National People's Congress of China Publishes Draft of New Data Security Law

Overview of the Draft DSL

The draft DSL is composed of 51 articles across 7 chapters. Major legal compliance requirements can be found in Chapter 3 through Chapter 5, while legal prosecution and punishment are prescribed in Chapter 6. The summary of those compliance requirements includes:

• Data security administrative regulation (Chapter 3)
• Data security obligations (Chapter 4)
• Data services permission (Chapter 4)
• Data security regulation for administrative agency (Chapter 5)

The draft also defines various punishments, such as administrative fines, revocation of permits and business licenses, and administrative custody, as well as criminal prosecution where applicable, in accordance with relevant laws and administrative regulations. Multiple laws and regulatory rules can also be referenced for legal enforcement, including Public Security Administration Punishment Law, Criminal Law and National Security Law of China.

Compliance Requirements of the Draft DSL

The draft DSL prescribes multiple compliance requirements and obligations for companies to control and process data. The law considers data as assets that have strategic significance and implications for geopolitical competition. It is intended to establish new international rules under the control of China, from which the Chinese government expects to gain advantages from economic and security perspectives. Meanwhile, the law is developed to increase the controls on information transmission for avoiding negative impacts to China.

To see the major compliance requirements in the DSL, refer to the pdf.

Compliance Implications

Sensitive Data Protection in Critical Industries

The draft DSL empowers legal enforcement agencies to inspect and review data security. Meanwhile, companies are required to cooperate with security agencies for investigations on suspected violations. Moreover, under Article 31, online data processing services will be controlled by industry regulatory agencies. These legal requirements might expose sensitive data to scrutiny or inspection, or even external access. Such exposure might lead to legal dispute, reputation damage and intellectual property loss. Such exposure of sensitive information in certain industries could raise concern to the multinational companies in those industries. Some examples are:

• Innovative Information Technology: cloud computing, big data, IoT, artificial intelligence, etc.
• High-Tech Equipment and Intelligent Manufacturing: aerospace, marine engineering, integrated circuit, etc.
• Biological Industry: biomedicine, biotechnology, genetic data, stem cell research, etc.
• New Energy: new power generation, energy-saving technology, etc.
• Environment Protection: pollution prevention and solution, resource recycling, waste disposal, etc.
• Material Industry: high-strength low-alloy steel, superalloy, high-temperature plastic materials, etc.
• Digital Innovation: virtual reality, augmented reality, digital interaction and design, etc.
• New-Energy Automobile: new-energy battery, connected drive, energy storage, energy conversion, etc.

Compliance Risk on Data Access Request

The draft DSL claims legal obligations and administrative controls over all personnel in related companies (or local subsidiaries of multinational companies), including third-party service providers. This means that law enforcement forces or industry regulatory agencies can directly request data from anyone in the companies. Declining the request for data may put the requested person at risk of administrative and criminal punishment. However, complying with the data request may require the person to make decisions for disclosing personal and confidential information. Subsequently, this may put the companies (or other subsidiaries or the headquarters of the multinational companies) at risk for legal sanctions from another sovereign state, business or civil litigation, or reputation damage, as well as significant revenue loss.

Compliance Risk on Third-Party Services

The draft DSL requires extra licenses for online data processing service providers – on top of the current Secondary Telecommunication Services (B21) and Electronic Data Interchange (EDI) licenses.

This requires further effort from companies and service providers. Companies will need to review the license of existing service providers. If the service providers do not have the extra license, companies might need to change to a new service provider, which may lead to unexpected investment and effort.

Technical Feasibility and Consistency

The draft DSL has granted authority to multiple ministries and commissions, as well as industry regulatory agencies. This will require legal entities to comply with legal requirements at different levels: central government, provinces, cities and industries. These requirements may be not consistent with each other since each administrative bodies might have their own interest to reflect. Furthermore, as most enterprises have their own security policies and architecture designs, the DSL requirements may not be consistent with the policies and designs of the companies.

Next Steps

In response to the increased data important to economic development and geopolitical competition, China’s Data Security Law, if passed, will mean enterprises will likely face more security compliance obligations, placing further demands on already over-burdened IT divisions. Companies should be continue to monitor developments related to the law and should keep the management team informed as they begin to proactively devise their approach for complying with the new standards, should they become law.