Chinese Government before transferring any kind of data outside of China.
Penalties under the DSL are very harsh and strict. They include suspension of business licenses, criminal penalties, and fines up to RMB 10 million, and if any individual is found guilty of any kind of data breach, he/she shall be subject to a fine of up to RMB 10 million along with criminal charges. In a few cases, a warning may be given along with an order to correct the violation within the specified time, or a fine between RMB 50,000 and RMB 75,000 may be imposed, if any specific obligations were not complied with.
The real impact of the DSL will come to light in the near future. As the law was passed a few months ago, it is too soon to judge the kind of impact that it will have on businesses. But one thing is certain: the DSL will surely have a major impact on the native tech giants rather than international companies, and the strict cross-border transfer rules will consume more time and potentially affect businesses in the long run. The DSL is an addition to the list of data protection laws around the world, and it is indeed very complex in nature and harsh towards its native businesses in terms of regulations, only with a view to protecting its national security and promoting transparency.