13 July 2021
On 10 June 2021, the Data Security Law (DSL), which will become effective as of 1 September 2021, was adopted in China. The enactment of the DSL marks the introduction of China’s first fundamental law in the field of data security, which, together with the Cybersecurity Law and the upcoming Personal Information Protection Law, will lay a legal foundation for safeguarding national data security, promoting data utilisation and mitigating the risks of data processing activities.
“Data” is broadly defined under the DSL to include any record of information in electronic or any other form. This alert highlights the restrictions on data export under the DSL and their implications for multinationals operating in China. For clarity, such DSL restrictions do not apply to data stored in Hong Kong, which has judicial independence under the “One Country, Two Systems” concept. That said, data processing activities carried out outside the territory of the PRC that jeopardise China’s national security, the public interest or the lawful rights and interests of Chinese citizens or organisations shall be subject to the DSL, and legal liability shall be pursued against the offenders. Consequently, the DSL can have extraterritorial application and could also apply to activities undertaken in Hong Kong.
A penalty of up to RMB5 million may be imposed on unauthorised data export to overseas judicial or law enforcement agencies
Article 36 of the DSL prohibits any entity or person within the People’s Republic of China (PRC) from providing any data stored in the PRC to any foreign judicial or law enforcement agency without the approval of the competent PRC regulator. Compared with the similar restrictions contained in the Securities Law (2019 Revision) (which prevents the provision of documents and information relating to securities business activities to overseas regulators absent the approval of the PRC security regulator), and the International Criminal Judicial Assistance Law (2018) (which bars the provision of evidentiary materials to overseas organisations for use in criminal proceedings), the DSL has extended these restrictions to any kind of data to be produced by PRC parties (including the PRC subsidiaries of multinationals) in overseas civil and administrative proceedings. Multinationals in China may face a challenge in complying with conflicting rules in different jurisdictions, particularly when a multinational corporation is ordered by a foreign (e.g. US) civil court or enforcement agency to produce documents from China, while the restrictions on Chinese parties may affect the ability of the multinational to comply with the foreign legal requirements and/or defend itself during the foreign legal proceedings.
A fine ranging between RMB100,000 and RMB5 million may be imposed on a violating party, and a fine ranging between RMB10,000 and RMB500,000 may be imposed on the directly responsible person in charge and other directly responsible personnel of the violating entity. In serious circumstances, the violating party’s operations may be ordered to be suspended and its business license and/or operating permits may be revoked.
On the other hand, subject to going through strict approval procedures, the Chinese public security authority and/or national security authority may request that individuals and companies in China retrieve data when it is necessary for the maintenance of national security or to investigate a crime. Anyone who refuses to cooperate shall be ordered to rectify, given a warning, and may have a fine imposed from RMB50,000 to RMB500,000. Furthermore, a fine from RMB10,000 to RMB100,000 may be further imposed on the directly responsible person in charge and other directly responsible personnel of the violating entity.
A penalty of up to RMB10 million may be imposed on improper outbound cross-border transfers of important data
Important data likely refers to data closely related to national security, economic development and the public interest. However, official important data identification guidelines have not yet been issued. The DSL provides for a catalogue of important data to be compiled. The Cybersecurity Law, effective as of 1 January 2018, requires data localisation and security assessment on outbound transfers of important data by critical information infrastructure operators (CIIOs). It is, however, silent on whether non-CIIOs shall comply with similar obligations in respect of important data. Article 31 of the DSL echoes the Cybersecurity Law in providing that security management of outbound transfers of important data by CIIOs shall be governed by the Cybersecurity Law, and furthermore fills in gaps in the Cybersecurity Law by indicating that the outbound transfer of important data by non-CIIOs shall be governed by another set of rules on security management to be formulated by the national cyberspace authority. It appears that PRC companies need to be prepared to go through some sort of security assessment to export important data when it is necessary in the future.
A fine ranging between RMB100,000 and RMB10 million may be imposed on a violating party, and a fine ranging from RMB10,000 to RMB1 million may be imposed on the directly responsible person in charge and other directly responsible personnel. For a serious violation, the violating party’s operations may be ordered to be suspended and its business license and/or operation permits may be revoked.
It is advisable for multinationals to (i) review the necessity of data export and its involvement with important data (e.g. volume, scope, types, sensitivity etc.), (ii) conduct a risk assessment in respect of data localisation and routine cross-border data flows, and (iii) build a strategy for responding to potential overseas investigations.
Deacons will pay close attention to the release of subsequent legislation implementing the DSL and provide timely updates. For tailored measures and practical advice on managing risks in data compliance, please contact us.
For further information, please contact:
Joyce Mu, Legal Counsel, Deacons
joyce.mu@deacons.com.cn