China’s Data Security Law: Analysis and Compliance Guidance
On 10 June 2021, the Data Security Law of the People's Republic of China (hereinafter the “DSL") was adopted at the 29th session of the Standing Committee of the 13th National People's Congress and promulgated. The DSL will become effective as of 1 September 2021, leaving companies less than three months to adapt. The DSL is the fundamental law in the data security sphere; together with the Cybersecurity Law (hereinafter the “CSL") and the Personal Information Protection Law (Draft), it outlines the data regulatory framework in China. Specifically, the DSL contains 7 chapters and 55 articles, which broadly cover data security mechanisms, obligations and liabilities at both the State administration level and the data handler level. In this article, we analyze the key contents of the DSL and provide a practical compliance guideline for a better grasp of the law's implications for your business.
1. Applicable Scope
This law applies to data handling activities conducted within the territory of China and to the security supervision and administration of such activities. The DSL also has a certain extra-territorial application: it states that “data handling activities conducted outside the territory of China that harm national security, public interests or the legitimate rights and interests of citizens and organizations of China shall be held legally liable in accordance with laws".[1]
2. Regulatory Framework
The DSL expressly outlines the data security regulatory framework. It specifies the leading role of the central leading institution for national security, especially in coordinating data security work at the State level through the coordination mechanism. The DSL clarifies the respective data supervision responsibilities of the various national public departments (for example, the State Cyberspace Administrative Departments, the public security organs and the national security organs) and of the industrial competent authorities, so as to avoid ambiguous and overlapping administration.
Picture 1. Data security regulatory framework
3. Systematic Data Security Protection Mechanism
In Chapter III, the DSL sets out a comprehensive, top-down design of data security mechanisms, consisting of:
Hierarchical Data Classification Mechanism. [2]
- Classification Standard: Under this mechanism, data is classified according to its importance to economic and social development and to the degree of harm to national security, public interests or the legitimate rights and interests of individuals and organizations that would result from a security incident.
- Important Data: Article 21 of the DSL specifies that Important Data shall receive prioritized protection. As for the formulation of the Important Data Catalogue, the relevant departments under the coordination mechanism of the central leading institution for national security shall formulate the catalogue at the State level, and each region and sector shall then develop its own specific catalogue.
- Core Data: The notion of “Core Data" is introduced for the first time; it refers to data relating to national security, the lifeline of the national economy, important aspects of people's livelihood and major public interests. [3] Article 21 stipulates that Core Data shall be administered under a more stringent regime. Companies shall pay close attention to any further legislative developments in relation to Core Data administration.
Data Security Risk Prevention and Incident Response Mechanism. [4] A State-level data security risk assessment, monitoring and early warning mechanism, as well as an incident response mechanism, will be established to prevent and mitigate potential data security risks in a more centralized, unified and efficient way.
National Security Review Mechanism.[5] The DSL, in convergence with the National Security Law, stipulates that data handling activities that affect or may affect national security shall be subject to national security review.
Export Control Mechanism. [6] In line with the Export Control Law, data concerning national security and data covered by international obligations that China is fulfilling are subject to export control.
Countermeasure Mechanism. [7] China may adopt equivalent countermeasures against any prohibitive or restrictive measures imposed by any country or region on data-related investment or trade.
4. Comprehensive Data Security Protection Obligations
The DSL places a raft of data security protection obligations on data handlers throughout Chapter IV. It should be noted that the DSL merely provides the scaffold and will require supplemental regulations, national standards and guidance for implementation in practice. Companies shall keep a close eye on legislative developments for compliance purposes. Obligations under the DSL mainly comprise:
Data Security Management System. Companies shall establish and improve a whole-lifecycle data security management system, take corresponding technical and other necessary measures to ensure data security, and conduct relevant data security education and training. [8]
Multi-Level Protection Scheme (MLPS). By stating that “data security protection obligations shall be fulfilled on the basis of MLPS when conducting data handling activities via the Internet and other information networks", the DSL establishes the fundamental role of MLPS in data security protection. [9]
Data Collection and Handling. Data handling activities shall conform to social morals and ethics. [10] Data collection shall be legitimate and fair. [11] Where laws and administrative regulations prescribe a purpose and scope for the collection and use of data, collection and use shall be limited to that purpose and scope. [12]
Important Data Handling and Cross-border Transfer.
- Responsible Person: Handlers of Important Data shall designate the person responsible for data security and the management body that will implement and fulfil the data security protection obligations. [13]
- Regular Risk Assessment: Handlers of Important Data shall conduct risk assessments regularly and submit the risk assessment reports to the competent authorities. [14]
- Data Localization and Cross-border Transfer: Important Data collected or generated by critical information infrastructure operators (CIIOs) shall be stored within the territory of China and, where transfer outside the territory of China is truly necessary, shall pass the security assessment conducted by the State Cyberspace Administrative Departments, as prescribed in Article 37 of the CSL. The cross-border transfer of Important Data by non-CIIOs shall be regulated by measures to be enacted by the State Cyberspace Administrative Departments together with the relevant departments of the State Council. [15]
Security Risk Monitoring and Incident Response Obligations. [16] Data handlers shall enhance risk monitoring and take immediate remedial measures for any security bugs or vulnerabilities. Data handlers shall respond quickly to any data breach, inform users and report to the competent departments in a timely manner.
Enforcement Cooperation. Domestically, companies shall cooperate with legitimate requests for data retrieval by public security organs and national security organs. [17] Internationally, companies and individuals shall not provide data stored within the territory of China to foreign judicial or law enforcement agencies upon their request unless approved by the competent authorities. [18]
Data Transaction and License Requirement. Companies conducting data handling activities shall obtain the relevant license qualifications prescribed by law (for example, the ICP, IDC and EDI licenses under value-added telecommunication services). [19] Data transaction intermediaries shall verify the identity of the parties to a transaction, obtain a description of the data source and retain the documentation. [20]
5. Promotion of Data Development and Utilization
Data development and utilization is the other limb of the DSL. Article 13 expressly states that the State advances data development and data security as a whole. In general, the State promotes data development and encourages data application by setting up a national data security standardization system, promoting data security testing, evaluation and certification services, building a comprehensive data transaction administration system, etc.
6. Legal Liabilities
The liabilities under the DSL mainly consist of correction orders and warnings by the relevant competent authorities, suspension of the relevant business for rectification, revocation of business permits or licenses, monetary penalties and, where the conduct constitutes a criminal offense, criminal charges. The monetary penalties imposed by the DSL apply both at the company level and at the level of the directly responsible persons in charge, as listed below.
Chart 1. Monetary penalties
The DSL Compliance Obligation List and Guidance for Companies