From German Chamber of Commerce in China Presentation “Data Security Law Effective 1 September 2021”
Passed by the Standing Committee of the National People’s Congress on 10 June 2021, the Data Security Law (DSL) takes effect on 1 September 2021.
With “data” broadly defined as any electronic or non-electronic record of information, the DSL affects corporate production, management, and other operations alike.
Because the DSL governs two highly consequential topics, data and security, at a time of rapid data growth and increasing security concerns, the resulting legal regime is complex and intertwined with other laws.
What is the Essence of the Data Security Law?
Data refers to any record of information in electronic or non-electronic form. Data security refers to ensuring, through necessary measures, that data is effectively protected and lawfully used, and that it remains so. Data processing includes activities such as the collection, storage, use, refinement, transfer, provision, or public disclosure of data. A classified and graded data protection scheme is to be specified later (definitions: Article 3; classification: Article 21).
The Chinese Communist Party’s (CCP) directive is that data is now a factor of production, on a par with labor, capital, land, and technology.
Data Security Law’s Supervision, Compliance, and Penalties.
The DSL sets up multiple authorities for enterprises to navigate and various obligations to fulfill. As China aims to safeguard its economic interests and national sovereignty, violations of the DSL can lead to serious penalties for both enterprises and their representatives.
What to Do Now?
While watching for government clarification of terms such as “important data” and “state core data” and the corresponding compliance requirements, businesses should already begin meeting the Law’s requirements by following the recommendations below. Some provisions may not directly affect business operations, but companies should still be aware of them.
Before more specific compliance requirements regarding important data and state core data are released, all companies processing data should consider the following initial recommendations for implementing the requirements laid out in the Data Security Law.
Additional Articles of China’s Data Security Law to consider:
Extraterritoriality: Data processing activities conducted outside China that harm China’s national security, public interests, or the lawful rights and interests of Chinese citizens or organizations are subject to the DSL (Article 2).
Retaliation Clause: Where any country adopts discriminatory, restrictive measures against China in relation to data, China may take reciprocal measures (Article 26).
Whistle Blowing: Any individual or organization may report violations to the authorities (Article 12).
Security Review: China conducts a national security review of data processing activities that affect, or may affect, national security (Article 24).
Export Control: China exercises export controls on data that constitutes a controlled item (Article 25).
Recommendations from The German Chamber of Commerce
- Review your corporate bylaws and related documents and incorporate data security responsibility, broken down into actionable tasks that are assigned to named personnel where possible.
- Review the terms of reference of the IT department and/or the job descriptions of IT personnel, making sure that IT system security is strictly maintained and that the necessary equipment and technologies are in place; since offline data is equally covered by the Law, make sure offline data is secured too.
- Set up mechanisms for regular risk monitoring, make contingency plans including reporting procedures and remedial measures, and ensure these mechanisms and processes are well documented.
- Establish monthly or quarterly meetings and conduct training for personnel, keeping good records of both the meetings and the training sessions.
- Scrutinize the parts of your business operation that involve data collection against the applicable provisions, ensuring that the stated purposes and scope of data collection are strictly followed.
About the German Chamber of Commerce in China
The German Chamber of Commerce is the official membership organization for German companies in China, and has currently more than 2,300 members. The German Chamber helps its members to succeed in China by providing up to date market information and practical advice. It offers a platform for the German business community and represents its members’ interests towards stakeholders including government bodies and the public.
Website: www.china.ahk.de
Locations: Beijing, Guangzhou, Shanghai
Data Security Law of China Checklist
From Dentons’ Publication “Data Security Law of China Checklist”
On 10 June 2021, the Data Security Law (the “DSL”) was passed by the Standing Committee of the National People’s Congress and will take effect on 1 September 2021.
The DSL serves as the fundamental legislation in the field of data security and compliance. It imposes various obligations on entities that process any amount of data, whether inside or outside China. A series of implementation rules clarifying these obligations is expected to follow.
How can multinational corporations prepare for compliance at this stage?
We have prepared the following DSL Checklist to help companies grasp the important points and understand what they should do next to adapt to these rules more smoothly.
You should also be aware of the consequences of a violation. The legal liabilities may include a warning, a correction order, a fine, suspension of business, and revocation of the business license. This Checklist can serve as a quick-reference guide.
In addition, you should pay close attention to relevant regulatory updates, and it is highly recommended to seek help from professional law firms in building reliable company policies and systems.
The DSL Compliance Checklist:
Category 1: Scope of Application and Extraterritorial Reach
Application Scope and Extraterritorial Reach (Article 2 of DSL)
Assess whether your organization is processing any data in China.
- Note: “data” under the DSL refers to any record of information in electronic or non-electronic form.
- Note: “data processing” includes activities such as the collection, storage, use, refinement, transfer, provision, or public disclosure of data.
Assess whether your organization is processing any data outside China, which may have an impact on the national security, public interests, or the lawful rights and interests of citizens or organizations in China.
- Note: this clause gives the DSL a broad extraterritorial reach, and the DSL itself does not give typical examples of such cases. In general, processing data collected or generated from business operations in China will be caught by this clause.
