The “Data Security Law” will come into force on September 1, 2021

On June 10, 2021, the 29th meeting of the Standing Committee of the Thirteenth National People’s Congress passed the “Data Security Law”, which will come into force on September 1, 2021. This law is not only the fundamental law in the field of data, but also an important law in the field of national security. However, since most of its provisions are statements of principle, the implementing rules, regulations and guidelines of the relevant competent authorities are still awaited.

For that reason, we introduce only two aspects of this law: the scope of “Data” regulated by the law, and enterprises’ main obligations for data security protection together with the consequences of violating them.

1. The scope of “data” regulated by this law.

The law stipulates that the term “Data” refers to any recording of information by electronic or other means. Compared with the “National Security Law” and the “Cyber Security Law”, this law brings ordinary paper-based records within the scope of “Data”, which fills a gap in the categories of “Data” under the current legislative system.

2. Enterprises’ main obligations for data security protection and the consequences of violations.

Articles 27 to 43 in Chapter 4 of the “Data Security Law” stipulate the main obligations as follows:

Article 27: a) To establish a sound data security management system throughout the whole process, organize data security education and training, and take corresponding technical measures and other necessary measures to ensure data security. b) Where data processing activities are carried out by making use of the Internet or any other information network, the aforesaid obligations for data security protection shall be performed on the basis of the graded protection system for cyber security. c) Processors of important data shall specify the person(s) responsible for data security and the management body, and implement the responsibility for data security protection.

Article 29: To strengthen risk monitoring: a) Remedial measures shall be taken immediately upon discovery of any data security defect or bug. b) Disposal measures shall be taken immediately upon occurrence of a data security incident, users shall be notified in a timely manner, and reports shall be made to the relevant competent authority.

Article 30: Processors of important data shall, in accordance with the relevant provisions, carry out risk assessment on their data processing activities on a regular basis and submit a risk assessment report to the relevant competent authority.

Article 31: a) The Cyber Security Law shall apply to the security management for the cross-border transfer of important data collected and produced during operation by key information infrastructure operators within the territory of the People’s Republic of China. b) The administrative measures for the security management for the cross-border transfer of important data collected and produced during operation by other data processors within the territory of the People’s Republic of China shall be formulated by the state cyberspace administration in concert with the relevant departments under the State Council.

Article 33: In the provision of services, an institution engaged in data transaction intermediary services shall require the data provider to explain the data source, examine the identities of both parties to the transaction, and keep the examination and transaction records.

Article 35: Where a public security organ or State security organ needs to retrieve data for the purpose of safeguarding national security or investigating crimes in accordance with the law …… and the relevant organizations and individuals shall provide cooperation.

Article 36: No organization or individual within the territory of the People’s Republic of China may provide foreign judicial or law enforcement authorities with the data stored within the territory of the People’s Republic of China without the approval of the competent authorities of the People’s Republic of China.

Articles 45 to 48 of this law clearly stipulate the consequences of violating the above-mentioned obligations. Depending on the level and importance of the data and the specific circumstances of the violation, the violating party may be ordered to make rectifications, be warned, and/or be concurrently fined not less than RMB 50,000 but not more than RMB 500,000; the person directly in charge and other directly liable persons may be fined not less than RMB 10,000 but not more than RMB 100,000; and in severe cases, the party may be ordered to suspend the relevant business or cease business for rectification, and the relevant business permit or business license may be revoked.

In addition, it is worth noting that, as a catch-all clause, Article 8 of the “Data Security Law” sets out the basic principles for carrying out data activities, namely: “Whoever carries out data processing activities shall abide by laws and regulations, show respect for social morality and ethics, observe business ethics and professional ethics, be honest and trustworthy, perform the obligations of data security protection and undertake social responsibilities, and shall not endanger national security or public interests, or damage the legitimate rights and interests of individuals or organizations.” In view of this, where Articles 27 to 43 cannot be effectively applied to an individual case, it is very possible that Article 8 will be applied instead.

Generally speaking, companies are advised at this stage to gain a comprehensive understanding of the trend and basic requirements of data security, and to initiate an internal compliance diagnosis in accordance with the relevant laws and regulations. Moreover, they should also pay attention to the follow-up supplementary regulations.