Data security has proven to be an important battleground in the power play among countries. On 9 June 2021 local time in Washington, D.C., the White House signed an executive order revoking a ban issued by former President Donald Trump in 2020 on T App, W App and other mobile applications owned by China-based companies. Some media have pointed out that the move does not mean the U.S. has given up targeting Chinese applications “on security grounds”. The newly signed executive order also requires the U.S. Department of Commerce and other relevant departments to review, and take appropriate action against, software applications owned or controlled by a “foreign adversary” that may threaten U.S. national security and sensitive data, including personally identifiable information, personal health information and genetic information.
On 10 June 2021 Beijing time, the Data Security Law of the People’s Republic of China (the “Data Security Law”) was passed at the 29th session of the Standing Committee of the 13th National People’s Congress (“NPC”) after three rounds of deliberation. As a “fundamental law” in the field of data security and an “important law” in the field of national security in China, the Data Security Law responds directly to the key issues of data competition and protection around the world, and gives enterprises guidance on data compliance and even on managing and developing data as an asset.
I. The Data Security Law’s Proactive Response to the Comprehensive Digital Era
(I) “Data security” Becomes an Issue of Global Competition and Cooperation
(1) Coping With the Global Digital Sovereignty Wave
In recent years, there has been a growing trend to move from cyber sovereignty to data sovereignty. Data security has become a new topic for discussion when it comes to international competition and cooperation. A new wave of “digital sovereignty” is emerging around the world over data control and jurisdiction.
Having recognised that data is a matter of national security, the U.S. has been striving to protect its national security since the enactment of the CLOUD Act, including through the actions against T App mentioned at the beginning (i.e. the targeted Clean Network program initiated by the U.S.). India, for its part, has responded with a data localization strategy and has also blocked many locally operated Chinese Internet companies on “national security” grounds. At the G20 Osaka Summit in 2019, India declined to join the talks because it insisted on data localization, while Indonesia and South Africa decided not to sign the declaration, expressing their objection to unrestricted cross-border data flows and their support for the value of data localization.
In its Global Initiative on Data Security, released in 2020, China called on the international community to handle data security in a comprehensive, objective and evidence-based manner and to maintain an open, secure and stable global supply chain of information and communication technology products and services. The Data Security Law, released in this international context, is expected to enhance China’s competitiveness in data sovereignty and to offer an alternative approach to data governance.
(2) Ensuring Data Security under a Holistic View of National Security
Another dimension of international data competition is to safeguard core national interests by ensuring data security. In the era of comprehensive digitalization, data security has become an important consideration at the national strategic level. In 2020, the European Data Protection Supervisor (“EDPS”) presented the EDPS Strategy 2020-2024. The Strategy focuses on three pillars: foresight, action and solidarity to improve data security and protection. The U.S. released the Federal Data Strategy 2020 Action Plan, which has established the basic principles of protecting data integrity, ensuring data authenticity and data storage security, etc. Germany set up a national cybersecurity agency to initiate cybersecurity innovation projects and study how to combat cyber threats in order to strengthen the country’s “data sovereignty”.
According to Article 4 of the Data Security Law, a holistic view of national security shall be upheld in ensuring data security. Under this holistic view, cyber and data security hold a critical position in the national security strategy system, even though they are categorised as non-traditional security, distinct from political, territorial and military threats. This is because the development of multi-source information fusion technology in the digital era has blurred the line between state secrets and non-secrets. Some data affecting national security are not under the unified management of the traditional national security departments, and enterprises may control data that can affect the country’s economic lifeline, social stability and overall welfare. Strengthening enterprise data security governance under the guidance of the holistic view of national security is therefore necessary for maintaining national security and important for developing a healthy digital economy.
(II) “Data Security” Is Specifically Legislated in China
The NPC has published the full text of the final version of the Data Security Law, which takes effect on 1 September 2021. During the transition period of nearly three months, enterprises need to identify and understand the Data Security Law’s requirements in order to avoid unnecessary compliance risks and even non-compliance costs.
(1) Scope of Application
The final version of the Data Security Law provides for extraterritorial application, as its first and second drafts did, leaving the space necessary for law enforcement agencies to regulate data security. In summary, the Data Security Law’s scope of application can be viewed from three perspectives: the regulated objects, territorial application, and the convergence between jurisdiction and the legal system.
Firstly, the Data Security Law focuses on “data processing activities and security regulation”, highlighting its legal characteristics as a law that regulates behaviours. In other words, the Data Security Law breaks away from the traditional legislative thinking of “limiting the regulated subjects” and instead defines and regulates “data processing” and “data security”. All subjects who carry out data processing activities are required to satisfy or comply with data security obligations. This allows the interpretation and application of the rules not to be confined to the delimitation of applicable subjects but to focus on the security and reliability of data processing activities.
