At this point, we all know about the ongoing situation with recently IPOed companies and other similar businesses. While the timing is interesting, we believe that viewing it through the limited optics of IPO considerations is wrongheaded and draws far too straight a line between IPO and enforcement of such regulations in China. It is better to acknowledge that these regulations have been in the works for months, if not years, and professionals in the area have been warning that things like this would happen sooner rather than later. So, none of these enforcement actions should come as a surprise to anybody who has closely followed the evolution of China’s cybersecurity and data framework over the past couple years.
On that note, 10 June 2021 saw the 29th Session of the Standing Committee of the Thirteenth National People’s Congress formally adopted the Data Security Law of the People’s Republic of China (“DSL“). The DSL is an integral part of the emerging data security framework in China, and will come into force on 1 September 2021. The new law provides further incremental guidance on how China will address data security and related issues going forward. Below are some of what we believe to be the highlights.
I. Definition and Clarification of “Data Processing”
The DSL defines “Data processing” as including the “collection, storage, use, processing, transmission, provision and public disclosure of data, etc.”, covering the entire process of data processing, which is also in line with the definition of “processing of personal information” in the Civil Code.
II. Further Clarity Regarding Data Security Management
Article 6 of the DSL clarifies that the national cyberspace authority shall conduct overall coordination of cyber data security and related supervision work, while industrial sectors such as telecom, transportation, finance, natural resources, health, education, science and technology, and other departments shall focus on and supervise data security in their respective fields. Additionally, the PSB and other national security authorities shall supervise data security within their respective purviews. The overarching coordination mechanism is meant to ensure that coherence and continuity, while also accounting for differences between different regions, departments and industries.
III. Data Protection
The DSL lays out a somewhat more clear system for data protection according to different levels of importance, differentiated in a number of nuanced ways, including a further categorized and hierarchical set of requirements based on the things mentioned above, but also breaking data out into larger categories such as important data and national core data. This reflects the national security and data sovereignty focus that we have mentioned in previous articles.
Ⅳ. Clarifying the Data Security Review System
Article 24 of the DSL stipulates clarifies the scope of the data security review to include “data processing activities that affect or may affect national security”. At the same time, the DSL specifies that “a security review decision made in accordance with the law shall be final”, which means that the decision on security review takes effect as soon as it is made, excluding the possibility of appeal.
V. “Blocking” Language
Article 36 of the Law stipulates that whenever any entity handles requests from foreign judicial or law enforcement authorities, the provision of data shall be subject to the approval of the competent authorities. This is a significant provision, and it remains to be seen how this will play out in practice.
We have been talking about this for a while, but at this point it is clear that we are entering a new era of data regulation in China. There is more to come, and much depends on forthcoming implementing regulations, but we believe that China’s cybersecurity framework, in which the DSL plays an integral role, is now clearer in terms of the considerations required by virtually all businesses in China, and the actions required. Please do not hesitate to reach out if you have any questions.