In a summer that saw China enact a national security law for Hong Kong, and mount a response to several secondary outbreaks of COVID-19, it is understandable that China watchers largely overlooked the otherwise uneventful decision last July by the National People’s Congress’ Standing Committee to table the Draft Data Security Law for review and commentary. Generally, once a draft law is opened for review, it is only a matter of time before it is passed into law. Indeed, the general expectation is that a data security law will be enacted by the Congress and come into force by the end of the year. It should first be noted that this is a draft law; the final version may be different from the current form. Nevertheless, the likelihood is that there will not be much difference between the final law and the draft law.
While discussions of the data security law might lack the media attention of the summer’s other issues, it nevertheless is a topic of fundamental importance to a modern information society. The Standing Committee’s decision is likely to eventually prove itself every bit as important and fundamental to China, and the world, as the national security law. With the ever-growing importance of information nowadays, few if any activities can be conducted effectively without data. Consequently, as the value of data increases, it has become fundamental for any business using data to ensure it is secure.
In the past, the duty of protecting one’s data was left to the two parties directly involved. On the one hand, data processors — including those companies that collect and/or analyze information — were considered capable of implementing data security protection. On the other hand, the public was also deemed capable enough to understand the importance of data security, and individually take the necessary steps to stop or mitigate negative effects. The problem, however, is that both data processors and users have proven unable or unwilling to voluntarily protect their customers or themselves. The Draft Data Security Law overcomes the gap in data protection by instituting a top-down, government promulgated mandate on data processors to protect their client’s data.
The enactment of a data security law has one essential implication for international businesses operating in China – if it is collecting data, it will likely come under the law’s jurisdiction. Before the tabling of the law personal identifiable data, including as a person’s birth date, address, telephone number, and credit card purchase history was not strictly regulated. Indeed, organizations and individuals with access could make a substantial profit in trafficking in such information.
This is in stark contrast to data that the Chinese government has deemed important to its national and military interests. While the Chinese government has taken significant steps to ensure the security of military and national security efforts, prior to last July it had shown less interest in protecting the consumer and personal data of Chinese citizens. Consumer and personal data security, at that time, was largely obtained or implemented by (1) a patchwork of federal, provincial, and local regulations that were inconsistently applied, and/or (2) the data security policies, provisions, and good intentions of individual organizations. In such an environment of dueling policies, or no policies at all, it is not surprising to find a number of domestic and international ventures in China are operating in a manner where data security is not a priority.
The Draft Data Security will finally upgrade the protection of consumer and personal data to the comparable level of importance afforded to military and national data. That is, ostensibly, once the law is passed, citizens will have legal recourse when their consumer or personal data is stolen, misused, or otherwise corrupted. To accomplish this, the law will impose control and order on the consumer and personal data market to an extent never been experienced. As such, the enactment of the Draft Data Security Law, as with the 2017 Cybersecurity Law and the 2019 Encryption Law before it, means that most companies doing business in China need to acquire an understanding of its requirements or risk being found in violation of the law. More relevantly, the law will likely mean that the Chinese government will use the law to seek retribution in the name of the victim, and China’s interests.
One of the most obvious concerns of an international organization doing business in China is whether the law will apply to them. Under Article 25 of the law, any organization or individual “conducting data activities” will be required to take all necessary steps to ensure data security is achieved. Data activities are defined in the draft law as “data collection, storage, processing, use, provision, transaction, publication, and other activities” (Article 3). Data security moreover is defined as the “ability to adopt necessary measures to ensure data is effectively protected and lawfully used and remains continually secure in the state” (Article 3). The broad language of the law suggests if a business is obtaining and/or using consumer data in China, or of Chinese citizens and/or organizations, then the Chinese government will believe the law applies.
However, while the jurisdiction of domestic laws is normally assumed to only extend to a country’s borders, the language of the Draft Data Security Law suggests that it has an extra-territorial scope. Indeed, Article 2 states that jurisdiction extends to “organizations and individuals outside of” China who engage in data activities that harm China’s national security or the public interest of the Chinese people. While it is not clear how China can or will punish extra-territorial violations of the law, it does have a range of political and economic options to choose from — including fines, sanctions, and condemnation leveled against any organization/individual violating the law.
All data is not the same under the draft law. That is, the severity or strictness of any data protection required under the law will depend on how important or essential the data is deemed to be (Article 19). However, the law does not set out how data should be classified. Instead, it requires each province and/or government department to set up data importance classifications, as well as the appropriate level of protective measures are required for each classification (Article 19). Naturally, this means an international business operating in several jurisdictions in China will need to understand and comply with the different data security regulations, as well as the data security requirements of all relevant government departments. If these multiple levels of government oversight are not enough, the law further provides that the central government will retain ultimate authoritative supervision over all data security regulations.
One requirement international organizations should understand as likely to occur, regardless of where they are located (and whom they are connected with), is the government’s demand to access information when necessary, such as in a criminal investigation. Under Article 32, as long as the police or other law enforcement agency adhere to relevant law and procedures vis-à-vis a request to access data, data holders will be obliged to cooperate. Conversely, under Article 33, if an international organization, such as a foreign police authority, seeks access to data located in China, data holders must first get government approval before releasing any data to the foreign party.
With the Draft Data Security Law, the Chinese government is making clear its intention to finally, and comprehensively, enter into and manage the nation’s burgeoning market in data. This provides a means to protect both the public as well as the state’s data interests. It also suggests that the government deems the data market developed enough to be a benefit to the nation in and of itself.
Interestingly, the law also includes provisions that encourage the development of a market for data. No doubt, this is in response to the fact that China has one of the largest and most developed markets for data, thanks to such commonly used apps as WeChat and Alipay. Indeed, under the law, data trading, otherwise known as the selling and buying of data, is not only deemed legal but is encouraged. That is to say, as long as an enterprise follows the requirements of the law, such as explaining the source of the data, it can legally market the consumer and personal data it has obtained.
These are just some of the preliminary issues the draft law creates. It would be wise for international organizations doing business in China to stay up to date on this law as it makes its way through the legislative process.
Marcel Green is an attorney and legal researcher specializing in American and Chinese criminal law.