New Heights in Data Protection: What You Need to Know About DSL
Summary:
- Some clauses in the DSL have extraterritorial effect and therefore apply to foreign companies.
- Processors of “important data" will face strict regulatory requirements.
- Multinational companies may face a legal compliance dilemma when there is a conflict between the rules in China and a foreign jurisdiction.
- Given that the DSL will take effect on Sept. 1, 2021, multinational companies should immediately take proactive actions to self-review and self-assess their data processing activities.
- Anticipate implementing rules and industry standards to supplement the DSL.
Less than one year after the publication of the first draft of the PRC Data Security Law (the DSL) (《中华人民共和国数据安全法》) and after two rounds of revisions and public comments, on June 10, 2021, the Standing Committee of the National People’s Congress of China passed the finalized law. As one of the highest-level laws governing data security and protection in China, the DSL, together with the Cybersecurity Law (《网络安全法》) that came into effect on June 1, 2017, forms the legislative basis for data security protection in China.
The DSL will come into effect on Sept. 1, 2021, leaving companies with a grace period of less than three months to conduct self-evaluation and self-correction. As summarized below, the DSL contains a number of core obligations on data security protection for entities engaged in data processing activities in China.
1. Jurisdictional scope and extraterritorial application of the DSL
The DSL not only applies to domestic companies in China, but also covers data-related activities conducted by foreign entities and individuals. Article 2 of the DSL provides that not only data processing and security supervision activities conducted in China, but also data processing activities taking place outside the territory of China to the detriment of national security, the public interest, or the lawful rights and interests of citizens and entities of China, fall under the scope of the DSL. It is worth noting here that, under the DSL, the term “data" refers to any record of information in electronic or other forms, and “data processing" activities include the collection, storage, use, refining, transfer, provision, or public disclosure of data.
From the corporate compliance perspective, foreign entities whose business and activities include processing the data of Chinese citizens, or whose data processing activities may have a substantial impact on China, should be cautious about potential liabilities under the DSL.
2. Notable obligations imposed on companies and individuals under the DSL
In general, companies’ obligations under the DSL include:
1) establishing and improving a data security management system that integrates every part of data processing activities;
2) organizing and carrying out data security education and training;
3) taking necessary technical measures to safeguard data security;
4) strengthening risk monitoring and taking timely remedial measures;
5) for entities who carry out data processing activities via information networks, such as the internet, performing the above data security protection obligations by obtaining certifications under the multi-level protection system (a mechanism mandated by the Cybersecurity Law); and
6) for “important data" processors, performing strict data security obligations.
Under the DSL, “data security" refers to taking necessary measures to ensure the state of effective protection and lawful utilization of data and the capability to safeguard the continuing state of security (Article 3 of the DSL).
More specifically:
a. Establish and deploy a data classification system
The DSL emphasizes that China will establish a classification and hierarchical data protection system at the national level (Article 21), which can be viewed as high-level guidance for companies’ establishment of their data classification. The DSL provides that to establish a data classification protection system, the regulators must consider the level of importance to the state’s economic and social development, as well as the degree of harm caused to national security, public interests or the lawful interests of citizens and entities if the data is tampered with, destroyed, leaked or illegally obtained or utilized (Article 21). Once their system has been established, companies should conduct self-examination and self-correction as soon as possible to ensure that their own classification system will comply with the national system.
b. Formulation of important data catalogs at national, regional and industry levels
Since the Cybersecurity Law took effect, the definition and scope of “important data" has been anticipated but has not materialized. For enterprises carrying out data-processing activities, there is no clear guidance available to help them determine what data can be categorized as “important data".
Under the DSL, China will establish a national mechanism to coordinate relevant authorities to prepare an “important data" catalog. More importantly, based on the national-level important data catalog, each regional and industry authority will then determine regional, ministerial, and relevant industry and sectoral important data catalogs. This means that in addition to national-level legislation, companies must also be mindful of the important data catalogs issued by the local governments in the areas where their business operates, and by the relevant authorities governing the industry of their business. This may present a challenge to small and medium-size companies with limited resources for data compliance.
