How to Comply With China’s New Data Privacy Law
China has entered the data security regulation conversation with a sense of urgency missing from many U.S. state privacy laws. While it is commonplace here for laws to take effect years after being passed – with amendments and comment periods to boot – China promulgated its law earlier this month and has given organizations until September 1, 2021 to prepare.
This minuscule adjustment period might just bump the Data Security Law of the People’s Republic of China (DSL) to the top of your organization’s priority list. Even if your organization does zero business in China, the DSL carries many international implications and makes a concrete statement of intent on how one of the world’s biggest superpowers plans to regulate the digital economy.
This is not China’s first stab at regulating data security. The PRC Cyber Security Law (CSL) was enacted in November 2016 and has since regulated the use of systems and networks in digital data-processing activities.
The DSL serves to complement the CSL, rather than to replace it. It broadens the regulatory focus to include offline data-processing activities as well as digital ones, with a more activity-based approach to regulation. Let’s take a look.
Establishing China’s Data Security Priorities
Most laws we cover at ADCG outline specific data-handling guidelines that organizations must follow in order to comply. In contrast, the most relevant aspect of China’s law for an international audience is that it explicitly states China’s current stance on the evolving issue of data privacy.
Rather than looking at it from a human rights standpoint, China views proper and reasonable data usage as a necessary element of its broader goal: to develop and promote China’s digital economy. Viewing the law through this lens is crucial in order to unpack its implications on international business. While the DSL certainly touches on privacy at an individual level, make no mistake: China’s primary concern is its broader economic strategy.
Organizations looking for a specific set of rules to govern data transfers from China may have to wait. The DSL is a more general, principle-based law, so organizations should keep a keen eye on the development of additional supporting regulations that offer more concrete rules.
As you might expect, China does not limit the DSL to data actions within its borders. The scope of the law includes any processing activities outside of China that may undermine China’s public interests, national security or the rights of its organizations and citizens. However, the criteria for judging which extraterritorial activities fall within scope, and how organizations outside of China can be held liable, are left ambiguous.
That being said, there’s no reason to believe that China is letting extraterritorial organizations off the hook; it’s more likely that the specifics will be ironed out in further legislation. In fact, Article 21 of the DSL specifically directs the state to develop a mechanism through which data can be categorized by importance or risk of harm.
Stronger Protection for Certain Data
It’s likely that higher protection standards will be allocated to activity that poses a greater threat to China’s interests, while a more free-flow approach will be granted to data activity deemed necessary for China’s economic and social prosperity.
The law details that “important data” – as deemed so by supervisory authorities and China’s national security agency – will be subject to enhanced protections. However, there is still no information on what data will fall into this category and what measures would need to be taken to protect that data.
Even stricter regulations will apply to “national core data”, the definition of which is left equally ambiguous. This will include data related to vital public interests such as national security, the economy and important people’s livelihoods. However, it is still unclear how this type of data differs from the less strictly-regulated “important data.”
Existing drafts suggest that any data which, if leaked, could undermine or threaten national or economic security, social stability or public health may qualify as “important data.” This could include government data, population data or health data. Thus, it’s not a given that the type of personal data regulated by the California Consumer Privacy Act will fall under the DSL’s jurisdiction.
However, the DSL does make it clear that processors of data that meet the criteria will need to assign responsibility for DSL compliance to a data security officer and a data protection department.
The DSL also includes an obligation for processors of important data to submit regular risk assessments of their processing activity to authorities, outlining the nature of the processing, potential security risks and safeguards put in place to protect the data.
Data Transfers
Naturally, one of the most relevant parts of the law for American organizations will be any new regulations governing cross-border data transfers.
Currently, the CSL maintains that important data collected in China must be stored locally, unless cross-border transfers are necessary for business needs. In such cases, the data may be transferred abroad, provided a security assessment is conducted. However, this privilege is only afforded to organizations that are “critical information infrastructure operators.” Other organizations must wait for authorities to create regulations regarding data transfers.
Certain types of data may be regulated by China’s Export Control Law, which regulates the exports of nuclear items, military items, items used for both civil and military purposes, and any goods, services or technology related to the implementation of international obligations and the maintenance of national security. A more specific list of controlled items is set to be published by China’s export control administration.
The law maintains that, in order to export such items, organizations must seek an export license. Once an organization applies for a license, the Ministry of Commerce will decide whether or not to grant the request, taking into account the nature, sensitivity, destination and purposes of the exported items as well as the credit reputation of the organization. A license may be denied if the export in question does not align with China’s international obligations (such as treaties and agreements) or national security interests.
Organizations must await further clarification on the standards and definitions of “important data”, “national core data” and “controlled items.” However, if you think your organization processes such data, it’s never too early to reevaluate and strategically plan your Chinese business model, taking into account the risks of potential regulatory penalties for such activity.
If you choose to operate in China, be aware of your likely obligations under the DSL, including designating specific personnel to the task of data security, establishing a data security management system, conducting security training, monitoring and responding to security risks, and submitting formal risk assessments to Chinese supervisory authorities.
What Does This Mean for Businesses That Operate in China?
One of the biggest concerns for international organizations looking to do business in China is the existing power of the Chinese government to access their data, even if it is stored outside of China. The CSL granted very broad access powers to the Chinese government, and the DSL has doubled down on the notion that Chinese security authorities have the power to request access to data when access is necessary to protect national security or investigate crimes.
It is also notable that the DSL establishes the right of the Chinese government to discriminate against businesses from jurisdictions deemed to be discriminating against Chinese investment and trade. Thus, the law might create a basis for organizations to be treated differently under Chinese law depending on the country they are from.
Fines and penalties for violations of the DSL depend on the nature of the violation.
Organizations that breach the DSL’s data security protection obligations may be subject to a fine from RMB 50,000 ($7,725 USD) to RMB 2 million ($309,000 USD), while individuals responsible may be fined up to RMB 200,000 ($30,900 USD).
For violations deemed to impede or endanger national sovereignty, security or development interests, organizations will face fines between RMB 2 million and RMB 10 million ($1.5 million USD).
Violations of cross-border transfer requirements carry fines of up to RMB 10 million for organizations and RMB 1 million ($154,500 USD) for individuals.
For sharing data stored in China with foreign judicial or law enforcement agencies without first obtaining approval from the Chinese government, the fine is up to RMB 5 million ($772,500 USD) for organizations and RMB 500,000 ($77,250 USD) for individuals.
Organizations that refuse to cooperate with access requests from the Chinese government may be fined up to RMB 500,000, while individuals face a maximum fine of RMB 100,000 ($15,500 USD) for such an offense.