China’s new Data Security Law: now what?
Ok, so the new Data Security Law (“DSL”) is out and takes effect on September 1st.
We finally have a reference law in China for non-personal data across its entire lifecycle (collection, storage, use, processing, transmission, provision, disclosure).
Now what?
The good
> the overall mindset of the regulator drafting this text is national safety and public order. Let’s remember that this angle is either absent or not as explicit in the EU or the US, for example, and is thus key to understanding any cybersecurity text in the PRC legal framework.
> data/network security remains a priority, and the first step is a standard grading: MLPS 2.0. No news here: the DSL simply confirms previous legal obligations scattered across measures, guidelines and standards. So what grade did your company get following its MLPS 2.0 audit performed by an official body?
The bad
> foreign companies may run into a cross-border conflict of compliance. When a foreign law enforcement agency requests data from them, they should obtain approval from an (unspecified) authority in the PRC prior to transfer. What happens if the PRC authority refuses or abstains from giving approval? The foreign company might face the impossible choice of breaching foreign law or breaching PRC law. Hopefully guidance from foreign authorities will clarify the process. How is your relationship with the data supervisory authority in your headquarters’ country?
> retaliation by the PRC in case of foreign restrictions on tech, which could sound out of place from a Western analytical perspective, but is totally adequate to protect national safety — the key driver of the DSL, as we know.
The unknown
> the DSL has an extra-territorial reach: data handling (controlling and/or processing, as understood from a GDPR perspective) activities performed outside PRC territory and harming PRC national safety or public order will be sanctioned. What form will enforcement take — especially if the handler has no corporate presence in the PRC? We’ll keep a sharp eye on future application of this provision.
> a new type of data, “core state data”, has been created but not clearly defined. The current description is “data related to national security, the lifeline of the national economy, important aspects of people’s livelihoods, and major public interests”, which obviously needs more granular criteria. Violations of obligations on this “core state data” are heavily sanctioned, giving the impression that such data is “more critical” than the “critical data” usually handled by critical information infrastructure operators. We’ll be looking forward to guidance from the CAC or a standard from TC260.
> clearing conflicts between administrations: who’s the top administration for data security in China? It should be the Cyberspace Administration of China (CAC), but the DSL mentions the “Central National Security Leadership Agency” — which is a generic way of saying “the highest authority on data topics”. Cybersecurity has always been a field in which several administrations compete (Ministry of Industry and Information Technology, Ministry of Public Security, Ministry of Commerce, and a myriad of industry-specific regulators, to name but a few) — and conflict in their interpretation of the law. We’ll be looking for conflicts, namely actual cases triggering conflict between administrations.
So are we done with new regulation on cybersecurity?
No, we’re just getting to the interesting part.
Chinese regulatory production is an iterative process:
a. set a direction with a general law without much technical substance.
b. complete the general law with sub-law pieces of regulation: measures, guidelines, standards, etc. Those texts usually follow either:
- a theme (a specific industry, autonomous driving, land mapping),
- a social threat (gaming addiction, online gambling, children’s use of online services), or
- a tech (VPN, encryption, cross-border data transfer, cloud computing, a form of software such as SaaS or mobile apps).
c. iterate step b as often as the topic evolves: new theme, new threat or new tech.
The result: thousands of texts covering a much broader scope than what we can see elsewhere (the EU GDPR, although a beautifully comprehensive text, only covers personal info). Several might overlap, a few might conflict.
The DSL stands as a strong and comprehensive step-b iteration, already echoing existing sub-law texts. It provides organisations handling non-personal data with clear angles to prepare and integrate into their compliance program (“the good and the bad”) and a margin of interpretation, with additional measures, guidance and cases to anticipate (“the unknown”).
Resources
Data Security Law in Chinese
http://www.xinhuanet.com/politics/2021-06/11/c_1127552204.htm
Data Security Law in English (unofficial translation)
https://www.chinalawtranslate.com/en/datasecuritylaw/
Meta info on the Data Security Law
https://npcobserver.com/legislation/data-security-law/
(featured image is “Comp lab cables 20171121 131906” by Kbh3rd, for network security regulation can sometimes look very much like cable management).