Data Security Law + Network Security Law

On June 10, 2021, the Standing Committee of the National People's Congress of China passed the Data Security Law ("DSL"). The DSL (see unofficial English translation here), which takes effect on September 1, 2021, marks China's first comprehensive data regulation regime and is one of three key frameworks supporting the nation's data and cybersecurity governance. The DSL will work in conjunction with China's 2017 Cybersecurity Law ("CSL"), which requires companies to improve the security of their data networks, and the Personal Information Protection Law ("PIPL"), passed on August 20, 2021 and effective as of November 1, 2021 (stay tuned to Orrick.com for future updates on this). These three data laws represent an increasingly comprehensive legal framework for privacy and data security in the world's second-largest economy. Given the broad extraterritorial reach of the DSL, international companies collecting data and doing business in China now have a new set of data rules to comply with. We summarize the main highlights and key points of the DSL below:

1. Scope of application and extraterritorial jurisdiction

The DSL governs not only data processing (including data collection, storage, use, processing, transmission, provision and disclosure) and management activities within China, but also activities outside China that may endanger China's national security or public interests, or damage the legitimate interests of Chinese citizens or organizations. It is unclear how this broad regulatory discretion will be enforced, and the extraterritorial effect of the law may depend on treaties and reciprocal agreements between China and other countries.

The DSL authorizes several Chinese government departments to oversee data security matters:

  • The central state leadership agency is responsible for issuing and supervising national data security strategies and major policies, and for establishing a national data security work coordination mechanism together with the department responsible for data security supervision and management.

  • Local governments and regulatory authorities are also responsible for data security in their respective regions and industries, and have the power to formulate specific catalogs of important data.

2. Data classification

The DSL empowers the Chinese central government to establish a hierarchical data classification system based on the importance of the data to the Chinese economy, national security, Chinese citizens' livelihoods, and public and private interests. The system would lead to stricter regulation of data deemed more important to China's national interests. So far, the DSL has focused on two categories of data that are subject to a higher level of regulation and protection: "Important Data" and "National Core Data". We discuss each in turn below.

Important data

The concept of "important data" was introduced in the CSL, which subjects cross-border transfers of important data by critical information infrastructure operators ("CIIOs") to enhanced protection, localization requirements and prior security assessments. CIIOs are typically entities operating in the fields of communications, information technology, finance, transportation, and energy. While the CSL only requires CIIOs to comply with enhanced oversight of important data, the DSL extends this requirement to all businesses that handle important data. Under the DSL, processors of important data must:

(i) identify the persons and bodies responsible for data security, and assign data security protection responsibilities; and

(ii) conduct regular risk assessments of data processing activities and submit risk assessment reports to the competent authorities.

While the CSL and DSL do not define "important data," the DSL states that a consortium of national-level agencies will develop a catalog of "important data" and requires local governments and regulators to develop more detailed catalogs determining the scope of "important data" for their respective regions and sectors. Therefore, international companies must comply with the broader national requirements as well as the region- and industry-specific catalogs of important data.

National core data

The DSL also introduces the concept of "national core data", a type of data that is more strictly regulated due to its relevance to national security, the national economy, people's livelihoods and important public interests. While further rules and regulations may detail the scope of national core data and its protection guidelines, violations of the national core data management system may be subject to fines of up to 10 million yuan (approximately US$1.56 million), revocation of business licenses, suspension of business or possible criminal penalties. The law also imposes penalties on entities that fail to cooperate with data requests from Chinese authorities on law enforcement or national security matters. Given the vague scope of this category,

3. General data security obligations of data processors

The DSL sets out a number of obligations that data processors must perform, including:

  • Establish a data security management system, take necessary technical measures to ensure data security, and conduct data security training;

  • Collect and use data by lawful and appropriate means, observing any restrictions imposed by laws and regulations on the purpose and scope of data collection and use; and

  • Monitor potential risks, and promptly notify users and take remedial measures once security incidents or defects are discovered.

As with frameworks such as the California Consumer Privacy Act ("CCPA") and the European Union's General Data Protection Regulation ("GDPR"), more sensitive data carries additional obligations to ensure that it is protected. Under the DSL, entities handling "important data" must appoint a data security officer, establish a data security management unit, conduct periodic assessments to monitor potential risks, and report the results of those assessments to the applicable government agency.

4. Cross-border data transfers

For cross-border transfers of "important data", the DSL establishes separate frameworks for CIIOs (as described above) and non-CIIOs. CIIOs must comply with the rules under the CSL, which require local storage of important data collected in China. If a CIIO must transfer data out of China for necessary business purposes, a security assessment is required in accordance with the procedures of the Cyberspace Administration of China ("CAC"). Regulators such as the CAC have yet to formulate rules for non-CIIO cross-border transfers.

For litigation and international legal proceedings, the DSL stipulates that no organization or individual in China may transfer data stored in China to any foreign judicial or law enforcement agency without the approval of the Chinese authorities. The specific authorities and details of the approval process are not specified in the DSL, but entities violating this requirement face fines of up to 1 million RMB (approximately $156,000), with additional fines for the responsible individuals. Entities whose breaches result in "serious consequences" could face fines of up to 10 million yuan (about $1.56 million), as well as possible suspension of business and revocation of their business licenses.

5. Penalties for Violations

Entities that violate their obligations under the DSL face severe penalties. In addition to the penalties described above, Chinese authorities may impose fines of up to RMB 500,000 (approximately US$77,000) on offending entities, additional fines on those responsible, and mandatory remedial measures. If an entity fails to take remedial action after being warned, or if a security incident results in serious consequences (such as a large-scale data breach), the entity may face a fine of up to RMB 2 million (approximately $310,000), and possibly suspension of business and revocation of its business license.

Additionally, the DSL authorizes the Chinese central government to respond in kind to any foreign government that allegedly discriminates against Chinese interests in data technology-related investments and trade.

6. Next steps

Many of the DSL's requirements appear similar to those of other data security laws, especially the GDPR. However, the DSL establishes a broader framework than the GDPR: it governs not only the personal data of Chinese citizens but also data of importance to China's national security and economy, and its data transfer restrictions are much stricter than those of the GDPR. While many key implementation details remain unclear and subject to future regulatory rulemaking, companies doing business in China should review their data processing activities for non-compliance risks.

We recommend that international companies doing business in China assess whether and how the DSL applies to their data processing activities, and what further data security measures should be implemented. The DSL is in effect, so it is time for companies to comply with the law's broad obligations. Companies should take the following steps to assess risk:

  • Consider whether any data you process may be considered "National Core Data" or "Important Data" under the DSL;

  • Identify responsible persons and create internal procedures and governance committees for data security and compliance;

  • Conduct regular risk assessments of data processing activities and submit reports of such risk assessments to the competent authorities;

  • Take steps to minimize data processing security risks and establish contingency plans to respond to security incidents; and

  • Conduct a data-mapping exercise to determine if you are exporting data collected in China outside of China, and to identify any data processing that could impact China's national security and be subject to greater regulatory scrutiny.

Stay tuned: Orrick will continue to monitor regulatory developments and upcoming rules related to the DSL, as well as the implementation of the upcoming PIPL, which will come into effect on November 1, 2021.
