Earlier this June, China passed the Data Security Law (“DSL”), which will go into effect on September 1, 2021. Unlike many international data security laws, the DSL is not restricted to personal information and instead regulates data broadly to include any record of information in electronic or other forms. However, consistent with many international privacy and data security laws passed post-GDPR, the DSL will have extraterritorial reach.
Specifically, the DSL applies not only to processing personal data within China but also to any personal data processing activities that occur outside of China that threaten Chinese national security, public interest, or the lawful interests of its citizens or organizations. If this describes something your organization engages in, here are the top operational requirements covered by the DSL:
- Establish a data security management system across the organization. This should include providing data security training, implementing appropriate measures to safeguard data, and designating a data security officer if the organization processes important data.
- Actively monitor data security risks. When a risk is discovered, such as data security defects or leaks, the organization must take immediate remedial actions. When a data security incident occurs, the organization must immediately take responsive measures, notify users, and report to regulatory departments where required by law.
- Periodically conduct risk assessments and submit a risk assessment report to departments responsible for data security duties in accordance with regulations. The risk assessment report shall include the categories and quantities of important data processed, how data processing activities are carried out, as well as the data security risks and safeguarding measures the organization has taken.
- Cross-border transfers of important data must comply with either the Cybersecurity Law (“CSL”) if the organization is a “critical information infrastructure” under the CSL, or the rules to be formulated by the state cyberspace administration and relevant departments of the State Council. The implementing rules for organizations that are not critical information infrastructures are pending. Failure to comply with the cross-border transfer restrictions may result in fines of between $15,500 and $155,000.
- Data must be collected in a manner that is lawful and justified. Stealing or obtaining data illegally is prohibited. If the scope or purpose of data collection or use is restricted by law or regulation, it shall not be collected or used beyond such purpose.
- Data intermediaries must require data providers to explain the data source. Data intermediaries must also examine and verify the identity of both parties and retain transaction records. For noncompliance, data intermediaries may be fined up to 10 times the amount of any illegal gains, or between $15,500 and $155,000 if there were no monetary gains.
- Get a license to engage in certain data processing activities if required by law to do so.
- Cooperate with data access requests from the public security agency and national security agency.
Other than as described for the specific noncompliance activities above, fines for noncompliance generally range from about $7,750 to $77,500, which may be increased to up to $310,000 for organizations that refuse to make corrections after earlier warnings of noncompliance or whose noncompliance results in a data breach or other serious consequence.
While the DSL provides for some specific operational requirements, such as the ones set forth above, the bulk of the DSL merely provides a general framework for government agencies to set out further detailed implementing rules. We will continue to monitor for updates on the implementing rules when they become available.
Moreover, unlike many international privacy and data security laws passed post-GDPR, the DSL is not an omnibus privacy and data security law that wholesale replaces China’s existing privacy and data security laws. In addition to the DSL, China’s Cybersecurity Law (CSL) and/or Personal Information Protection Law (PIPL) may apply to an organization’s Chinese data processing activities, particularly where the organization may be required to comply with data localization requirements. If processing Chinese data is critical to an organization’s operations, it is important to work with professionals with expertise in Chinese data security and privacy law to navigate this complex legal landscape.