Category 2: General Considerations for Data Processing
2.1 Data Governance
Policy Framework (Articles 27, 33 of DSL)
Introduce external-facing terms of service, policies, guidelines, and/or directions (“Policies and Guidelines”), or review your existing Policies and Guidelines and amend them to ensure compliance with the relevant requirements of the DSL.
Introduce an internal data security governance model and the corresponding operating guidelines, or review your existing internal Policies and Guidelines and adjust them to ensure compliance with the relevant requirements.
Implement policies on technical measures such as data encryption, data back-up and access control to ensure security.
If your organization provides intermediary services for data transactions, for example as a data broker, establish a policy for verifying the identity of both the data provider and the data recipient.
Incident Response (Article 29 of DSL)
Establish a response policy for data security incidents.
Establish a mechanism for notifying users and the authorities of data security incidents.
Trainings and Education (Article 27 of DSL)
Provide education and training programs on data security to employees with a role in data processing, security, or compliance.
2.2 Data Security Measures and Obligations
Data Operation (Articles 29, 32, 34 of DSL)
Check that your data comes from legal and proper sources, for example by:
- clarifying the scope, purpose, method, and security measures for the data collected in each business scenario, where you collect the data yourself;
- ensuring that there are measures to verify, or contractual commitments regarding, the lawfulness of the data source where the data is collected and provided by others, and keeping the relevant records.
Obtain an administrative license where laws or administrative regulations require one for the data processing concerned.
Conduct risk monitoring and adopt remedial measures immediately when your organization identifies risks such as data security defects or breaches.
Multi-Level Protection Scheme (MLPS) of Cybersecurity (Article 27 of DSL)
Check that an MLPS assessment has been properly conducted.
Perform the data security obligations imposed by the DSL in line with the requirements of the corresponding security level (1 to 5) under the MLPS.
Classification and Categorization of Data (Article 21 of DSL)
Monitor updates issued by sectoral authorities and local authorities on catalogues of Important Data and National Core Data and ensure that they are implemented in your classification and categorization of data.
- Note: Important Data refers to “data that is closely related to national security, economic development and societal and public interests”.
- Note: National Core Data refers to “data related to national security, the lifeblood of the national economy, people’s wellbeing, and public interests, which is subject to a stricter management system”.
Provide E-gov Vendor Services to State Agencies (Article 40 of DSL)
Obtain the relevant approval and fulfill the corresponding data security protection obligations in accordance with laws, regulations, and contractual agreements. Do not retain, use, disclose, or provide government affairs data to others without authorization.
2.3 Export Control over Data
Export Control (Article 25 of DSL)
Monitor updates related to China’s Export Control Law and check the control list to determine whether it applies to any of your data; if it does:
- keep up to date with the regulations and enforcement activities of the enforcement bodies, including the Ministry of Commerce, the Ministry of Industry and Information Technology, and the Central Military Commission;
- isolate the data of controlled items from other data and implement differentiated access control for that data between Chinese and non-Chinese employees.
Check the license application procedures for controlled items.
2.4 Data Security Review
Data Security Review (Article 24 of DSL)
Establish an internal review procedure prior to the launch of new projects involving Important Data or National Core Data, and of new data processing activities that may have an impact on China’s national security.
Monitor updates related to the Cybersecurity Review Measures and their enforcement.
- Note: the Cybersecurity Review Measures issued in June 2020 are being amended on an accelerated timetable following the cybersecurity review of Didi launched in early July 2021. The revised draft for public comment sets out the procedures and key considerations for the national security review under the DSL.
2.5 Access to Data by Authority
Data Access by Chinese Authorities (Article 35 of DSL)
Cooperate with the Chinese public security and national security agencies when they need to access data for legitimate purposes, such as safeguarding national security or investigating crimes, and through the procedures prescribed by law.
Confirm whether the requesting authority can produce the official approval documents for the data access.
Restrictions on Data Transfer to Foreign Authorities (Article 36 of DSL)
Report to the competent Chinese authorities and obtain their approval before providing data in response to a request from a foreign judicial or law enforcement agency.
Category 3 Additional Considerations for Processing Important Data
Personnel (Article 27 of DSL)
If your organization processes any Important Data, designate specific personnel and a department to manage data security matters, and set out clear functions, roles, responsibilities, and reporting lines for them.
Risk Assessment (Article 30 of DSL)
Carry out regular risk assessments of processing activities involving Important Data or National Core Data.
Communicate proactively with the competent authorities on risk assessment and submit reports on request or as required by regulation.
Cross-border Data Transfer (Article 31 of DSL)
Assess whether your organization may be considered a critical information infrastructure operator (“CIIO”).
If it is a CIIO, store all Important Data collected and generated from business operations in China within China; where export of such data is necessary, it must first pass the security assessment conducted by the authorities.
As a best practice, store Important Data collected and generated from business operations in China within China even if your organization is not a CIIO.
About Dentons
Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. Founded in March 2013 by the merger of SNR Denton, Fraser Milner Casgrain and Salans and following its merger with Chinese law firm Dacheng (大成) in November 2015, Dentons became the largest law firm in the world by number of lawyers and has the most offices of any law firm in the world, covering every continent.
As of 2020, Dentons operates in 77 countries, has 190 offices. The firm has no headquarters, although the firm’s senior leadership are primarily based in Beijing, London and Washington D.C.
Please visit dentons.com for Legal Notices.
