China’s Draft Data Security Law

China’s National People’s Congress Standing Committee introduced the Data Security Law of the People’s Republic of China (Draft Law) on 3rd July 2020, requesting public comment until 16th August 2020. The draft law will go through two additional draft rounds before launch. Once finalized, it will be the first designated law in China to regulate the procedures related to the storage, processing, collection, and control of data involving national security, business secrets, and personal data.

Introduction

The draft law consists of 51 articles divided into seven chapters: general provisions, data security and development, legal liabilities, data security system, data security protection obligations, security and release of government data, and miscellaneous. The introduction of the draft law states that ‘without data security, there is no national security.’ The law will apply to all data activities within China. Data is a record of information in electronic or non-electronic form. Data activities are the collection, processing, supply, use, storage, trade, and publishing of data. Every act under the draft law will also be governed by the Law of the People’s Republic of China on Guarding State Secrets (Presidential Decree No. 28) and other administrative laws and regulations. The draft law has been released for public comment.

Framework of the Draft Law

  • An effective emergency response mechanism for data security will be developed and implemented.
  • A warning mechanism will be established for effective and official data security risk assessment, reporting, monitoring, and sharing of data.
  • Data will be classified according to its level of importance for data protection.
  • A data security review system will be implemented to examine and monitor all data activities that can result in risks to national security.
  • An export control system will be applied to data that falls under the categories of controlled items.
  • Countermeasures will be taken whenever other countries apply similar measures, restrictions, or prohibitions in respect of trade and investment in data and technology for the development of data.

Data Security Obligations When Carrying Out Data Activities

Entities involved in data activities are required to establish data security management systems, take appropriate technical measures, monitor data incidents or actions, and organize security training. Whenever important data is involved, a periodic risk assessment must be conducted and reported to the authority.

Implications of the Draft Law

The law provides only guidelines, principles, and clear definitions of security terms, but it will help establish the legal and regulatory framework for data protection and security in China. Once the law comes into force, it will have a far-reaching and significant impact on many sectors in China for the purpose of protection and security.

Important/Notable Provisions in the Draft Law

Article 2 states that entities outside China that engage in data activities harming national security, the public interest, or the lawful interests of citizens in China will also bear legal liability.

Article 19 introduces a system for regulating data based on different grades and importance, according to the degree of economic and social development. It also assigns responsibility for determining the reach of data security responsibilities and requirements.

Article 22 states that a data security review is to be established to review the impact of data security on national security.

Article 23 states that, to fulfill international obligations for the protection of national security, the government has introduced a data export system.

Article 24 introduces a way to retaliate against measures by foreign governments that target China with limitations, prohibitions, etc. around data investment and technology.

Article 33 states that when an individual or an organization transfers any domestic data to an overseas law enforcement agency, prior approval from the government of the People’s Republic of China is required.

Government Access

Article 32: where public security departments or national security departments need to consult data in order to lawfully safeguard national security, they shall, according to relevant state regulations, undergo strict approval procedures and proceed according to law; relevant organizations and individuals shall grant cooperation.

Article 35: where state bodies need to collect data to implement their statutory duties, they shall do so within the scope of those statutory duties, and according to the procedures and conditions provided in laws and regulations.

National Security and Review System

The main objective of the draft law is national security and the protection of the nation’s data. In the draft law, national security is mentioned 11 times in total, in Articles 2, 4, 6, 7, 8, 22 (twice), 23, 32 (twice), and 47. Article 22 states that a data security review is to be established to review the impact of data security on national security. The data security review will review any activities that influence national security data, and the decision of the review will be final. Article 23 states that, to fulfill international obligations for the protection of national security, a data export system is introduced. The effect of these systems should be a tight connection between data security and national security. Article 49 states that for data activities involving state secrets, laws and regulations such as the Law of the People’s Republic of China on Guarding State Secrets are applicable. Data activities involving personal information shall abide by relevant laws and administrative regulations.

Extraterritorial Effects

The Draft Law establishes extraterritorial jurisdiction over foreign entities that engage in data activities inside and outside of China that harm national security or the public interest (Article 2), and empowers the state to adopt countermeasures against countries that impose restrictive or discriminatory trade and investment safeguards against China (Article 24). Directly relevant to multinational corporations operating in China, when foreign law enforcement agencies request access to data stored in China, Article 33 requires that the individual or entity concerned must first report to and receive approval from the relevant Chinese government authorities.

Penalties

Legal liability is established in Articles 41 through 48 of the Draft Law, and the penalties range from specific to general. Article 48 allows for the imposition of administrative, civil, and/or even criminal penalties depending on the type and severity of the data security breach. Individuals and entities involved in data activities that violate Articles 25, 27, 28, and 29 of the Draft Law can be fined up to 1 million RMB for failing to correct their behaviour (Article 42). For data transactions that violate Article 30 of the Draft Law and result in illegal income, the responsible data transaction intermediary can be fined up to 10 times the amount of the illegal income (Article 43). Online data processing businesses that operate without the proper licenses specified in Article 31 of the Draft Law can be fined up to 10 times the amount of their illegal income, or fined not more than 1 million RMB (Article 44). State organs, state employees responsible for data security, and those who endanger national security or the public interest would be punished according to relevant laws and regulations (Articles 45, 46, and 47).

Conclusion

The draft law is an important piece of legislation. It consists of 51 articles divided into seven chapters: general provisions, data security and development, legal liabilities, data security system, data security protection obligations, security and release of government data, and miscellaneous. The introduction of the draft law states that ‘without data security, there is no national security.’ The law will apply to all data activities within China. Data is a record of information in electronic or non-electronic form. Data activities are the collection, processing, supply, use, storage, trade, and publishing of data. Every act under the draft law will also be governed by the Law of the People’s Republic of China on Guarding State Secrets (Presidential Decree No. 28) and other administrative laws and regulations. The draft law has been released for public comment.


FAQ (Frequently Asked Questions)

1. When was the Data Security Law of the People’s Republic of China (Draft Law) introduced in China and why?

Answer: China’s National People’s Congress Standing Committee introduced the Data Security Law of the People’s Republic of China (Draft Law) on 3rd July 2020 to request public comment until 16th August 2020.

2. How many articles are there in the draft law, and into how many chapters is it divided? State the chapter names.

Answer: The draft law consists of 51 articles divided into seven chapters: general provisions, data security and development, legal liabilities, data security system, data security protection obligations, security and release of government data, and miscellaneous.

3. In which country is the draft law applicable, and what is mentioned in the introduction of that law?

Answer: In the introduction of the draft law it is mentioned that ‘without data security, there is no national security.’ The law is going to be applicable to all the data activities within China.

4. Which committee is going to observe all the activities or acts performed under the draft law?

Answer: Every act under the draft law will be governed by the Law of the People’s Republic of China on Guarding State Secrets (Presidential Decree No. 28) and other administrative laws and regulations.

5. In which article of the draft law has the data export system been introduced, and why?

Answer: In the draft law, under Article 23, it is mentioned that to fulfill international obligations for the protection of national security the government has introduced a data export system.

6. Why, and under which article of the draft law, does an individual or organization in China require prior approval from the government of the People’s Republic of China?

Answer: Under Article 33 of the draft law, when an individual or an organization transfers any domestic data to an overseas law enforcement agency, prior approval from the government of the People’s Republic of China is required.