Secondly, the Data Security Law makes “harming national security, public interests or the lawful rights and interests of citizens or organisations” the trigger for regulating extraterritorial data processing activities. This consequence-oriented approach, keyed to actual impact, further demonstrates the country’s determination to safeguard data security. From a corporate compliance perspective, overseas entities that process data relating to Chinese citizens, or whose data processing activities may actually have an impact on China, are also required to fulfil the data security obligations under Chinese law. This provides the basis for asserting jurisdiction over multinational corporations that serve China but carry out their data processing outside China.
Last but not least, we believe that the Data Security Law also embodies the principle of “personal information” security. The application of the Data Security Law and the Personal Information Protection Law is not an either-or question. It should be understood that, subject to the general principle of data security, personal information processing must still comply with the special rules in the Personal Information Protection Law. From a comparative law perspective, although the General Data Protection Regulation (“GDPR”) and the Regulation on the Free Flow of Non-personal Data are applied on the basis of a clear distinction between “personal” and “non-personal” data, Article 53 of the Data Security Law provides that “data processing activities involving personal information shall also be carried out in compliance with the relevant laws and administrative regulations”. On a textual interpretation, this article clearly leaves room for incorporating the upcoming Personal Information Protection Law. The Statistics Law and the Archives Law contain similar incorporation clauses. In addition to the data security duties under the Data Security Law, data processing activities must therefore also comply with the relevant special rules.
(2) Value System
Since the introduction of the draft Data Security Law, the legislative principle upheld by the legislature has been to “place balanced emphasis on security and development”. The value proposition of “promoting the development of the digital economy with data as a key element” is reflected in multiple provisions of the law, including the State implementing a big data strategy and formulating a digital economy development plan; supporting data-related technological research and development and business innovation; promoting the construction of a data-related standard system and the development of data security testing, assessment, certification and other services; fostering a data trading market; and supporting the development of professionals in various ways.
Specifically, there has been much discussion of the relative value of data protection and digital economy development. At the level of the legislative value system, what the Data Security Law needs to integrate or emphasise is a security value with “data risk control” at its core. This unified concept covers the confidentiality, integrity and availability of data, and the controllability and legitimacy of data processing activities (i.e. the process by which data elements add value). In other words, data protection is a means to an end. Its ultimate goal should be to add value to data elements, accumulate economic wealth and enhance public welfare, on the premise that data processing risks are reasonably and effectively controlled. In the digital era, therefore, the Data Security Law, based on an accurate recognition of the two basic value systems of data protection and digital economy development, continues to lead the way in data security legislation.
The Data Security Law should bring confidence rather than obstacles to legally operated domestic and foreign digital enterprises. It will foreseeably drive the development of the data industry and digital economy. Although certain data compliance costs are inevitable, explicit legal rules will convert these costs into a competition threshold and security benefits, thus effectively preventing the “bad money drives out good” effect and enabling legally compliant data-driven companies to more precisely and effectively capture market opportunities.
(3) Legislative Positioning
In view of the legislative background and value considerations, it is easy to understand that the Data Security Law in the era of the digital economy should be positioned at two levels. First, the Data Security Law responds to the challenges brought by extraterritorial influence. Such legislation, a common practice worldwide, serves the highest value objective of safeguarding national interests and citizens’ legitimate rights and interests. Secondly, the Data Security Law is also the superior and fundamental law in the field of data. Except for certain categories of data processing activities (those involving state secrets and military data), enterprises carrying out data processing activities should achieve in-depth data security compliance in accordance with the Data Security Law.
II. Overview of Key Normative Rules under the Data Security Law
(I) The Security Regulatory System with “Important Data” as the Core
(1) Identification of Important Data
As the superior and fundamental law on data security, the Data Security Law sets up a security regulatory system with “important data” as the core. The identification of important data is the top priority of data security, and echoes the principle of classified and graded data governance and protection.
Article 21 of the Data Security Law broadly defines important data and specifies that the national data security coordination mechanism is responsible for overall coordination, while delegating the identification of important data to regions and departments. According to Article 21, all regions and departments should develop an important data catalogue for their respective region and department as well as for the relevant industries and fields, which demonstrates the law’s flexibility while keeping it universally applicable. Compared with the second draft, the Data Security Law strengthens national coordination in the formulation of important data catalogues. This effectively avoids the fragmented data security rules, and the resulting unnecessary compliance costs, that differing management standards across departments would otherwise produce.
Long before the official release of the Data Security Law, sectors and industries had made efforts to identify sector- or industry-specific important data. For example, Appendix A of the Information Security Technology – Guidelines for Data Cross-border Transfer Security Assessment (Draft for Comment), issued by the National Information Security Standardization Technical Committee in 2017, gives a general description of the important data of 27 key industries, such as oil, electricity and finance.
