China Publishes Draft Data Security Law

Written by: Brett Lawrence, Esq. and Brock Wolf

After deliberating a draft Data Security Law from June 28 to June 30, 2020, China’s Standing Committee of the National People’s Congress (“NPC”) published the draft law on July 2, 2020. The draft law calls for China to develop a “standard, interconnected and interactive, secure and controllable” open platform for government data. Such a platform will promote data-sharing with the government, reducing the costs of obtaining and distributing data. The law also imposes penalties on organizations and individuals, both domestic and foreign, that violate the law.

The NPC will likely pass the law later this year. The draft has been published to the NPC website for public comment. The comment period is open until August 16, 2020.

Scope of the Law

Notably, the law imposes legal liability on entities within China, as well as entities outside of China, that “engage in data activities that harm the national security, the public interest, or the lawful interest” of Chinese citizens or organizations. “Data activities” is defined as the collection, storage, processing, use, provision, transaction, and publication of data. The law does not govern data activities that involve state secrets and military information, leaving that to existing Chinese laws and regulations.


The draft provides that regional governments and central government departments will establish different classifications of data based on importance to economic and social development and national security. Different protection measures will be taken based on these data classifications.

China will develop a data security emergency response mechanism to mitigate damage and alert the public in the event of a data security incident. China will also implement a data security review system.

The draft law also provides that, if any country acts in a discriminatory manner against China with respect to investment or trade relating to data, China may adopt corresponding measures directed at that country.

Obligations of Entities Conducting “Data Activities”

Entities that conduct data activities will be subject to many obligations. Under the draft law, entities conducting data activities must:

  • Establish and complete a data security management system;
  • Conduct data security education and training;
  • Adopt corresponding technical measures to ensure data security;
  • Establish data security personnel and management bodies;
  • Strengthen their risk monitoring capabilities and adopt remedial measures promptly following any data security incidents; and
  • Notify the regulator and users following a data security incident.

Data brokers have their own set of responsibilities under the law, including: requesting that a data provider explain the source of their data; examining and verifying identities; and retaining examination, verification, and transaction records.

Entities providing online data processing or similar services will be required to obtain business licenses as mandated by forthcoming telecommunications regulations.

Legal Liability

The draft law imposes a variety of penalties for noncompliance. The minimum and maximum amounts are listed below:

  • 10,000 RMB ($1,428)–100,000 RMB ($14,286) if an entity fails to meet data security protection obligations or does not implement required measures;
  • 5,000 RMB ($714)–50,000 RMB ($7,143) to individuals who immediately manage personnel in a violating organization;
  • 100,000 RMB ($14,286)–1,000,000 RMB ($142,861) if an entity refuses to rectify noncompliance or its conduct results in a large data leak; and
  • 10,000 RMB ($1,428)–100,000 RMB ($14,286) to individuals immediately managing personnel in a violating organization.

In addition to fines, entities that fail to satisfy requirements of the law may be subject to correction orders or warnings.


Once the draft law goes into effect, it will likely become the centerpiece of China’s data security framework. Businesses that transact in China should be aware of whether their data practices are permissible under this law, and should monitor for when additional regulations are developed.
