On 10 June 2021, the National People’s Congress, China’s top legislative authority, passed the People’s Republic of China (PRC) Data Security Law (DSL), which will come into force on 1 September 2021.
It is the first comprehensive data security legislation in China. The DSL aims to regulate a wide range of issues in relation to the collection, storage, processing, use, provision, transaction and publication of any kind of data, and becomes a key supplement to the PRC Cybersecurity Law which has been effective since 1 June 2017. The DSL is expected to have a deep impact on data processing activities and business operations in China. In this update, we highlight some of the significant features of the DSL for companies that operate or do business in China.
In addition to activities conducted within China, the DSL will also apply to and regulate any data processing activities outside China if those activities would be detrimental to the national security or public interest of China or the lawful rights and interests of any Chinese citizen or organisation. Hence, if you are dealing with data generated or collected from China, you should pay particular attention to the extraterritorial effect of the DSL.
Foreign investigations and litigation
The DSL stipulates that any provision of data stored in the PRC by a Chinese entity or individual that is made in response to a request by any foreign judicial body or law enforcement authority will be subject to the prior approval of the competent authority. Violations could attract hefty fines of up to RMB 5 million for each company and RMB 500,000 for the person responsible.
Companies incorporated in China should also exercise caution in relying on any privacy shields available under the laws of other jurisdictions in order to transfer data from China overseas for the purposes of participating in an offshore investigation or litigation.