The recent Provisions for the Management of Automotive Data Security (Draft for Comment) (“Automotive Data Provisions”) issued by the Cyberspace Administration of China specifies the scope of important data in the automotive industry for the first time, including:
- Crowd and traffic data in important and sensitive areas such as military administrative zones, areas in the vicinity of science, technology, and national defence agencies and other State secret-related agencies, and areas in the vicinity of Party and government agencies above the county level;
- Surveying and mapping data, the precision of which is above maps made public by the State;
- Data on the operation of vehicle charging networks;
- Data on road traffic and vehicle types on the road;
- Out-of-vehicle audio and video data, including human faces, voices and vehicle licence plates;
- Other types of data that might affect national security and public interests as designated by the State cyberspace administrations and departments of the State Council.
According to the scope of important data under the Automotive Data Provisions, the data recorded by sensors such as cameras installed outside the vehicles and GPS positioning data of vehicles may fall into the category of important data. The relevant vehicle traffic data and high-precision mapping data are common data categories involved in the autonomous driving and smart car industries. Such data should be processed with reference to the important data processing principles under the Automotive Data Provisions, such as in-vehicle processing, no outward data transmission unless necessary, and data localization. Relevant enterprises should thus be more diligent and compliant based on important data identification and classification.
The identification of important data involves various factors, and there are no one-size-fits-all or fixed rules. The determination of important data will depend on the important data catalogue developed by each region and department. The competent department for each industry will adjust the definition and scope of important data in its own industry and update the important data catalogue as appropriate in line with industry developments.
(2) The Subject Obligated to Protect the Security of Important Data
Inheriting the provisions of the Cybersecurity Law, the Data Security Law takes the important data as an anchor and provides for a number of extended data security protection obligations in connection with important data processing, mainly including:
- Those processing important data shall specify the persons responsible for data security and the data security management bodies (Article 27);
- Those processing important data shall periodically carry out risk assessments of their data processing activities, and send risk assessment reports to the relevant competent authorities. Risk assessment reports shall include the types and amounts of important data processed; the collection, storage, processing and use of data; and the data security risks and the mitigating measures (Article 30);
- The important data processing activities are subject to national security review if they affect or may affect national security (Article 24); and
- For important data collected and generated by critical information infrastructure (“CII”) operators during their operations within the territory of China, cross-border transfer is governed by the Cybersecurity Law; for important data collected and generated by other data processors during their operations within the territory of China, the measures formulated by the State cyberspace administration in conjunction with the relevant departments of the State Council shall apply (Article 31).
Although the Data Security Law requires regular risk assessments and the submission of reports, the scope of the assessment, the recipients of the reports and the frequency of the assessment remain to be clarified in the implementing regulations. Risk assessment is generally regarded as a form of in-process regulation. To prevent data breaches, however, each region’s and industry’s important data catalogue may introduce more detailed data protection requirements. For example, under the Automotive Data Provisions, operators must, before processing important data, notify the provincial cyberspace administration and relevant departments of the category, volume, scope, place and period of storage, the manner of use, and whether the data will be provided to third parties. Operators are also required to submit annual data security reports to the provincial cyberspace administration and relevant departments.
In addition, under the Data Security Law, cross-border transfer of important data by CII operators is governed by the Cybersecurity Law. This cross-reference shows that the Data Security Law and the Cybersecurity Law are basic laws of the same rank, both subordinate to the Constitution.
Finally, several issues remain to be clarified in the subsequent implementing rules and supporting measures: for example, whether enterprises that may process important data must distinguish the responsible person and management bodies for data security under the Data Security Law from the responsible person for cybersecurity under the Cybersecurity Law and the responsible person for personal information protection under the draft Personal Information Protection Law, and whether the responsible person and management bodies must be filed with the competent authorities.
(II) Consensus on Data Rights Claims under the Mechanism of “Data Trading”
(1) Maintaining the Provisions on Data Trading System of the First Draft
The Data Security Law mirrors its first draft in its provisions on a data trading system. Under the Data Security Law, the development of data as a production element necessitates an improved management system for data trading, rules for determining the legality of data trading, and the fostering of a data trading market. Before the introduction of the Data Security Law, the State Council and the relevant ministries and commissions had issued a number of comprehensive or specialised policies to regulate the data market. What was lacking, however, was superior legislation and top-level institutional provisions. The Data Security Law, which refines the provisions on the data trading system, effectively remedies this weakness and improves operability in the data trading market.
