China's data security law
China’s National People’s Congress (NPC) finalized a new Data Security Law (DSL) which will come into effect on September 1, 2021.
Together with the Cybersecurity Law and the forthcoming Personal Information Protection Law (PIPL), the DSL will provide a framework of obligations for parties that process data – to include the collection, storage, use, processing, transmission, provision, and disclosure of data – even if that party does not have an office in China. Under the DSL, parties that process data can be subject to a wide range of obligations, including conducting internal data security management, monitoring, and risk assessment of data processing activities, and complying with approval processes and requirements from Chinese authorities. The DSL calls for the promulgation of administrative measures providing detailed guidance on some of these obligations.
Obligations will vary depending on each company’s circumstances. Interested parties should consult with local experts to assess actions required for compliance with the DSL.