China passes new data security law strengthening control over digital information

10 Jun, 2021 21:54
source: Singularity Financial

Singularity Financial Hong Kong June 10, 2021 – China’s top legislative body has passed a data security law, strengthening Beijing’s control over digital information amid a crackdown on local technology giants and market access disputes with the U.S.

The legislation was approved Thursday by the National People’s Congress Standing Committee, state broadcaster China Central Television said. The full text of the final legislation wasn’t immediately released.

The law represents “another important piece in the overall data protection regulatory jigsaw in China,” said Carolyn Bigg, a lawyer who specializes in intellectual property and technology matters with DLA Piper in Hong Kong. Companies will still need to wait for guidance and technical standards on the practical measures they must take to comply, she said.

Why is this new data security law significant?

On April 29, 2021, the Standing Committee of the National People’s Congress of China (“NPC”), the country’s top legislator, released the updated draft Data Security Law (the “DSL”) and draft Personal Information Protection Law (the “PIPL”) for public comments. The commenting period ends on May 28, 2021 and comments can be submitted through NPC’s official website.

In 2016, China promulgated its first landmark legislation in the cybersecurity and data protection area, the Cybersecurity Law (“CSL”), which primarily focuses on cybersecurity and the protection of the country’s Critical Information Infrastructure (“CII”).

To further address the rising concerns related to the protection of personal information and “important data” (left undefined in the DSL, but used broadly to refer to data that is important from a national security perspective), China followed up with two more significant legislative proposals in 2020: the first drafts of the DSL and the PIPL. The DSL is designed to regulate data processing activities that could have a national security impact, in particular those related to “important data,” while the PIPL focuses on protecting personal information. The second drafts of both of these laws have now been released for public comments.

Once finalized, these three laws, the CSL, DSL, and PIPL, will form an overarching framework that will govern data protection and cybersecurity in China for years to come.

Beyond these three laws, the proliferation of sector-specific rules, as well as other Chinese laws such as the Anti-espionage Law and the Encryption Law, could make data compliance in China more complex.

While some laws do not appear to be primarily focused on data protection and cybersecurity, they may have indirect impacts on data processing activities in specific sectors or under specific scenarios. For example, besides the CSL, operators of CII are also subject to data security obligations under the Anti-espionage Security Prevention Work Regulation (“Anti-espionage Regulation”), which was released by the Ministry of State Security on April 26, 2021 and took effect on the same day. The Anti-espionage Regulation requires that, among other things, CII operators must adopt technical measures to ensure data security of their network and their “core information technologies.”

Moreover, the Encryption Law, which took effect in January 2020, mandates that CII operators carry out a security assessment and go through a national security review for their use of encryption. It remains to be seen how this complicated web of regulatory requirements may be consolidated or whether the divergence will remain even after the finalization of the DSL and the PIPL.

Given the sweeping scope and the broad territorial reach of these laws, companies that process Chinese personal information or non-personal data should closely monitor these developments in the coming months.