In addition to the above-mentioned principles, the Data Security Law places additional security protection requirements on market players engaged in data trading intermediary services. For example, from a risk control perspective, such intermediaries must require the data provider to explain the source of the data, verify the identity of the parties to a transaction, and keep audit and transaction records. The specific audit method, and whether the compliance risk faced by the data provider will pass to the intermediary, remain to be clarified in the supporting regulations. The Data Security Law also imposes heavier penalties to strengthen ex-ante supervision and raise security awareness. An intermediary that fails to fulfil the above requirements may be subject to confiscation of its illegal gains and a fine of up to ten times those gains, may be ordered to cease the relevant business or suspend business for rectification, and may have its business permit or business licence revoked.
In addition, Article 34 of the Data Security Law provides that where laws and administrative regulations make the provision of data processing-related services subject to an administrative licence, the service provider shall obtain such licence in accordance with the law. This offers a legal basis for restricting access to the data trading market, and in practice regulation of market access may be tightened.
The basis for establishing a data trading management system is clarity on the ownership of, or title to, data. It is necessary to clarify basic legal issues such as the data rights of personal information, public data, national data and data elements market entities; otherwise, institutional obstacles may hinder data flow and trading. Domestically, current legislation provides only principles for data property rights, without specific rules, leading to potential conflicts of interest among data subjects. Supporting rules with more detailed provisions on data property rights are therefore imperative for a sound data trading market.
In addition, the anti-monopoly regime for the data market needs improvement. In 2020, the definition of monopoly in the internet industry and the corresponding penalties were incorporated into the law for the first time in the Draft Revision of the Anti-Monopoly Law (Draft for Comment). In early 2021, the Anti-Monopoly Guidelines for the Platform Economy (the “Anti-monopoly Guidelines”) refined the anti-monopoly rules for internet platforms and provided an important institutional basis for anti-monopoly supervision in the data market. The current anti-monopoly legislation, however, can hardly cover the monopolistic behaviours particular to the data market. For example, the current Anti-monopoly Law and the Anti-monopoly Guidelines mainly take an operator’s revenue as the benchmark for regulating concentration of operators. Yet data companies with low revenue can nonetheless have a great impact on the market.
(2) Data Property Rules: A Reference to the Calabresi & Melamed Framework
Since data was included in the miscellaneous provisions of the General Rules of the Civil Law in 2017, the determination of the object of data rights and the conferral of data rights have been widely discussed. Theorists in China have put forward various views, such as data rights as human rights, as intellectual property rights, and as new property rights. Local governments have also made efforts to create related rights and interests. In the Shenzhen Special Economic Zone Data Regulations (Draft for Comment) (the “Data Regulations”) released by the Justice Bureau of Shenzhen Municipality in 2020, data rights were defined as the rights of right holders to independently decide on, control, process, benefit from and claim compensation for specific data in accordance with the law. The Data Regulations also set out rights over personal information, public data and the data of data elements market entities, based on the content of the data. Theorists and practitioners generally believe that it is still too early to create “data rights” in the Data Regulations, given the lack of a unified public perception of data ownership, the unclear boundaries of data rights, intertwined and overlapping rights objects, and an overly absolute division. In view of this, after taking full account of social consensus and judicial practice, the new Data Regulations released in 2021 further refined the general concept of data rights as the protection of natural persons’ personality interests in their personal information and of enterprises’ property interests in the data products and services that result from their extensive intellectual labour.
From the comparative law perspective, the U.S. and the EU, despite their different models of data protection and utilization, both distinguish between multiple levels of data rights and interests and thus apply different protection standards to balance protection and utilization. For example, the U.S. divides data into personal information and anonymized derivative data, and applies a privacy-centred protection standard to personal information, while a combination of market autonomy and competition law to derivative data to ensure the development and utilization of derivative data.
Therefore, in light of the classified and graded protection requirements and the approaches to defining data ownership in foreign countries, it is advisable to divide data rights into different categories based on the whole life cycle of data, taking into account the development of the digital economy and the application scenarios, and to apply different protection rules to each category in order to give effect to data rights. For example, data may be divided into original data and derivative data based on the processing method, and into personal information, business data and public data based on the data subject.
(III) Data Security System Featuring “Separate Administration” and “Top-Down Regulation”
(1) Graded and Classified Data Protection Rules
Following the graded and classified protection for cybersecurity adopted by the Cybersecurity Law, the graded and classified data protection rules established by the Data Security Law, as the premise and foundation of data security administration, will directly determine the protection obligations that enterprises must undertake in managing the whole life cycle of data of different grades and categories.
In terms of scope, the Data Security Law only specifies that important data and national core data (“data related to national security, the national economy, people’s fundamental livelihood and major public interests”) are subject to the security requirements of “emphasised protection” and “stricter management” respectively. For data other than important data and national core data, however, following the principle of the Data Security Law, it is still necessary to grade and classify the data and to differentiate protection measures based on the importance of the data to economic and social development and the extent of harm that a data security incident could cause.
