I cannot deny it. I was excited to read the draft Data Security Law after it was released by Beijing's top legislators earlier this month.
As the article below explains, the draft law contains some really interesting hints at the direction of travel in the mainland China market. For example, the law mandates innovation in data use cases to boost mainland China’s already sizeable digital economy; the draft requires government departments to open up some of their data to businesses and the public; and it alludes to the growing importance of data trading in data centre hotspots like Guiyang (did you see the pictures of a Tencent’s data centre literally built into a hillside, as inspired this earlier article?). All inspiring positives for business in mainland China.
What our international clients and the wider business community in mainland China really wanted to see, though, was clarity on cross-border data transfers. For some enterprises here, uncertainty on data export rules is delaying the rollout of new IT systems and cyber tools which would improve business efficiency and ultimately customer experience. Yet, the draft law skips over cross-border data transfers. It orientates the reader towards the forthcoming Export Control Law and, in doing so, effectively kicks the can down the road until that law or other rules are finalised.
On the one hand, I was relieved that the potential enactment of the onerous data transfer restrictions which had been suggested in previous draft measures was not on the page before me; but, on the other hand, more waiting is required – and with a certain amount of apprehension.
Why? Well, there is an explicit provision in the draft Data Security Law on imposing potential retaliatory measures against any country or region that formulates certain discriminatory measures against mainland China. These measures could be in relation to investment and trade relating to data, the development of data, or the use of technologies. Although not the first time this sort of provision has been included in legislation in this jurisdiction, we are currently operating in a tech world that is arguably struggling to develop its global potential because of geopolitical concerns. If future data export rules are published in tit-for-tat legislative warfare, the allusion to a bunker-like data centre will be an unfortunately poignant one...
So, for me, relief quickly changed to disappointment. While the current draft law has many points to praise in relation to the clear determination of the authorities in Beijing to create a business environment underpinned by advanced technology, there are provisions and terms that remain arguably vague and will need expansion in future drafts or the implementation rules that follow.
There is a pick-me-up, however. While disappointing from a privacy law perspective that the draft Data Security Law itself is light in the area of explicitly regulating personal information, there is a closing reference to data activities involving personal information being dealt with in other rules - presumably the eagerly-awaited Personal Information Protection Law that, when releasing this draft of the Data Security Law, the PRC authorities were clear to assert would be published in draft form (at least) later this year. Data privacy junkies take note.
It seems that my emotional rollercoaster is set to begin again soon!
(More analysis from us on the draft Data Security Law is available here)