China’s Data Security Law (DSL) was officially ratified by China’s national legislature on June 10, 2021, over a year after its introduction and following two versions and three reviews. Billed as the world’s most stringent data protection law, it went into effect on September 1, 2021. With the introduction of the DSL, China has established a sophisticated, comprehensive data protection regime that focuses on the processing and protection of all forms of data while also laying strong foundations for China’s national security development and welfare. The most cutting-edge aspect of this legislation is the hierarchical classification of data based on its importance to Chinese national security; categorization and protection are carried out based on that importance. The DSL’s broad extraterritorial scope also requires international organizations that collect any kind of data in or with China to follow the newly established rules.

The DSL is structured so that it can work in tandem with China’s Cybersecurity Law 2017 and the Personal Information Protection Law 2021 to develop world-class cybersecurity and data protection regulations that will be pushed to become gold standards in their respective fields. The DSL describes how companies must manage and handle their data, focusing solely on the processing operations of companies, whether foreign or domestic, that collect and process data and have their main establishment within China’s territorial limits. The DSL is projected to have a substantial influence on firms’ current data processing activities, as well as their business operations in China, because the new laws are stricter, with punitive penalties that include criminal culpability as well as heavy fines. Like every other piece of legislation in China, the DSL is plain, hard-hitting, and carries heavy punishments for anyone who breaks it.
China is the world’s second-largest economy, and it is moving toward a future infused with AI and a fully digital experience. When a government has such a lofty goal, it must ensure that suitable safeguards and regulations are in place, but China has failed to protect its citizens from cyber-attacks due to a lack of cybersecurity rules and data privacy laws. In the CSDN incident, China’s largest software programmers’ website was hacked, exposing the personal information of over 6 million users. In another incident, Tianya, China’s largest online forum, was hacked, exposing the account information of more than 40 million users. Several famous websites, including 7k7k Games, 360buy, Duowan, and Dangdang, were also hacked, exposing millions of customers’ personal information and even databases containing personal information. China’s reliance on technology is rising fast, and when a nation as large as China relies on technology, it is the government’s job to provide data security and secure residents’ information. China developed the DSL after taking all of these factors into account. One of the criticisms leveled at the DSL is that it was rushed, as the entire law was only given two months to implement. However, the DSL prioritizes China’s core interests of national security, public interest, and national economy, and any data processing, collection, storage, usage, disclosure, or publication relating to these subjects will be subject to the DSL’s strict surveillance. The DSL was released to the public for reviews and comments in July 2020 and April 2021, before its passage in July 2021.
There were minimal changes, but there were a few enhancements in terms of the penalty for violation, which was increased. The DSL has been in effect since September 2021, and enterprises in China have been working hard to ensure compliance with the regulation.
The DSL focuses completely or primarily on assuring safe and proper processing activities by enterprises operating in China, and the following are some of the DSL’s important highlights.
The DSL has a broad scope, but its primary goal is to safeguard citizens’ rights and interests, maintain a high degree of data security, design data usage regulations, and secure national security and sovereignty. The DSL will operate as a security monitor for all data processing activities carried out by firms within China’s borders. The scope of the DSL also grants the state the right to exercise extraterritoriality only if it is discovered that any data relating to China has been processed outside of China and poses a threat to its national security. The concept of data, according to the DSL, includes any type of information, whether created electronically, in hard copy, or in other formats. Data processing, on the other hand, is a broad term that, according to the DSL, encompasses all actions such as data collection, usage, storage, transmission, publishing, and disclosure. Even though the DSL has defined Data, Data Processing, and National Core Data, it has left the enormous work of defining Important Data to the native regulators in each sector.
CLASSIFICATION OF DATA
With the DSL, the world’s first data classification system was introduced. Data will be classified based on the level of threat or damage it poses to China’s national security, economy, and public interest in the event of a data breach. If the data is close to or falls within the scope of these three categories, data management, processing activities, and data protection must be carried out with extreme caution, as the requirements will be stricter and the consequences harsher in the event of any breach. These tight requirements apply most heavily to the “National Core Data” and “Important Data” categories.
National Core Data
National core data is any data that is directly or indirectly related to national security, national economy, or the public interest, and it is subject to stronger laws.
This notion was first proposed in the Cybersecurity Law and has since been incorporated into the DSL. Companies must take the necessary steps to hire a reasonable person and set up a data protection department to conduct periodic risk assessments and report the results to the competent authorities.
The cross-border transmission of data affects every country, not just China. With the deployment of the DSL, the methods and management of cross-border transfers were made stricter and classified into multiple standards. The data acquired within China by Critical Information Infrastructure Operators (CIIOs) is governed by the CSL 2017 and must be stored within China’s territorial limits in the event of a cross-border transfer of significant data. When the time comes for cross-border transfer, the Cyberspace Administration of China (CAC) and the relevant departments appointed by the State Council must complete a prior security assessment. The DSL further forbids the transfer of any data held in China to law enforcement or judicial officials outside of China without the Chinese government’s prior authorization. If data is transferred without permission, it can result in the suspension of business licenses or the imposition of severe penalties. The DSL has produced a schism among enterprises based in China that provide services to data subjects in the European Union, because they must also comply with the EU GDPR. However, before transmitting any data outside of China, the DSL requires such enterprises to acquire prior consent from the relevant Chinese government authorities.
Penalties include suspension of company licenses, criminal penalties, and fines of up to RMB 10 million; any individual found guilty of any form of data breach may be punished with up to RMB 10 million in addition to criminal charges. If any specific responsibilities are not met, a warning may be issued together with an order to fix the breach within a certain time frame, or a fine of between RMB 50,000 and RMB 75,000 may be applied.
In the not-too-distant future, the true impact of the DSL will be revealed. Because the law was only passed a few months ago, it is too early to predict how it will affect businesses. However, one thing is certain: the DSL will almost certainly have a greater impact on domestic IT giants than on international enterprises, and with the rigorous cross-border transfer laws, this will take more time and potentially harm businesses in the long term. The DSL is a new addition to the world’s list of data protection laws, and it is indeed complex in character and punitive in terms of requirements toward its native enterprises, all in the name of protecting national security and promoting openness.