In terms of standard setting, on the one hand, the Data Security Law designates the State as the rule-maker for the graded and classified data protection rules, providing the basis for the State’s “top-down” regulation. On the other hand, before the official promulgation of the Data Security Law, industries had already attempted to formulate data classification and grading standards, including, but not limited to, the Financial Data Security – Guidelines for Data Security Classification, the Guidelines for the Classification and Grading of Data in the Industry of Securities and Futures, the Guidelines for the Classification and Grading of Industrial Data (Trial), Telecommunications and Internet Services – User Personal Information Protection – Definitions and Categories, and Telecommunications and Internet Services – User Personal Information Protection – Grading Guidelines. Among them, the industrial standard Financial Data Security – Guidelines for Data Security Classification, issued by the People’s Bank of China, specifies the elements, rules and process for classifying and grading financial data, and provides typical data grading rules for financial institutions for reference. The industrial standard Financial Data Security – Security Specification of Data Life Cycle, also issued by the People’s Bank of China, sets out detailed requirements for the collection, transmission, use, deletion and destruction of financial data of different grades, based on the data’s security grade. However, whether the data classification and grading formed under the rule of “separate administration” is scientifically sound, reasonable and verifiable remains to be further discussed.
(2) Construction of Data Security Standard System
The Data Security Law strengthens the construction of the data security standard system through unified legislation; the data security codes of conduct and group standards formulated by industries under the relevant laws also form an important part of that system. Pursuant to Article 17 of the Data Security Law, the standardisation administrative department of the State Council and the relevant departments of the State Council lead the formulation of data security-related standards. The State encourages enterprises, social organisations, and educational and scientific research institutions to participate in standard formulation. With the rapid development of data-related technology, legislation often lags behind industrial development. This article aims to encourage market players to take an active part in the discussion of industrial standards, to share the practical experience they gain in building data security compliance, and to promote technology development and compliance on the basis of industry best practices.
The Ministry of Industry and Information Technology (“MIIT”) has now kick-started the construction of the data security standard system. The Guidelines for the Construction of Data Security Standard System in the Industry of Telecommunications and Internet issued by MIIT in December 2020 provides the fundamental requirements for data security standards in the telecommunications and Internet industries, and sets forth the short-term goals of data security system construction: (a) by 2021, to develop more than 20 data security-related industrial standards, establish a preliminary data security standard system in the telecommunications and Internet industries, effectively implement data security administration requirements, satisfy the basic needs of data security protection in the industries, and promote the standard application in key fields; and (b) by 2023, to develop more than 50 data security-related industrial standards, improve the data security standard system in the telecommunications and Internet industries, significantly increase the technical level, application and internationalisation, and strongly support the improvement of industrial data security protection capability.
(IV) Necessary Countermeasures Based on “Export Control” and “Reciprocal Measures”
(1) Export Control of Data Defined as Controlled Items
To align with Article 2 of the Export Control Law, under which “controlled items include technical data related to the items”, Article 25 of the Data Security Law provides that the State shall exercise export control over data defined as controlled items that relate to safeguarding national security and interests and fulfilling international obligations. Although “safeguarding national security and interests and fulfilling international obligations” can be taken as the legal basis for prohibiting the export of relevant data, there is still the question of how this aligns with the Export Control Law in specific application. Pursuant to the Export Control Law, China has formulated a list of export-controlled items, comprising those on the control list issued by the State export control administration and those subject to temporary control that are not on the control list. Therefore, whether particular data are controlled items must be determined according to the list catalogue and standards established under the Export Control Law. It should be noted that in 2020 the Ministry of Commerce and the Ministry of Science and Technology revised the Catalogue of Technologies Prohibited or Restricted from Export by China, which designates a number of information processing technologies, including artificial intelligence interface technology and voice synthesis technology, as technologies restricted from export, and restricts the export of those technologies in economic activities. It remains to be seen whether the State export control administration will in future directly include the relevant technologies and data within the scope of export control.
(2) Reciprocal Measures for Discriminatory Treatment in Investment and Trade
In order to better respond to foreign legislation and law enforcement, under the “principle of reciprocity”, Article 26 of the Data Security Law provides that for any country or region that adopts discriminatory prohibitions, limitations or other such measures toward China with respect to investment or trade related to data, data development and use, or technology, China may, according to the actual circumstances, take reciprocal measures against such country or region. This provision provides strong legal support for China’s countermeasures against foreign countries’ discriminatory restrictions and prohibitions, and fully demonstrates China’s legislative intent of advocating data sovereignty in cyberspace.
