China publishes Draft Data Security Law


China's National People’s Congress Standing Committee published the Draft Data Security Law on 2 July 2020 to solicit public opinion. Once finalised and passed, this new law will be the first designated data security law in China.

Under this Draft Law, “data” refers to any records of information in either electronic or non-electronic forms. “Data activities” refer to actions including collection, storage, processing, use, supply, trade and the publishing of data.

If these definitions are strictly interpreted, the processing of personal data will also fall within the Draft’s regulatory scope, although one clause, which states that “data activities involving personal data shall follow applicable laws and administrative regulations”, could suggest otherwise.

The Draft's requirements apply to data activities carried out within the territory of China, but also to data activities carried out by organisations and individuals outside of China if such activities threaten to harm China’s protected interests, such as national security, public interest, or the legal interests of citizens or organisations.

Two important administrative systems are expected to be established under the Draft:

  • Classified data protection: where data will be classified into different levels according to the data's economic and social importance, and the degree of damage to China's protected interests in the event that data is tampered with, destroyed, leaked, or illegally obtained or used. Different security requirements apply to data falling into different levels. Government authorities will also formulate catalogues of “important data” within their jurisdictions, and implement enhanced security measures to protect these important data.
  • Data security review: where data activities that may affect national security will be subject to security reviews organised by government authorities. The administrative decisions issued in such reviews will be final and not subject to appeal. The Draft, however, does not provide any specific standards on the exact data activities that will be viewed as having an impact on national security.

When carrying out data activities, organisations and individuals must follow all mandatory requirements provided at the statutory level and all relevant national standards. They must also establish data-security management systems, organise security trainings, take appropriate technical measures and monitor data incidents. Where important data are involved, periodical risk assessments must be conducted and reported to the authorities.

Organisations providing data-trade intermediary services must request that the party providing the data specify the sources and identify the parties providing and receiving the data. Organisations operating online data-processing services must obtain any required administrative licences or complete recordals with authorities. The Ministry of Industry and Information Technology and other relevant authorities will shortly formulate the scope of these services and the applicable licensing requirements.

The Draft also states that China will participate in the formulation of international data-security standards, and facilitate the secure and free cross-border flow of data. Previously published draft regulations, however, appear to indicate that “free” flow should not be interpreted as existing outside “any administrative supervision”.

The Draft also states that if a foreign country imposes any discriminatory or restrictive measures on China’s data or data technology-related investments or trade, China may impose similar measures on this country.

Please click here for the full text (Chinese only) of the Draft.

For more information on this Draft Law, contact your regular CMS advisor or local CMS experts.