On July 3, 2020, the Standing Committee of the National People’s Congress (NPC) published the draft Data Security Law (Draft Law) for public comment through August 16, 2020.1 The Draft Law constitutes a further step in the development of China’s data protection regime under the framework of the Cybersecurity Law (2017) which also awaits publication of the draft Personal Information Protection Law. Formulation of the Draft Law has been on the NPC’s legislative agenda since September 2018.
The Draft Law consists of 51 articles across seven chapters: General Principles, Data Security and Development, Data Security System, Data Security Protection Obligations, Security and Opening of Government Affairs Data, Legal Liability and Miscellaneous. Although undefined in the Draft Law, the term “national security” is a broad and expansive concept under the National Security Law (2015)2 and appears 11 times in the Draft Law. Its broad scope and extraterritorial reach pose particular risks for foreign companies as well as media organizations and their personnel. Most importantly, the Draft Law grants sweeping power in the name of national security to relevant Chinese government officials to access the data itself and regulate (including the powers to prosecute and investigate) data controllers regardless of whether they are located inside or outside China.
As the Draft Law applies to data within the territory of the People’s Republic of China without qualification for its two Special Administrative Regions under the One Country Two Systems concept (Article 2), it would apply to data in Hong Kong and Macau as well as Mainland China. In this respect, the Draft Law would further diminish Hong Kong’s separate status already diminished effective July 1 in the National Security Law of the Hong Kong Special Administrative Region.
“Data” is broadly defined under Article 3 of the Draft Law as “any electronic or non-electronic records of information”. In addition, “Data Activity” is defined as “such activities as data collection, storage, processing, usage, provision, transaction and publication;” and “Data Security” is defined as “the ability to ensure that data receives effective protection, will be used legitimately and remains in secure condition through the adoption of necessary measures”.
While the Draft Law primarily focuses on security, it would also foster the efficient utilization of government and other data to develop a digital economy and big data economy in China (Articles 13-18). While the Draft Law endorses internal exchanges and cooperation on data (Article 10), the country’s large population and relative weakness of personal protections on access to data is widely perceived as an important economic and strategic asset in China.
In particular, the Draft Law would:
- establish extraterritorial jurisdiction over companies and individuals outside China if their Data Activity harms the national security of China (Article 2).
- introduce a multi-level protection scheme to protect data based on its importance and the severity of harm to national security should such data be damaged, and require regional governments and sectoral government departments to produce catalogues of important data (Article 19).3
- establish a data security review system to review the impact of Data Activity on national security (Article 22).
- institute a data export system in accordance with law to fulfill international obligations subject to the protection of national security (Article 23).
- allow China to retaliate against discriminatory investment and trade measures imposed on China in relation to data and data development technologies (Article 24).
- require prior approval before any domestic organization or individual can transfer domestic data to any overseas law enforcement agency (Article 33), which is consistent with China’s standpoint on mutual legal assistance.
The principal elements of the Draft Law are summarized below:
The central national security leading organ, i.e., the National Security Commission of the Communist Party of China, a body outside and above the government, would be responsible for data security decision making and the formulation of national data security strategy (Article 6). Governments at all levels and all government departments would be responsible for the security of data produced, aggregated and processed in the performance of their respective tasks. Such sectoral departments as industry, telecommunications, natural resources, healthcare, education, national defense technology industry, and finance are specifically referenced in the Draft Law for the supervision and management of data security within their respective industries and sectors. As the National Security Law also identifies such other matters as energy and food within the concept of national security, other government departments are also likely to have data security responsibilities. At the same time, the state security and cyberspace administration authorities would have overarching duties within their respective responsibilities (Article 7).
Extraterritorial reach and retaliation against foreign government actions
The Draft Law makes clear that foreign organizations and individuals will be held accountable should they conduct Data Activity that compromises China’s national security, public interest or the legal rights and interests of Chinese citizens or organizations (Article 2).
China may also apply reciprocal countermeasures with respect to any country or region which imposes prohibitive or restrictive investment or trade measures that are discriminatory in their nature against China with respect to data or data development and utilization technologies (Article 24).
Where foreign law enforcement bodies need to retrieve data stored within China, organizations and individuals shall report the matter to the relevant competent authority, and may provide the data only after receiving permission. Where China has concluded or joined an international treaty or agreement with provisions on foreign law enforcement bodies retrieving domestic data, those provisions shall apply (Article 33).
Data development and utilization
China will give equal weight to data security and data development and utilization (Article 12). The government will implement a big data strategy and advance the buildup of data infrastructure. Provincial government shall formulate digital economic development plans as part of their national economic and social development plans (Article 13). China will foster and develop data development and utilization and data security products as well as a data industry system (Article 14). China will promote the development of data security assessment and certification services, and support the service activity of such assessment and certification institutions (Article 16). China will establish and develop a data transaction management system, and nurture a data transaction market (Article 17).
Data security protection
China will implement data protection by category and classification. Regional governments and sectoral government departments will be responsible for finalizing catalogues of important data for protection in their respective region, department or industry, and data listed in a catalogue will be subject to priority protection (Article 19). Measures to protect military data will be formulated by the Party’s Central Military Commission (Article 50).
Processors of important data will be required to conduct periodic risk assessments of their Data Activity and submit the risk assessment reports to the competent authority. The risk assessment report shall include: categories and quantities of important data controlled by said organization, how data is collected, stored, processed and used, as well as data security risks confronted and countermeasures taken (Article 28). However, the Draft Law lacks a clear definition of “important data” with respect to national security, creating potential for over or under-inclusivity.
China will establish a data security review system to review the actual and potential national security impact of Data Activity, and any relevant decisions will be final (Article 22). Data that is classified as a Controlled Item4 in connection with the performance of international obligations or protection of national security will be subject to export controls (Article 23).
Where public security and national security authorities need to retrieve data in order to safeguard national security or investigate a crime, they shall, in accordance with relevant State regulations, undergo strict approval procedures and proceed in accordance with the law; relevant organizations and individuals shall provide cooperation (Article 32). State organs will be required to collect and use data pursuant to law and administrative regulations and within the confines of their statutory duties (Article 35).
Where major security risks are triggered, the relevant organizations and individuals may be summoned to appear in in-person meetings with regulators, and shall take corrective measures to eliminate potential dangers (Article 41). Organizations or individuals which fail to perform data security protection obligations or take necessary security measures, refuse to correct wrongdoings or cause such serious consequences as massive data leakage will be punishable by confiscation of proceeds and a fine up to RMB 1 million, and the directly responsible supervisor and other directly responsible personnel will be fined up to RMB100,000 (Articles 42-43).
Civil liability, criminal liability, and public security administration penalties will also be applicable (Articles 43-48).
The Draft Law will constitute a substantial expansion of China’s data protection regime, and should be read together with other laws, regulations and national standards governing data, with more to come. For example, the Draft Law does not address Data Activity involving personal information which is expected to be addressed in the pending Personal Information Protection Law. Other than requiring prior approval for transmitting domestic data to overseas regulators, the Draft Law is also largely silent on data security protection when transferring data (especially personal information and important data) overseas, for example, there do not appear to be any new restrictions on the export of data by foreign-invested enterprises in China to their foreign parent or affiliates. The Draft Law if enacted in its current form will nevertheless grant the Chinese government sweeping power in the name of national security to regulate not only Chinese entities and individuals, including foreign-invested companies and other entities within China, but also foreign entities and individuals and entities and such parties in Hong Kong and Macau regarding their Data Activity.