Navigate China’s Data Security Law: Ensure Compliance and Mitigate Potential Risks

June 2021

Co-Authors
Jet Deng, Partner, Beijing Office
Ken Dai, Partner, Shanghai Office

Content
Overview
I. Scope of Application
II. Enforcement Authorities
III. Highlights for Data Security Compliance
IV. Legal Liabilities
V. Conclusion and Looking Forward
Appendix: Data Security Law of the People’s Republic of China

Overview

China is set to reach a new height in strengthening national security in the data domain. On June 10, 2021, China adopted the closely watched Data Security Law (the “DSL”) at the 29th Meeting of the Standing Committee of the 13th National People’s Congress, China’s top legislature. The widely applicable DSL, which has extraterritorial effect, clarifies the State’s regulatory system for data security, requires data security protection obligations to be performed, and, building on the second draft of the DSL, further increases the penalties.

Because the DSL will come into effect as of September 1, 2021, entities to which the law applies are advised to use the short grace period to establish the relevant compliance systems and perform the required data security protection obligations as soon as possible, in order to be prepared for the upcoming implementation of the new legislation.

This alert provides a general picture of the DSL and discusses the possible impacts of this law on entities operating in China, as well as the key points to pay attention to when conducting data compliance in accordance with this law.

I. Scope of Application

According to Article 2 of the DSL, the law applies to data processing activities carried out within the territory of China and to the security regulation of those activities. Meanwhile, data processing activities carried out outside of the territory of China that harm the national security, public interests or lawful interests of citizens or organizations of China will be held liable in accordance with the law. This provision gives the law a degree of extraterritorial effect, which is consistent with the practice of countries around the world of extending their jurisdiction over data through legislation. This means that entities processing data outside of China may also be governed by this law.

In addition, under the DSL, “data” is broadly defined as any record of information in electronic or non-electronic form, and “data processing” broadly includes activities such as collection, storage, use, refining, transfer, provision and disclosure of data.

II. Enforcement Authorities

Similar to the regulation of personal information protection in China, data security is also regulated by multiple parties. On this basis, the DSL clarifies that the central national security leadership agency (namely the National Security Commission) is responsible for decision-making and coordination of data security-related work, and that other regulatory departments such as the Cyberspace Administration of China and the Ministry of Public Security, the competent authorities of industries such as finance and healthcare, and local governments are responsible for the relevant regulation of data security within their respective scope of duties.

As the DSL does not change the current polycentric supervision of data security, but maintains this status quo to some extent, the data processing activities of an entity may in practice be subject to regulation by multiple law enforcement authorities, each with a different perspective.

III. Highlights for Data Security Compliance

The DSL creates a series of data security systems, including data categorization and classification, data security review, etc., and establishes a basic framework for data security. At the same time, this law puts forward some data security protection obligations for entities carrying out data processing activities, a