The Standing Committee of the 13th National People’s Congress passed the Data Security Law of the People’s Republic of China (the “DSL”) on June 10, 2021, and it took effect on September 1, 2021. The DSL, among other things, regulates how data is handled, safeguards data security, and protects the lawful rights and interests of individuals and organizations. The key provisions and the obligations it introduces for operators are summarised below.
(Article 2 – Territorial scope)
The DSL applies to data handling activities, and to the security regulation of those activities, carried out within the People’s Republic of China (the “PRC”).
The DSL also reaches data handling activities carried out outside the PRC that harm public safety, national security, or the lawful rights and interests of individuals and organizations; in such cases, legal liability will be pursued against those responsible.
Article 3 of the DSL defines the following terms.
Data: any record of information, whether in electronic or other form.
Data handling: the collection, storage, use, processing, transmission, provision, disclosure, etc. of data.
Data security: ensuring, through the necessary measures, that data is effectively protected and lawfully used, and maintaining a sustained state of security.
(Article 8 – Data handling activities)
According to the DSL, data handling activities must be carried out in compliance with laws and regulations, must respect social morality and ethics as well as business and professional ethics, and must honour the obligation to safeguard data security.
The DSL further stipulates that data handling activities cannot jeopardize public interest, individual or organizational legal rights, or national security.
(Article 10 – Industry organisations)
The DSL requires relevant industry organisations, in accordance with their charters, to formulate data security codes of conduct and group standards, strengthen industry self-discipline, guide members in strengthening data security protection, raise the level of data security protection, and promote the healthy development of the industry.
(Article 32 – Lawful processing)
The DSL states that organisations and individuals collecting data must use lawful and appropriate methods and must not steal data or obtain it through other illegal means.
Further, where laws and administrative regulations set the purpose and scope of collection and use, the DSL requires data to be collected and used within the purpose and scope provided for in those laws and administrative regulations.
Obligations for operators
(Article 27 – Data security management systems)
The DSL stipulates that data handling activities must comply with laws and regulations.
In addition, the DSL requires that a data security management system covering the entire data lifecycle be established and improved, that data security education and training be organised and carried out, and that corresponding technical measures and other necessary measures be adopted to safeguard data security.
Furthermore, data handling activities carried out over the internet or other information networks must comply with the multi-level protection scheme for cybersecurity and fulfil the data security protection obligations outlined above.
(Article 27 – Responsible persons)
Under the DSL, those handling important data must designate a person responsible for data security and a data security management body to carry out data security protection responsibilities.
(Article 29 – Data security incidents)
The DSL requires those carrying out data handling activities to strengthen risk monitoring; where risks such as data security flaws or vulnerabilities are discovered, remedial measures must be taken immediately, and where a data security incident occurs, response measures must be taken immediately.
In addition, the DSL requires that users be promptly notified and that reports be made to the relevant regulatory departments.
(Article 30 – Risk assessment)
The DSL requires those handling important data to periodically carry out risk assessments of their data handling activities as provided and to submit risk assessment reports to the relevant regulatory departments.
The risk assessment reports must include:
the types and amounts of important data being handled;
the circumstances of the data handling activities; and
the data risks faced and methods for addressing them.
(Article 31 – Export control)
The DSL states that the provisions of the Cybersecurity Law 2016 apply to the security management of data transferred outside the PRC that was collected or produced by critical information infrastructure operators inside the PRC.
Further to the above, the DSL provides that security management measures for the export of important data from the PRC that was collected or produced by other data handlers within the PRC will be drafted by the Cybersecurity Administration of China (‘CAC’) in conjunction with the relevant departments of the State Council.
(Articles 33 and 34 – Vendor management)
Under the DSL, institutions engaged in data transaction intermediary services must do the following:
require the party providing the data to explain the source of the data;
examine and verify the identities of both parties to the transactions; and
retain verification and transaction records.
In addition, where laws and administrative regulations require a permit for the provision of services related to data handling, service providers must obtain such permits in accordance with law.
(Article 12 – Complaints)
The DSL provides that all individuals and organisations have the right to make complaints or reports to the relevant departments regarding violations of the provisions of the DSL.
The relevant regulatory departments will preserve the confidentiality of complainants’ or informants’ information and protect their lawful rights and interests.
(Articles 44 to 48 – Monetary penalties)
Where organisations or individuals conducting data handling activities fail to perform the data security protection obligations set out in Articles 27, 29 and 30, the DSL stipulates that the relevant department may order correction and issue a warning, and may impose a fine of between RMB 50,000 (approx. €6,500) and RMB 500,000 (approx. €65,300). Directly responsible personnel may also be fined between RMB 10,000 (approx. €1,300) and RMB 100,000 (approx. €13,000).
In addition, the DSL establishes that those who refuse to make corrections or cause serious consequences, such as a large-scale data leak, are to be fined between RMB 500,000 (approx. €65,300) and RMB 2 million (approx. €261,000), while directly responsible personnel are to be fined between RMB 50,000 (approx. €6,500) and RMB 200,000 (approx. €26,100).
With regards to important data, where such data is sent abroad in violation of the provisions of Article 31 of the DSL, the relevant departments may impose a correction order and warning, as well as a fine between RMB 100,000 (approx. €13,000) and RMB 1 million (approx. €130,000).
If circumstances are serious, such organisation or individual may be ordered to suspend relevant operations and shall be fined between RMB 1 million (approx. €130,000) and RMB 10 million (approx. €1.3 million).
Under the DSL, institutions engaged in data transaction intermediary services that fail to perform the obligations provided by Article 33 may be subject to a correction order, confiscation of unlawful gains, suspension of relevant operations, or suspension or revocation of relevant business permits or licences.
In addition, a fine of up to ten times the amount of the unlawful gains or, where there are no unlawful gains or the unlawful gains are less than RMB 100,000 (approx. €13,000), a fine of up to RMB 1 million (approx. €130,000) is to be imposed. Directly responsible personnel are to be fined between RMB 10,000 (approx. €1,300) and RMB 100,000 (approx. €13,000).
(Article 36 – Providing data to foreign judicial and law enforcement authorities)
Where Article 36 of the DSL is violated, the DSL stipulates that the relevant departments are to order correction and may impose a fine of between RMB 100,000 (approx. €13,000) and RMB 1 million (approx. €130,000), and a fine of between RMB 10,000 (approx. €1,300) and RMB 100,000 (approx. €13,000) on directly responsible personnel.
Where serious consequences result, the DSL imposes a fine of between RMB 1 million (approx. €130,000) and RMB 5 million (approx. €653,400); the suspension of relevant operations, or the suspension or revocation of relevant business permits or licences, may also be ordered, and directly responsible personnel are to be fined between RMB 50,000 (approx. €6,500) and RMB 500,000 (approx. €65,300).
(Article 52 – Civil and criminal liability)
The DSL establishes that where a violation of its provisions causes harm to others, the organisation or individual concerned bears civil liability in accordance with law.
In addition, where a violation of the DSL constitutes a violation of public security administration, the DSL clarifies that public security administrative sanctions will be given in accordance with law.
Similarly, where a crime is constituted, criminal responsibility will be pursued in accordance with law.