Three major changes in draft Data Security Law

By Shan Tao, ETR Law Firm

The National People’s Congress Standing Committee conducted the initial review of the second review draft of the Data Security Law in June 2020. The draft makes three major changes to the law:

(1) it standardises the relevant terms;

(2) it improves the extraterritorial jurisdiction and protects national security; and

(3) it enhances the regulatory level and intensity.

Standardising relevant terms

The subject of protection and regulation is amended from “citizens” to “individuals”, which expands the scope of protection and regulation. This means that non-citizens of China are also covered by the provisions of this law if they are involved with the issues governed by it.

The object of protection and regulation is amended from “data activities” to “data processing activities” – which is both more accurate and in line with internationally accepted expressions. Europe’s General Data Protection Regulation (GDPR), for example, mainly uses the term “data processing”.


Improving extraterritorial jurisdiction

Article 2 of the draft amends “data activities carried out by organisations and individuals outside the People’s Republic of China” to “data processing activities carried out outside the People’s Republic of China”, adjusting the nature of data activities from “personal jurisdiction” to “territorial jurisdiction”. The provisions of this Law shall apply to the relevant acts outside of the PRC.

Article 24 of the draft amends “safeguarding national security” to “safeguarding national security and interests”, takes “national interests” as the object of protection, and expands the protection of export control.

The draft adds article 30, to clarify the special protection of “critical information infrastructure”, which reads: “The provisions of the Cybersecurity Law shall govern the cross-border transfer management of important data collected and generated in the PRC by critical information infrastructure operators; the cross-border transfer management measures of other data processors collecting and generating important information in the PRC will be formulated by the National Cyberspace departments and the State Council.”

Article 35 of the draft is amended in three respects. First, it amends who can retrieve the data outside the country, from “overseas law enforcement agencies” to “judicial or law enforcement agencies outside the PRC”, clarifying that judicial agencies must also follow the requirements of this law.

Second, “the relevant organisations and individuals shall report to the relevant competent authorities and may provide the data only after obtaining approval” is amended to “the information shall not be provided unless approved by the competent authorities of the PRC”, which on the one hand exempts the subject from the obligation to report, and on the other hand strengthens the wording of the mandatory requirement of approval.

Third, the provision, “Where international treaties and agreements concluded or participated in by the PRC have provisions for foreign law enforcement agencies accessing domestic data, such provisions shall be followed”, is amended to, “Where international treaties and agreements concluded or participated in by the PRC have provisions, such provisions may be followed”, and clearly defines the criteria of whether to implement or not.

Increasing regulatory efforts

The draft also adds a new article 10, which reads “the relevant industry organisations shall, following their bylaws, develop a code of conduct for data security, strengthen industry self-regulation, guide members to strengthen data security protection, improve the level of data security protection, and promote the healthy development of the industry”, which makes self-regulation a legal requirement.

One foreseeable outcome is that the development of the industry will be more compliant, and more and more industry standards and norms will appear.

The draft also broadens the responsibility for “digital economy planning” from the “provincial people’s government” to the “people’s government at or above the county level”, which means that in future, county-level people’s governments should include digital economy planning in their economic development plans.

Article 19 of the draft stipulates that “data will be protected according to various classes and types”, while the draft clearly states in the first sentence of article 20 that “the state is to establish a data protection system based on classification and type”. The importance of the two is very different, which also makes it clear that the protection based on classification and type of data will be one of the basic systems of data security law, rather than just a means of protection.

Article 31 of the draft stipulates that for “special operators to provide online data processing and other services”, they need to obtain a “licence or record”, while article 33 clarifies that “where laws and administrative regulations stipulate that administrative licences shall be obtained to provide data processing-related services, the service provider shall obtain such an administrative licence”. In future, then, data processing services will be included in the scope of prior supervision and administrative licensing. This also reflects the state’s strong regulatory attitude toward data processing activities.

Article 40 provides that “the provisions of this chapter shall apply to the organisations with public affairs management functions to carry out data activities for the performance of public affairs management functions,” while article 42 is amended to read, “the provisions of this chapter shall apply to organisations with the management of public affairs functions authorised by laws and regulations to carry out data processing activities to fulfil their statutory duties”. These amendments clarify that organisations that manage public affairs must be authorised by laws and regulations, while also making clear that their data processing activities must be for the “performance of statutory duties”.

Finally, the chapter on legal liability reinforces the administrative penalties determined by the first review draft.

Shan Tao is a senior partner at ETR Law Firm

10 & 29/F, Chow Tai Fook Finance Centre

No.6 Zhujiang Dong Road, Tianhe District

Guangzhou 510623, China

Tel: +86 20 3718 1333

Fax: +86 20 3718 1388