
What is China’s Data Security Law?

Published August 9, 2021 / Updated December 13, 2023
Contributors

Anas Baig

Product Marketing Manager at Securiti

Muhammad Faisal Sattar

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/Asia


In China, the following are three main laws that cover the data privacy and data security regime:

The focus of this article is on the DSL that was promulgated to standardize data processing activities, ensure data security, promote data development and utilization, and protect the legitimate rights and interests of individuals and organizations.


Scope of Application and Extraterritorial Effect of DSL

The DSL applies to and regulates data processing activities by organizations and individuals, and security supervision of such activities within the territory of China. The DSL also regulates data processing activities conducted outside of China that harm China’s national security or the public interest, or the legal interests of citizens and organizations in China. It would be right to state that DSL has extensive and extra-territorial application. It imposes a number of obligations on organizations and individuals even those that are not based in China regarding data categorization and classification, data risk controls and risk assessments, cross-border data transfers, and data export controls.

The DSL applies to data recorded in electronic and other forms including digital and cyber information, and information recorded in other forms such as paper records. Data processing activities regulated by DSL include, without limitation, the collection, storage, use, processing, transmission, provision, or disclosure of data.

Organizations and individuals need to understand and fulfill the following requirements of the DSL in order to avoid unnecessary compliance risks and penalties:


1. Data Categorization and Classification Under DSL

The DSL categorizes data into two main classes: National Core Data and Important Data. The DSL prescribes stricter regulation and protection of “National Core Data”, which covers data related to national security, the lifeline of the national economy, and people’s livelihoods, and which is important to major public interests. At the moment there is no clarity on which categories of data will fall under important data under the DSL. The Chinese government will set official criteria for industry-specific important data rather than allow business operators to decide the scope of important data at their discretion. However, under the CAC Draft Data Security Administration Guidelines published in May 2019, important data refers to data that, if leaked, may directly affect national security, economic security, social stability, public health, and safety.

As described under Article 21 of the DSL, the government of China will establish a hierarchical data classification management and data protection system focused on the importance of different types of data to the national economy, national security, and public interest.

The relevant departments which shall be responsible for the development of the hierarchical categorization and multilevel data security schemes are as follows:

  • The national data security coordination mechanism will coordinate with the relevant departments to formulate an important data catalogue at the national level.
  • Different administrative regions and regulatory authorities of different industrial sectors (the relevant departments) will formulate their own specific important data catalogs with protection requirements.

This will affect how organizations structure their own data classification programs regarding important data and multilevel data protection schemes to protect certain categories of information.


2. Cross Border Data Transfers and Data Localization

Critical Information Infrastructure (the “CII”) refers to information infrastructure in important industries and sectors (such as information service, public service, and e-government) and other information infrastructure that, if leaked, may severely threaten the national security, national economy, people’s livelihood, and public interests.

The DSL imposes different cross-border data transfer requirements on CII operators than on non-CII operators. Article 31 of the DSL provides that CII operators must comply with the data localization and cross-border data transfer measures prescribed under the CSL and subsequent measures. Under the CSL, CII operators are required to ensure that important data collected or generated in China is stored within China. CII operators can only transfer data out of China when:

  • There is a genuine business necessity;
  • The network operator conducts a security assessment in accordance with the measures jointly defined by China’s Cyberspace Administration (the “CAC”) bodies and the relevant departments under the State Council; and
  • The CII operator obtains the consent of the concerned individual to transfer personal information outside of China (unless such consent is implied because the individual is the one sending such information).

Non-CII operators transferring "important data" outside of China, on the other hand, will be required to comply with the rules to be formulated by the CAC and the relevant authorities under the State Council.

Most importantly, the DSL explicitly prohibits organizations and individuals from providing any data stored in China to foreign law enforcement authorities or other foreign judicial departments without obtaining prior approval from the Chinese government. Organizations need to understand that this obligation would significantly impact their cross-border data transfers for the purposes of legal proceedings.


