China's Data Security Law
Developments in China’s regulation of data should not be ignored by U.S. businesses that engage with data from China. A recent draft Data Security Law will likely have a profound impact on the treatment of data in China if it is enacted as drafted, especially for foreign companies that process large amounts of data in China.
With its increasing focus on the protection of important data and personal information in recent years, China has sought to protect personal information by issuing a series of measures, many of which have been subject to updates.
In addition, China began to develop a parallel system to protect “important data” by issuing a draft Data Security Law in June 2020. These broad and seemingly overlapping policies have left key terms and processes undefined, in a way that can increase uncertainty and business costs for U.S. companies.
Scope: The draft Law covers any recording of information through electronic or non-electronic means and “data activities,” including the collection, storage, processing, use, provision, trading, and public disclosure of data. The draft seeks to ensure data is “effectively protected and lawfully utilized.”
Responsible Authorities: National and local industry regulators and security authorities are responsible for supervising data security. The Cyberspace Administration of China (CAC) is the overall coordinator supervising compliance.
“Important Data”: The draft proposes a regime for protecting “important data” based on multiple levels of classification. The draft calls for industry and local authorities to create catalogues defining “important data” in their respective areas of authority and to take measures to protect that data. It also calls for a centralized mechanism for conducting assessments of data activities.
Measures: Data processors are instructed to conduct periodic data assessments related to data security risks and corresponding protective measures. Data security officers and management departments are expected to be in place to fulfill these responsibilities.
Potential Impact on U.S. Business Communities
- Companies will be expected to comply with the various data protection obligations in the law if they process “important data.”
- Companies could be subject to various reviews if their data activity is considered to be related to national security.
- Exports of certain data could be controlled.
The draft Law lacks specificity on several key concepts, including:
- How the term “important data” is to be defined;
- How data will be assigned to different levels of data classification, and how treatment of different levels of data will vary;
- How responsibilities of regulatory authorities identified in the draft Law will be delineated.
The draft Law also suggests regulators should have extraterritorial powers to impose liability on parties outside of China without specifying how such powers would be implemented.
It also offers no clear distinction between the obligations the draft Law outlines and the data-related obligations found in other measures, such as China’s Cybersecurity Law. Continued revisions of these related measures and the draft Data Security Law should be expected to run in parallel.
U.S. firms that process Chinese data should keep a close eye on this evolving area of Chinese policy and consider what the impact may be on their China operations. China may provide further opportunities for interested stakeholders to submit feedback on the draft Data Security Law and other related measures.