It is worth noting that in addition to the reciprocal countermeasures under the Data Security Law, pursuant to the Anti-Foreign Sanctions Law, China can also take measures to block foreign sanctions as well as countermeasures against individuals and organizations that are listed on the sanctions list.
(V) Constructing a Government Data System with the Goal of “Safe Disclosure”
As a key element of production, data, including personal information and business data, attracts wide attention and is of great value. The same is true of government data in the post-pandemic era. The disclosure of government data not only promotes scientific decision-making by government entities and the efficiency of public administration, but also increases the supply of data in the data element market and facilitates the transaction of data resources.
On that basis, the Data Security Law further sets out the principle of government data disclosure, while requiring that government data come from lawful sources and be covered by secure administration and an e-government system. Specifically, the Data Security Law establishes the disclosure of government data as the rule, with non-disclosure as the exception. It requires the State to establish a national catalogue of government data subject to disclosure; to construct a unified, standardised, interconnected, safe and controllable platform for government data disclosure; and to promote the development and utilisation of government data, so as to eliminate the “data silo” (also known as the “data island”) commonly seen in practice. At the same time, however, the conditions for the disclosure and utilisation of government data still need further clarification by subsequent supporting measures.
III. Key Compliance Points of the Data Security Law
In order to regulate data processing activities and further promote the development of the data market, the Data Security Law sets out multi-level and comprehensive data security obligations, both negative and positive, for enterprises involved in data processing activities. Based on our brief analysis, enterprises need to comply with the following basic legal requirements under the Data Security Law in order to substantially reduce data security compliance risks. This section focuses on the general legal and compliance requirements imposed on enterprises by the Data Security Law.
(I) Complying with the Statutory Negative Obligations
Enterprises should conduct data processing activities within the legally specified data security bottom lines. In brief, during the transition period and after the Data Security Law comes into effect, enterprises need to ensure strict compliance in the following aspects, or risk disruption to their ordinary course of business.
(1) Ensuring Lawful Data Sources
Data processing compliance is the basic requirement set forth in the Data Security Law. Article 27 of the Data Security Law clearly states that “data processing activities shall be carried out in accordance with the laws and regulations”. Furthermore, Paragraph 1 of Article 32 of the Data Security Law provides that any organization or individual shall collect data by lawful and proper means and shall not acquire data by theft or other illegal means. It can be understood that, in addition to compliance with the applicable laws and regulations, Article 32 sets a binding condition that both the source of data processing activities and the means of acquiring data need to be “lawful and proper”.
On the one hand, the term “lawful” is interpreted to mean that data should be lawfully collected and sourced where a particular law or regulation so provides. The “informed consent” principle for personal information collection is a typical example of this requirement. On the other hand, the term “proper” implies that data must be collected in an appropriate and non-excessive manner, or processed to a degree predictable or acceptable to a reasonable person. Such predictability and acceptability are not intended to limit innovation but to protect the security of the collected and processed data sources in light of the predictable consequences and potential impacts. In recent cases involving data crawling without the multiple consents required, the crawler operators were punished for violation of the competition laws or even convicted. These court decisions remind us of the necessity of ensuring the lawfulness of data sources.
Generally, ensuring the lawfulness of data sources is the first and key step for enterprises in building their data assets, and it relates closely to the stability and value of an enterprise’s data assets. We suggest that enterprises classify and internally review their data sources, and take the necessary technical, organisational management or contractual measures to segregate data and eliminate risks at the initial stage, so that a solid foundation is laid for subsequent data processing, data governance and asset management.
(2) Performing Prior Administrative License Obligations
Article 34 of the Data Security Law provides that where laws and administrative regulations provide that the provision of services relating to data processing is subject to an administrative license, the service provider shall obtain such license in accordance with the law. This means that if the laws and administrative regulations of the corresponding industry or economic sector require ex-ante permission, the service provider should strictly follow those provisions and carry out data processing services and business activities only after obtaining the corresponding qualification or license.
It is almost customary for entities in the TMT sector to obtain a qualification or license. In several strictly regulated sectors, such as finance, healthcare and smart vehicles, data services are offered in increasingly varied models and forms, and entities are becoming ever more deeply involved in data processing services. In this context, controlling the risks of data processing activities, especially those involving personal information, is becoming increasingly difficult. Thus, it is possible that data processing services in the traditional sectors will become regulated and subject to licensing. For example, it may become necessary to obtain a license, or to cooperate with a licensed entity by agreement, in order to provide relevant data services in the personal credit-reporting field. (For a detailed analysis of data service compliance in the personal credit field, see our previous article “Important Signals in the Era of Digital Credit – Interpretation of the Draft New Regulations on Credit Services”.)
