New Data Security Law Adopted

Read more in our current article “Status quo of data regulation in China – What you should do now”.

On 11 June 2021, the Standing Committee of the National People's Congress adopted the draft of the Data Security Law (DSG). The law will come into force in September. In particular, the law aims to restrict the unregulated disclosure and dissemination of data closely related to key national information and people's livelihoods.

The law regulates and amplifies China's regulations relating to network and information security and the security of personal data. The law applies to data processing and data security monitoring within China. Nevertheless, the law also has extraterritorial applicability in the case of data processing that could harm China's national security or public interests. In such a case, legal sanctions may be imposed.

Among other things, the law stipulates that the provisions of the Cyber Security Law (CSL) shall apply to the security management when exporting data collected or produced by operators of critical information infrastructures within the territory of China. In addition, the law provides for the introduction of a centralized and unified procedure with respect to security assessment ("Security Assessment").

The law further substantiates the already existing provisions in the CSL regarding the location of storage of data collected in China ("Data Localization"). International companies with branches in China are required to store their data collected in China, which is also subject to supervision by the competent authorities.

The law provides for sanctions for violations ranging from fines to, in severe cases, revocation of the business license. Sanctions from other laws infringed by the same violation (e.g. CSL), may be added.

A key point is that the law provides for a uniform procedure for the so-called security assessment. This review, which is already stipulated in the CSL, has so far caused considerable uncertainty, as specific requirements for companies have not been adequately specified.

In addition, the draft of another law, the "Law on the Protection of Personal Data", is currently under discussion. The development of the legal environment in this area is, after all, very extraordinary. We will monitor and analyze the development of the legal framework and the regulatory interaction of the different laws and identify the relevant conclusions and recommendations for action for companies in China.