Article 6 of the DSL may shed some light on the targeted industries that may need their own important data catalogs. This provision of the DSL stipulates that “regulatory authorities in industrial, telecommunications, transportation, finance, natural resources, public health, education, and scientific technology are responsible for the regulation of data security in their respective industries or sectors". By looking at existing and future rules and industry standards issued by relevant ministries, it is possible to glean more information on key industries of special concern in relation to data protection. For example, on May 12, 2021, the Cyberspace Administration of China (CAC) published the Several Provisions for the Administration of Automotive Data Security (Draft for Comments) (《汽车数据安全管理若干规定 (征求意见稿)》), which is China’s first ministerial regulation for data security management in the automotive industry, and is a regulatory response to data security issues that have attracted increasing attention in the development of smart cars.
c. Enhanced requirements for protection of important data
The DSL also puts forward a number of regulatory requirements for the protection of important data, including:
- Designated person and department: An entity processing important data must designate a person in charge of data security and a management department to perform data security protection obligations (Article 27, paragraph 2). Similar requirements can be seen in the Cybersecurity Law, which requires a network operator to appoint a person in charge of cybersecurity. The Second Draft of the PRC Law on the Protection of Personal Information (《中华人民共和国个人信息保护法 (草案) (二次审议稿)》) also requires a personal information handler to appoint a responsible person. However, for now, it remains unclear whether such a designated person under the DSL should or could be the same responsible person under other relevant laws, nor does the DSL specify the composition of the data security management department or its membership requirements.
- Risk assessment: Entities that process “important data" must periodically or regularly conduct risk assessments of their data processing activities, and submit risk assessment reports to the appropriate government authority. The risk assessment report must include items such as the category and quantity of important data processed, specifics on data processing activities, the potential risks to data security and the corresponding risk management measures (Article 30).
- Cross-border transfer of “important data": The Cybersecurity Law regulates the cross-border transfer of important data by critical information infrastructure operators (CIIOs). Similarly, the DSL provides that cross-border transfer of important data collected and generated by CIIOs must follow the Cybersecurity Law, and a security assessment must be conducted before the cross-border transfer (Article 31).
  The DSL also stipulates that non-CIIO data processors must follow the security management measures on cross-border transfer of important data, which will be announced in the future by the CAC and other relevant ministries of the State Council (Article 31). Whereas the Cybersecurity Law only regulates the cross-border transfer of important data by CIIOs, this clause of the DSL extends regulation to the cross-border transfer of important data generated by non-CIIOs.
  Entities violating the above obligation on cross-border transfer of important data (this applies to both CIIOs and non-CIIO data processors) may be subject to a fine ranging from RMB 100,000 to RMB 10 million, depending on the severity of the violation. Such entities may also be subject to suspension of certain business, suspension of the company’s entire business for overhaul, revocation of permits for specific types of business, or revocation of the company’s entire business license. The directly responsible person-in-charge and other directly responsible persons may be subject to a fine ranging from RMB 10,000 to RMB 1 million (Article 46).
d. Stringent regulations on a new category of data: “national core data"
Article 21 of the DSL introduces a new category of data defined as “national core data", which refers to data that matters to national security, the lifeline of the national economy, important aspects of people’s livelihood, or substantial public interest (Article 21, paragraph 2). Compared with other categories of data, national core data will fall under a more stringent management system; this can be seen by looking at the severity of relevant penalties. For violation of the national core data management system, the entity may face a fine ranging from RMB 2 million to RMB 10 million, and an order of suspension of certain business, suspension of the company’s entire business for overhaul, revocation of the permit for specific types of business, or revocation of the company’s entire business license. Moreover, the offender may face criminal liability if the offense is serious enough (Article 45, paragraph 2).