In light of the above, we recommend that data service providers in tightly regulated sectors closely follow the relevant legislative developments, understand the mandatory licensing requirements and potential approval requirements before processing data and providing data services, and fully assess the data compliance risks of the relevant services, so as to proactively avoid business solutions that may contravene legal requirements.
(3) Carefully Handling Conflict of Jurisdictions and Requests for Evidence Production
Article 36 of the Data Security Law introduces a legal requirement of “approval by the competent authority” for data security with respect to conflict of jurisdictions and cross-border evidence production arising from possible extraterritorial application of law.
Essentially, Article 36 responds defensively to the “long-arm jurisdiction” of foreign countries. The “organization or individual within the territory of China” referred to in Article 36 is obviously broader than “data processor”. In our view, however, “organization or individual within the territory of China” does not mean “organization established under Chinese law or individual with Chinese nationality”, but should be read consistently with the objects regulated by the Data Security Law as a whole. In other words, organizations and individuals who conduct data processing activities and store data in China are subject to Article 36. Although the competent authorities have not yet released a corresponding approval procedure or written rules, we believe that the corresponding supporting measures will be introduced promptly after the Data Security Law takes effect, in order to achieve the legislative objective of maintaining data security in China as soon as possible.
Enterprises should be prepared for cross-border data compliance, and for the practical dilemmas and legal risks arising from conflicts of jurisdiction caused by directly opposing data compliance requirements in foreign countries. In fact, under the relevant provisions of the U.S. Holding Foreign Companies Accountable Act (“HFCA”) of 2020, the risk of conflicting jurisdictions has already materialized in the securities operations of companies going public overseas. The instability of regulatory policies led to a small wave of Chinese stocks being delisted from the U.S. market and turning to the Hong Kong market. Until a better solution is available, in the face of the risk of regulatory conflict, we recommend that enterprises performing data processing services in or to China strictly follow the relevant requirements of the Data Security Law when responding to cross-border data requests from abroad. Enterprises should consult and maintain communication with the competent authorities when necessary; otherwise, they may face a fine of up to RMB 5 million and be ordered to suspend the relevant services or suspend business for rectification, or have the relevant business permit or business license revoked.
(II) Building a Comprehensive Data Processing Security and Management System
Aside from the above negative obligations, enterprises can also proactively fulfil daily and emergency data security protection and governance obligations during the transition period. To be specific, enterprises might want to build an internal data processing compliance system to make data security and compliance a cutting edge in business management and product or service offerings, thus forming a unique data competitive advantage.
(1) Regular, Whole-Process Data Security Protection Obligations
Since daily business operations involve significant data collection and processing activities, building an internal regular data security protection system covering the whole life cycle of data is undoubtedly the most cost-effective and efficient solution. Based on our experience in data security compliance, we propose the following key compliance points for such a system:
| Key compliance points | Recommendations |
| --- | --- |
| Establishing operable data classification and grading procedures or guidelines | Data governance is premised upon data classification and grading. A structured data governance framework relies on pre-existing data classification and grading procedures based on security and risk model considerations. As mentioned above, data classification and grading procedures are already in place in the financial, communications and Internet industries. We recommend that enterprises develop an operable internal data classification and grading plan by seeking professional legal opinions and referring to the regulatory requirements for important data in their industry. |
| Creating an internal risk assessment model for data processing and implementing the requirements for security impact assessment | As a reference for internal and external data protection impact assessment (“DPIA”), the internal risk assessment model should consider data processing risks throughout the data life cycle based on the aforementioned framework of data classification and grading standards, and strictly implement the legal requirements for data processing records so as to control the additional risks and adverse factors that may result from value-added data processing. In addition, in accordance with Article 30 of the Data Security Law, processors of important data should submit their risk assessment report to the competent authorities. |
| Adopting industrial technical and organizational practices related to data security and fulfilling the classified security protection obligation | The Data Security Law specifies that enterprises shall adopt technical or other necessary measures to comply with their data security obligations. We understand that enterprises involved in data processing may consider procuring and assembling corresponding technical and organisational security solutions to reduce costs. Because data processing service providers receive and process a large amount of data, they should build upon the multilevel protection scheme and strictly implement the relevant national technical, organizational and administrative standards to improve their data security management capability and level. |
| Carrying out periodic or ad hoc data security education, drills or trainings | We recommend that enterprises involved in data processing activities strengthen the data security awareness and capabilities of their employees through periodic or ad hoc internal data security trainings, data security incident simulation drills, and diverse data security education. |
(2) Emergency Response Specifications for Data Security Incidents
Article 29 of the Data Security Law provides that risk monitoring shall be strengthened when carrying out data processing activities; that remedial measures shall be taken immediately upon discovery of any data security defect or vulnerability; and that, upon occurrence of a data security incident, mitigating measures shall be taken immediately, users shall be notified in a timely manner in accordance with the relevant provisions, and reports shall be made to the relevant competent authority. Article 29 thus converges with the Cybersecurity Law, the National Contingency Plan for Cyber Security Incidents issued by the Cyberspace Administration of China, and the corresponding laws, regulations and specifications. On the one hand, enterprises should develop their internal data security incident response strategies and contingency plans based on the existing management specifications for network security incidents (including malicious programme incidents, cyberattacks, information destruction incidents, information content security incidents, equipment and facility failures, and catastrophic incidents). On the other hand, the Data Security Law now emphasizes not only network system security but also the security of data and data processing, which reflects the synchronisation of economic development and law-making. In the future, data governance might also entail algorithmic security. We recommend that enterprises build, as soon as possible, emergency management systems of diverse dimensions and levels, distinguishing between network information systems and content, data processing and security, and algorithmic ethics and compliance.