3. Data Security Management System

The DSL requires organizations to adopt technical, organizational, and other data security measures to safeguard the protected data categories, and to establish and complete a data security management system. The DSL also obliges organizations to provide data security training and to designate individuals and departments responsible for data security.

As per Article 29 of the DSL, organizations should also strengthen their risk monitoring measures and take timely remedial measures in the event any security flaw, vulnerability, or other risk is discovered.

Furthermore, under the DSL, organizations that are processing data through the internet are required to comply with the Multi-level Protection Scheme ('MLPS'), a classification system for companies physically located in China and adopted under the CSL. Under MLPS, organizations should:

  • Ensure their networks are protected against interference, damage, or unauthorized access, and
  • Classify their infrastructure and application systems in five separate protection levels and fulfill protection obligations as described under Article 27 of the CSL.

4. Risk Assessments

Under the DSL, China will establish a uniform, authoritative system for data security risk assessment reporting. Article 30 of the DSL imposes an obligation on all organizations to periodically carry out risk assessments of their data handling activities and practices for the handling of "important data". Organizations are also required to send these risk assessments to the relevant regulatory departments. Organizations should include the following information in such risk assessment reports:

  • The categories and quantities of important data processed;
  • How the data processing activities are carried out; and
  • Relevant data security risks and response mechanisms.

5. Data Incident Response and Notifications

Similar to the data incident response obligations under the CSL, the DSL also requires organizations to have incident contingency plans in place. As per Article 29 of the DSL, organizations have the obligation to immediately remediate the incident, promptly notify relevant individuals, and report such data security incidents to the regulatory department(s). As required under Article 23 of the DSL, a national data security emergency response mechanism will be established by the Chinese government, requiring regulatory departments to initiate emergency response plans in the event of a data security incident.


6. Data Trading Intermediary Services Obligations

The DSL requires that organizations engaged in data trading intermediary services shall require the data provider to fulfill the following requirements:

  • Explain the source of the data;
  • Examine the identity of both parties to the transaction; and
  • Keep audit and transaction records when providing services.

7. Other General Obligations

  • Organizations and individuals are required to adopt a legal and legitimate way to collect data, and should not steal or obtain data in other illegal ways.
  • Where laws and administrative regulations contain provisions on the purposes and scope of data collection and use, organizations must collect and use data within the purposes and scope prescribed by laws and administrative regulations.

Penalties for Non-Compliance

Chapter VI of the DSL provides that organizations and individuals who fail to comply with DSL requirements may face enforcement notices/warnings and fines up to RMB 1 million in severe cases, as well as sanctions with very significant operational consequences such as suspension of business, etc.

Individuals and organizations that fail to meet the data security protection obligations of the DSL may be subject to an order to correct, a warning, and/or a fine of not less than RMB 50,000 but not more than RMB 500,000. Furthermore, criminal liability may be imposed if a violation of the DSL amounts to a criminal offense; such criminal liability may extend to individuals or directors of organizations.

The DSL also provides individuals a right to complain and bring civil claims against any non-compliance with the DSL.


How Securiti Can Help

Global privacy regulations are encouraging organizations to be responsible custodians of their consumers' data and automate privacy and security operations. In order to operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape. Several organizations offer software that helps companies comply with global privacy regulations, but these solutions have been restricted to mainly process-driven tasks or rudimentary data-driven functions.

Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with China’s Data Security Law, as well as other privacy and security regulations all over the world. See how it works. Request a demo today.


Frequently Asked Questions (FAQs)

The Data Security Law in China governs the creation, use, storage, and transfer of data in China. More specifically, it is focused on protecting national security and the public interest. It also sets requirements for data processing and cross-border data transfers.

The Chinese cybersecurity law includes various regulations aimed at safeguarding China's cyberspace and network security. The Data Security Law is a component of this broader framework, focusing specifically on data protection and security measures.

China has implemented a comprehensive system of internet censorship and content control called the Golden Shield Project and colloquially referred to as the "Great Firewall of China." This system restricts access to certain websites and platforms and monitors online content for compliance with government guidelines. It also includes restrictions on virtual private networks (VPNs) and other tools used to bypass internet censorship.
