Extraterritorial effect
In addition to activities conducted within China, the DSL will also apply to and regulate any data processing activities outside China if those activities would be detrimental to the national security or public interest of China or the lawful rights and interests of any Chinese citizen or organisation. Hence, if you are dealing with data generated or collected from China, you should pay particular attention to the extraterritorial effect of the DSL.
Foreign investigations and litigation
The DSL stipulates that any provision of data stored in the PRC by a Chinese entity or individual that is made in response to a request by any foreign judicial body or law enforcement authority will be subject to the prior approval of the competent authority. Violations could attract hefty fines of up to RMB 5 million for each company and RMB 500,000 for the person responsible.
Companies incorporated in China should also exercise caution in relying on any privacy shields available under the laws of other jurisdictions in order to transfer data from China overseas for the purposes of participating in an offshore investigation or litigation.
Classified data and multi-tier management system
The DSL provides for a hierarchical data classification management and protection system that takes into account the importance of specific types of data to China’s national economy, national security, public interest and society, as well as the degree of harm that would result from a security incident.
More important critical data will be subject to stricter management and protection requirements. In particular, it is worth noting that:
(i) A processor of critical data must conduct regular risk assessments and submit its assessment reports to the competent authority. Such reports must include the type and volume of data processed, descriptions of its data processing activities, data security risks faced and its response measures.
(ii) Data processing activities that affect or could affect China’s national security will be subject to a national security review by the state, whose decision is final. Further details of the implementation procedures are expected to be formulated and issued by the Chinese government in due course.
(iii) Certain data relating to China’s national security, national interest, or performance of international obligations may be deemed controlled items and thus subject to export control.
Additionally, the DSL calls for regional and departmental authorities to formulate their own catalogues of critical data within specific regions or industries. Recently, the Cyberspace Administration Office issued the draft Automobile Data Safety Management Rules, which set out the scope of critical data in the automobile industry.
Localisation requirement
The DSL re-emphasised the localisation requirements under the PRC Cybersecurity Law for critical information infrastructure (CII) operators, and critical data collected and generated by them within China. If a CII operator (such as companies in the FinTech, infrastructure and public healthcare industries) fails to comply with the localisation requirements and provides critical data abroad, the authority can order the CII operator to suspend or cease its business or even revoke its operational certificate or business licence. The CII operator could also face a fine of up to RMB 10 million, with its management facing a fine of up to RMB 1 million.
In relation to non-CII operators, the DSL provides that the Cyberspace Administration Office will formulate and issue separate cross-border transfer rules applicable to any critical data collected and generated by such non-CII operators.
Reciprocal sanctioned measures
The DSL lays out the foundation for the Chinese government to tackle any discriminatory prohibitions, restrictions or other sanctioned measures adopted by an authority in another jurisdiction pertaining to any China-related investment or trading activity involving the processing, developing or exploiting of data.
Data trading market
The DSL calls for the establishment and development of a data trading market by the state to improve and regulate the management of data trading in China. Companies engaging in data trading intermediary services are required by the DSL to collect the source of data, examine the identity of all parties involved in the trading activity and transaction, and maintain proper records of all transactions.
Takeaway
In short, the enactment of the new DSL will create more challenges for companies that have a global business presence and are subject to data security requirements in multiple jurisdictions.
If you would like to discuss the impact of the DSL on your business, please contact the authors of this alert.
Client Alert 2021-168