Here comes the Data Security Law. The law has gone through more than a year of drafting, preliminary review, public consultation, and second and third reviews. It has become one of the fastest-advancing pieces of legislation in the 2020 legislative plan, and will take effect in the fourth quarter of 2021. It has to be admitted that, limited by its length and system structure, the Data Security Law still leaves some issues for further discussion and improvement, awaiting the further accumulation, enrichment and summarisation of practical experience. As a “fundamental law” governing data-related issues in China, however, it deserves to be treated with respect, to be protected, and to be backed by continuous efforts to improve data security and compliance.
Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries, https://www.whitehouse.gov/briefing-room/statements-releases/2021/06/09/fact-sheet-executive-order-protecting-americans-sensitive-data-from-foreign-adversaries/, last accessed on 14 June 2021.
See Wang Shiye, Unbanning TikTok and other Chinese apps is Biden’s way of setting things right?, https://finance.sina.com.cn/china/2021-06-12/doc-ikqciyzi9299849.shtml, last accessed on 15 June 2021.
Data Security Law: ensuring data security to drive the digital economy, http://www.npc.gov.cn/npc/c30834/202106/b7b68bf8aca84f50a5bdef7f01acb6fe.shtml, last accessed on 14 June 2021.
He Aoxuan, Data Globalization and the Confrontational Trend of Data Sovereignty and China’s Response – An Analysis Based on Data Security, Journal of Beijing University of Aeronautics and Astronautics (Social Sciences Edition), Issue 3, May 2021, pp. 19-20.
The Global Initiative on Data Security, the Ministry of Foreign Affairs, https://www.fmprc.gov.cn/web/wjbzhd/t1812949.shtml, last accessed on 14 June 2021.
Wang Weijie and Zhou Qianhe, The Latest Developments, Characteristics and Enlightenment of Foreign Data Security Protection, China Information World, p. 013, 17 May 2021.
Zhu Xuezhong and Dai Zhizai, The Value and System Positioning of the Data Security Law under the Holistic View of National Security, E-government, Issue 8, 2020, pp. 82-92.
Ibid., footnote 3.
Liu Junchen (Deputy Director of the Legislative Affairs Commission of the NPC Standing Committee), Explanation on the Data Security Law (Draft), dated 28 June 2020, at the 20th Session of the 13th NPC Standing Committee, http://www.npc.gov.cn/npc/c30834/202106/2ecfc806d9f1419ebb03921ae72f217a.shtml, last accessed on 14 June 2021.
Liu Jinrui, Data Security Paradigm Innovation and Its Legislation, Global Law Review, Issue 1, 2021, pp. 10-11.
Jiao Jiao, China Academy of Information and Communications Technology, Highlights of the Data Security Law: Legislative History and Key Provisions.
Zhai Zhiyong, The Systemic Status of Data Security Law, Journal of Soochow University – Philosophy and Social Sciences, Issue 1, 2021, pp. 76-77.
Zeng Zheng and Wang Lei, Fundamental System for Data Element Market: Problems and Establishment, Macroeconomics, Issue 3, 2021, p. 88.
Ibid., footnote 10.
Ibid., footnote 12, pp. 86-87.
Cui Shujie, Defining of Data Rights and Establishment of Data Protection Rules under C&M Framework, Journal of Guangdong University of Finance and Economics (Law and Economics), Issue 6, 2020, pp. 79-80.
See Shenzhen Special Economic Zone Data Regulations (Draft for Comment).
Ibid., footnote 17, p. 81.
Ibid., p. 82.
Ibid., footnote 10.
See the Anti-Foreign Sanctions Law.
Liu Quan, Legislative Path to Government Data Disclosure, Journal of Jinan (Philosophy and Social Science), January 2021, pp. 92-93.
See (2021) Yu 1403 Xing Chu No. 78; (2020) Zhe 0106 Xing Chu No. 437.