Updated: Jul 30, 2021
On June 10, 2021, the China's National People's Congress Standing Committee approved the Data Security Law, which will enter into force from September 1, 2021 and completes the approved discipline in 2017 with the Cybersecurity Law.
The new Data security law aims on the one hand to provide a solid legal basis for the Chinese digital economy, which regulates the data market and the protection of consumer privacy, and on the other hand to respond to geopolitical needs on digital sovereignty and national security protection.
It applies to all data processing activities within the Chinese territory. If such processing activities are likely to harm national security, public interests or the legitimate rights and interests of Chinese citizens or entities, an extraterritorial extension of the rules beyond Chinese borders is also envisaged. Furthermore, the Data Security Law allows China to adopt specific countermeasures against any foreign state that restricts, prohibits or discriminates against China in relation to the processing of data or the development of new technologies for the use of data (Article 26).
The Data Security law provides for a centralized state system for regulating the processing and exchange of data. Individuals and companies subject to this system must therefore comply with a series of data security risk protection, reporting and assessment obligations and be subject to legal limits in the cross-border transfer of data, under penalty of the application of important sanctions both towards natural and legal persons materially responsible for the violations (fines, revocation of licenses and permits, temporary limitations of economic activities). The details of the data governance rules are postponed to subsequent laws and regulations not yet approved.
The aforementioned security and compliance obligations vary according to a data classification system to be implemented with subsequent provisions.
Article 36 of the Data Security Law establishes the application of penalties of up to RMB 10 million (approximately € 1.31 million) for companies operating in China that transfer "core data" abroad without a prior approval of the Chinese government. "core data" means any information relating to the national and economic security of China, the well-being of citizens and a relevant public interest (Article 21 of the Law).
Instead, penalties of up to RMB 5 million (approximately € 655,000) may be applied for any overseas transfers of "fundamental data" without Chinese government approval. Article 45 of the Law provides for penalties of up to RMB 1 million (approximately € 131,000) for natural persons responsible for operations in violation of the protection of "fundamental data" (including unauthorized data transfers abroad). Fundamental data is not defined by the Data Security Law, which refers to a future national data security work coordination mechanism for data classification. All these sanctions are applied even if the requests for data in question are received by companies and private subjects from foreign judicial or police authorities. Data requests from foreign judicial or police authorities will be handled by the Chinese authorities according to the principles of equality and reciprocity in accordance with applicable laws and international treaties.
In conclusion, the Data Security Law makes data transfers outside of China more complicated and places all operators subject to both the Chinese Data Security Law and the US Cloud Act in a delicate situation.
The Cloud Act (Clarifying Lawful Overseas Use of Data) was approved in 2018 by the USA under the Trump Administration and obliges all US operators and foreign companies with a branch in the United States to communicate the data processed and stored abroad to the requesting American judicial or police authorities and intelligence agencies in the course of an investigation, litigation or prosecution.
Thus, by protecting its national security through the Data Security Law, China adds a new piece to the complicated geopolitical chessboard in the new information society.
Avv. Lifang Dong and Avv. Chiara Civitelli
This article is not a legal advice, but it has an informative function only. For personalized legal advice, contact us by e-mail firstname.lastname@example.org or by phone +39 06 916505710. © Dong & Partners International Law Firm, All rights reserved