When compared to the EU or the U.S., China has lacked a comprehensive data protection and data security law that regulates in detail the requirements and procedures relating to the collection, processing, control and storage of personal data. In recent years, China has seen developments on data protection both in legislation and in practice. Recently, another significant draft law on data security was issued by the Chinese legislative authority. From June 28 to June 30, 2020, the 20th Session of the 13th Standing Committee of the National People’s Congress of China (the “NPC”) deliberated on the draft of the Data Security Law (the “Draft”), and on July 3 published the Draft on the NPC’s official website for public comment. The public comment period for the Draft will end on August 16, 2020. It is expected that the Draft will be finalized within the year and that the regulatory requirements relating to data security eventually will be reflected in law in China.
The Draft includes seven sections and 55 articles in total, covering data security and industrial development, the data security regulatory system, data security protection obligations and government data security and access. We highlight the framework of the Draft below:
Scope
Section 1 of the Draft provides the applicable scope of the law. Under the Draft, “Data Activities” are defined as the collection, storage, processing, usage, provision and publicity of data that records information in electronic or non-electronic form. Section 1, Article 2 expressly stipulates that Data Activities conducted in China are subject to the Data Security Law, and that organizations and individuals outside of China conducting Data Activities that damage the national security or public interest of China, or the legal interests of citizens and organizations of China, will be held legally liable under the law as well.
According to Section 7 (Supplementary Articles), Data Activities involving national secrets will be subject to the Law on Keeping Confidentiality of State Secrets and other relevant administrative laws and regulations of China. The Central Military Commission will develop the measures regulating military Data Activities.
Promotion of Data Usage While Maintaining Data Security
Section 2 of the Draft generally illustrates that China insists on maintaining data security while promoting the usage of data, through (1) enhancing research of technology for data development and usage; (2) establishing a data security standardization system; (3) improving data security inspection, assessment and certification; (4) advancing a data transaction management system; and (5) facilitating education and training on data usage technology and data security in colleges, schools and enterprises.
Data Security Regulatory System
Section 3 of the Draft provides that data will be protected on a classified basis according to its level of importance, and that a unified, effective and official mechanism for data security risk assessment, reporting, sharing, monitoring and warning will be established. China also will develop a data security emergency response mechanism to mitigate damage, as well as a data security review system. A decision made in a security review will be final.
Section 3 also stipulates that China will impose export controls on data that falls into categories of controlled items. It further stipulates that China will take countermeasures when faced with other countries’ prohibitions, restrictions or similar measures taken with respect to trading and investment relating to data and/or technologies of data development and usage.
Data Security Protection Obligations
Section 4 of the Draft imposes multiple obligations with respect to conducting Data Activities, including:
- compliance with laws and regulations;
- improvement of a data security management system, establishment of data security education and training and technical and other necessary measures;
- favoring economic and social development and improvement of people’s happiness in line with social morality and ethics;
- enhancing risk inspection, taking remedial measures in case of data security defects or bugs, informing customers and reporting to regulatory authorities in case of security incidents;
- periodic risk assessment and reporting to the regulatory authorities by important data processors (of the categories, amount, collection, storage, processing, usage of the important data, along with security risks and countermeasures);
- legitimate methods to collect data, within necessity;
- requesting data source notification, reviewing identities of parties and keeping records by agents of data transactions;
- obtaining necessary legal permits or registration for specialized online data processors;
- cooperation by organizations and individuals during evidence collection by police and national security authorities in accordance with legal procedures; and
- reporting to competent Chinese regulatory authorities upon request by regulatory authorities abroad.
Government Data Security and Access
Section 5 of the Draft mainly provides the responsibilities and obligations of government authorities with respect to maintaining data security and publicity of government data (excluding those not open to the public), such as:
- e-government construction;
- compliance with laws and regulations;
- establishment and improvement of the data security management system;
- strict approval procedures for and supervision of government data storage and processing services by third parties;
- government data publicity in accordance with fairness, justice and convenience principles; and
- establishment of the Open Directory of Government Data.
Legal Liability
Section 6 of the Draft allows interviews of relevant organizations and individuals by regulatory authorities in the case of relatively large risks in Data Activities, and it requires relevant organizations and individuals to take necessary measures to remedy and mitigate those risks.
Organizations and individuals conducting Data Activities that fail to fulfill the data security protection obligations or to take necessary measures will be subject to correction orders, warnings or penalties ranging from 10,000 to 100,000 RMB (including penalties on individuals directly in charge ranging from 5,000 to 50,000 RMB) and, in the case of refusal to rectify or of serious consequences such as massive data leaks, penalties ranging from 100,000 to 1 million RMB (including penalties on individuals directly in charge ranging from 10,000 to 100,000 RMB).
Data transaction agents who fail to perform the relevant obligations, such as checking the legal source of the data to be traded and/or the identities of the trading parties, where such failure results in an illegal data transaction, may be subject to a correction order, confiscation of illegal gains, penalties and penalties on the individual directly in charge.
The Draft provides relatively general stipulations on data security, without the detailed regulations that would be referred to during practical enforcement. It is expected that once the Draft comes into force, it will constitute a significant part of China’s legal framework on data security.