Much anticipated, mainland China’s second cybersecurity pillar was finalised on 10 June in the form of the new Data Security Law (“DSL”).

What does it mean for those operating in the world’s second biggest economy?

National security continues to trend

The National People's Congress (“NPC”) – mainland China’s top legislative body – typically must go through 3 readings of a new law before releasing the final form. That can take many years. The seminal Foreign Investment Law took over 4 years, for example, before being launched at the start of 2020.

In contrast, the DSL is more of a hare than a tortoise of a law, taking less than 12 months from first to final reading. This indicates the importance of data security for China’s top leaders at a time when cybersecurity is becoming more crucial across the world: from EU with its Data Governance Act passed last year to the US’s Federal Data Strategy 2020 Action Plan. Indeed, data relating to national security - or newly coined “national core data” - is equated to the “lifeblood of the national economy” to be secured under a new “National Data Security Work Coordination Mechanism” (presumably with more details to follow). 

Digital China further boosted

Through the finalised DSL, the PRC authorities also promote the development of China’s data industry and wider digital economy. The whole of Chapter II of the new law focusses on national policies that support the development of the nation’s data industry, encouraging research, establishing national standards and professional institutions, and training up-and-coming talent. The final draft further requires improvements to public services by making full use of data and encouraging cross-sector cooperation in dealing with data security governance. The latter should be of interest to overseas standards bodies and other associations, although engagement with international organisations is arguably narrowed in scope from the second draft. 

Constants prevail

Some common themes continued across the drafting of the three versions of the DSL. Glancing at the final version shows less changes from its predecessor compared to the second, although the second draft also inherited the framework and major content from the first draft. 

What key points for businesses stand out in the final form DSL?

Cross-border transfers. The conditions to be satisfied and processes to be followed by all organisations wishing to export “important data” remain outstanding, both as applicable to organisations that may eventually be designated as operators of “critical information infrastructure” (“CII”, which is still undefined) under the Cybersecurity Law or non-CII operators. Future implementing rules will be crucial to bottom out this key issue for international enterprises’ IT, legal and compliance teams.

Extraterritoriality. Assertion of extraterritorial obligations remain in the DSL despite industry’s call for this to be pared back to match the scope of the Cybersecurity Law. China’s reaction to laws launched in other markets also carries heavy fines for violation of these requirements, in line with a continuing enforcement trend in China and globally. Specifically, organisations that provide data to overseas law enforcement agencies without prior regulator permission can face penalties of up to RMB 5 million (approx. USD 782,000) and suspension of their businesses. This is a five-fold increase in potential financial sanctions compared to the second draft of the law.

Higher penalties. On the same topic, the Personal Information Protection Law (“PIPL”) grabbed headlines on release of its first draft with its sanctions of up to RMB 50 million (approx. USD 7.82 million) or 5% of annual revenues for serious violations. Penalties under the DSL do not reach quite that high but authorities have increased fines in a number of areas, such as failing to undertake risk assessments on important data processing – now carrying a fine of RMB 2 million (approx. USD 313,000) despite the fact that “important data” is still not defined such that companies will struggle to make these assessments until further guidance is issued. Even more concerning for businesses, violations relating to national core data or unlawful provision of important data abroad may result in fines of up to RMB 10 million (approx. USD 1.56 million) but the definitions of these data types will be open to interpretation without further guidance from the authorities.

Privacy hidden from sight

Maybe just as notable for businesses as what is new in the final form of the DSL is what is not in there – or more precisely, alongside it. Although the second drafts of the DSL and the PIPL were released simultaneously in late April, it is hard not to notice that the PIPL – which focuses more on data protection and safeguarding individuals’ privacy rights – has been decoupled from the DSL in the latest round of the legislative process. The revised draft of the PIPL remains on the NPC Standing Committee’s 2021 working agenda, so it can be expected soon, but no definitive timetable seems to have been publicly set. 

Given the relative length and complexity of the PIPL, together with the much higher volume of public comments submitted after its second reading (the NPC published statistics suggesting 69.9% of the comments submitted during the PIPL and DSL’s parallel one-month consultation periods were attributable to the PIPL), it is unsurprising that lawmakers want to deliberate longer on this cornerstone legislation. While industry will welcome this, not having more certainty on its key provisions and timing for their release is why cybersecurity legislation remains the number one concern for many business operators in the mainland market.

What do I have to do next?

While the headline of the article below is maybe somewhat sensationalist, businesses operating in or with mainland China will need to assess what information types they do (and, given the vagaries of the law, may) have and, where necessary, adapt as quickly as they can.

CIOs, CTOs, GCs and DPOs may want to book a joint summer holiday, as organisations have only been given a little over two and a half months before the DSL goes live on 1 September!