Although it is unclear how the scope of national core data will be determined, and the DSL does not specify management obligations relating to national core data, the regulators will likely formulate implementation rules in the near future. It should also be noted that the system to protect national core data will face higher scrutiny than that for important data, and companies should therefore establish their own national core data catalog (if applicable) and important data catalog as separate inventories.
e. Controls on providing data to foreign judicial or law enforcement agencies without government approval
Under the DSL, without the approval of the relevant authority of China, entities and individuals in China are prohibited from providing data stored in China to any foreign judicial or law enforcement authority (Article 36). Offenders may be subject to a fine ranging from RMB 100,000 to RMB 5 million depending on the severity of the consequences. Also, an entity may be ordered to suspend or temporarily shut down its business, or have its licenses or permits revoked (Article 48, paragraph 2). It should be noted that the previous two drafts of the DSL did not include provisions for such severe punishment. This demonstrates China’s current high degree of caution in relation to providing data to foreign authorities without approval. Under the DSL, and faced with conflicting legal requirements, multinational companies and their subsidiaries may face dilemmas in navigating and complying with requirements imposed by China and foreign jurisdictions.
f. Obligation for entities who provide data trading services
The DSL sets out obligations and corresponding liabilities for agencies that provide data trading services. When providing such services, data trading agencies must require data providers to explain the sources of the data, examine and verify the identity of the transaction parties on both ends, and retain transaction records (Article 33).
For violations of these obligations, regulators may order corrections, confiscate any illegal gains, and impose a fine of between one and 10 times the amount of the illegal gains. (Where there is no illegal gain, or the illegal gain is less than RMB 100,000, the fine imposed may range from RMB 100,000 to RMB 1 million.) In addition, the violator may be ordered to suspend relevant business and take corrective actions, or face revocation of relevant business permits or business licenses (Article 47).
g. The DSL and Export Control
In 2020, the Chinese government amended the PRC Export Control Law (《中华人民共和国出口管制法》), as well as the Catalogue of Technology Prohibited or Restricted from Export by China (the Catalogue) (《中国禁止出口限制出口技术目录》). Under the Catalogue, data related to certain technologies, such as AI, 5G, aviation and space, may be subject to export control. Article 25 of the DSL echoes such provisions in the Export Control Law. Multinational companies with technology research and development activities in China must pay particular attention to such legal restrictions, as the technologies and data developed by Chinese subsidiaries of multinational companies, even with financial and technical support from overseas parent companies, may still be subject to export control.
h. Countermeasures and Retaliations
Another area of concern to multinational companies may be the countermeasures and retaliatory steps that Article 26 of the DSL authorizes the Chinese government to take when a foreign government restricts Chinese companies or citizens in the development of, investment in, or trade in data or data-related technologies. Such a tug of war may put multinational companies in a difficult situation when there is a trade conflict between China and a foreign country.
i. Antitrust and Unfair Trade Practices
Similar to the US and European Union, the Chinese government has, in recent months, campaigned against major Internet companies that have allegedly violated anti-trust and unfair trade practice laws. Article 51 of the DSL specifically prohibits unfair trade practices such as stealing data, using discrimination or exclusion tactics, or other anti-competitive means. Some multinational companies’ subsidiaries in China have been investigated and penalized in this campaign. Multinational companies operating in this sector may need to carry out a self-assessment of their policies and practices.
j. Cooperation with Government Investigations
Article 35 of the DSL requires all companies and individuals to cooperate with investigations conducted by the police and national security authorities. The law also requires investigators to strictly follow procedures and obtain relevant approvals when collecting data for such investigations.
When multinational companies are requested to provide data to investigators in these circumstances, they are obliged to cooperate. They also have the right to request evidence of the investigators’ identities and legal authority.
Key takeaways
There is now less than three months before the effective date of the DSL (Sept. 1, 2021). Although many details of the new law remain unclear and implementation rules are still pending, companies should immediately take proactive actions to self-review and self-assess their data processing activities. It would also be advisable for multinational companies to monitor and study the upcoming implementation rules and industry standards related to the DSL to ensure they are fully up to date.
* This article was first published on China Law & Practice, www.chinalawandpractice.com.