China’s fast-growing digital economy is behind a series of new regulations aimed at protecting personal information and preventing businesses from using unauthorized data.
The Data Security Law contains provisions that cover the usage, collection, and protection of data, and establishes fines and even suspension of business for violations, expanding the scope of the existing Cybersecurity Law.
Effective since September 1, 2021, the Data Security Law establishes how data is used, collected, developed, and protected in China. It emphasizes top-down coordination of data security implementation among local governments and differentiated fines based on the severity of violations.
The person directly in charge of implementing compliance at the company is personally exposed to penalties. Currently, the law does not provide details on how to obtain the approval of the relevant competent authority, or which authorities will have the right to approve cross-border data sharing.
Although the law doesn’t provide detailed guidance, businesses should be aware of some key issues that could affect their daily operations, such as cross-border data transfers, which may be inevitable for foreign companies based in China that deal with investors abroad.
The Data Security Law establishes that the cross-border transfer of important data collected and generated by critical information infrastructure operators within China shall be governed by the Cybersecurity Law, under which data collected and generated by critical information infrastructure operators must be stored within the territory of China. Whenever such data needs to be transferred overseas, a security assessment must be performed first.
Important data refers to the data defined in Article 21 of the Data Security Law; the specific categories will be set out in the data classification and hierarchical protection catalogues developed by the respective regions and departments for the relevant industries and fields.
Critical information infrastructures refer to infrastructure in important industries and sectors, such as public communications, information service, energy, transport, water conservancy, finance, public service, and e-government, and other critical information infrastructure that – once damaged, disabled, or data disclosed – may severely threaten the national security and economy, people’s livelihood, and public interests.
For the cross-border transfer of important data collected and produced during operation by general data processors within the territory of China, the law states that security review measures shall be formulated by the state cyberspace administration in concert with the relevant departments under the State Council. For the moment, there are no specific rules for general data processors transferring important data abroad.
Data processors that illegally transfer important data overseas will be ordered by the relevant authority to make rectifications and given a warning, and may concurrently be fined not less than RMB 100,000 (US$15,460) but not more than RMB 1 million (US$154,600).
In serious cases, they will be fined not less than RMB 1 million (US$154,600) but not more than RMB 10 million (US$1.55 million), and may be ordered to suspend the relevant business or stop operations for rectification, and their business permit or license may be revoked. The person directly in charge and other directly liable persons will be fined between RMB 100,000 (US$15,460) and RMB 1 million (US$154,600).
Foreign companies operating in China should consider a cybersecurity audit to evaluate their practices. Businesses should also determine whether they fall within the scope of critical information infrastructure operators before transferring their data to overseas parties.
Because the demand for market-oriented data trading keeps growing, many data trading platforms have been created, such as Tianyancha, Qichacha, Tianyuan Data, Jingdong Cloud, Guiyang Big Data Exchange, and Shanghai Data Exchange Center, among others.
These data trading platforms act as intermediary service providers, offering a marketplace for data suppliers and data buyers, much like Amazon and Alibaba, except that the product here is data.
Until recently, there were no laws or regulations governing the data trading process, and the lack of standards often harmed the interests of the parties involved.
For the first time in China, the Data Security Law establishes a few formal requirements on the data trading process and serves as a starting point in fostering a healthy data trading market.
These requirements include verifying the origin of the data (it must not have been stolen or acquired by illegal means), verifying the identity of both parties to the transaction, and keeping records of the transaction.
Failure to comply with these requirements is subject to multiple penalties. Illegal gains will be confiscated and a fine of one to 10 times the gains will be imposed. If there are no illegal gains, or the gains are less than RMB 100,000 (US$15,460), the data intermediary service provider that fails to fulfill its obligations will be fined not less than RMB 100,000 (US$15,460) but not more than RMB 1 million (US$154,600).
It could also be required to stop the relevant business or halt operations entirely for rectification, or its relevant business permit or license could be revoked. At the same time, the person directly in charge and other liable persons will be fined between RMB 10,000 (US$1,546) and RMB 100,000 (US$15,460).
The Data Security Law does not clarify how intermediary service providers will be examined, or whether liability for a data provider’s non-compliance will be passed on to the intermediary service provider.
Additionally, the law touches on certain human aspects to ensure that everyone can have access to the convenience of the digital economy, including the elderly and the disabled.
In some cases, sellers or service providers refuse to accept cash while the elderly do not know how to use Alipay or WeChat Pay. Also, since the outbreak of COVID-19, in some cities people were denied access to public transportation or services because they failed to obtain the digital health code, implemented as a prevention measure.
The Data Security Law states that any organization or individual should take full consideration of the needs of the elderly and the disabled when designing and developing applications for public services.
Though the use of data has brought many conveniences to people’s lives, it has also exposed users’ personal information, making it vulnerable and easy to infringe upon.
For this reason, the law stipulates that data processing activities, and the research and development of new data technologies, carried out by any organization or individual shall be conducive to promoting economic and social development, shall enhance the well-being of the people, and shall comply with social morality and ethics.
In the past, Chinese authorities had focused more on legal and compliance issues regarding data processing activities, but the current law does it from a moral perspective as well.
The Data Security Law works together with the Cybersecurity Law, in force since June 1, 2017, and the Personal Information Protection Law (PIPL), which takes effect on November 1, 2021.
While the common goal of these three laws is to build a comprehensive legal framework to regulate the information and data security regime in China, their priorities are different.
The Cybersecurity Law was a milestone piece of legislation in mainland China and offers basic norms on certain issues that are of long-term importance. It creates a structured body of legislation built on previously existing cybersecurity rules and regulations.
The Cybersecurity Law also provides definitions on legal liability. For different types of illegal conduct, it sets a variety of punishments, such as fines, suspension for rectification, revocation of permits and business licenses, and others.
The Cybersecurity Law covers not only internet security, but also information security, communication security, computer security, and automation and control system security.
Significantly, the businesses affected by the Cybersecurity Law are not limited to those in the information technology (IT) industry.
Enterprises may be categorized into “network operators” and “Critical Information Infrastructure (CII) Operators” based on their type and their business scope. Companies should identify their category and learn the corresponding obligations.
The Cybersecurity Law defines network operators as network owners, network managers, and network service providers. In practice, most enterprises that operate networks today meet the definition of a network operator and are therefore subject to its responsibilities and obligations.