China Passes Data Security Law in Bid to Stamp Out Breaches, Misuse
China has passed the Data Security Law, the latest addition to the regulatory framework for the country’s fast-growing digital economy, strengthening the current protection regime, whose shortcomings in preventing data breaches have been repeatedly exposed.
The legislation was approved Thursday by the Standing Committee of the National People’s Congress and will come into force by the end of this year. Beijing is speeding up efforts to boost its digital economy under the 14th Five-Year Plan, setting higher GDP contribution targets for digital industries, according to the state-run Xinhua News Agency.
China’s digital economy was worth 39.2 trillion yuan ($6.1 trillion) in 2020, accounting for 38.6% of GDP, 2.4 percentage points higher than a year earlier, according to an April white paper published by the state-backed China Academy of Information and Communications Technology.
The Ministry of Industry and Information Technology, China’s top telecom regulator, last month ordered the removal of 90 mobile applications from various app stores, citing violations of users’ rights, as regulators step up scrutiny of tech companies’ handling of users’ data after a raft of high-profile breaches sparked public outcry.
The new law will play an important role in protecting national security, promoting the development of the digital economy and safeguarding people’s legitimate rights and interests, Xinhua said.
What kind of data does the Data Security Law cover and who can classify data?
According to Article 3 of the law, “data” refers to any record of information stored in electronic or other formats.
Data related to national security, the so-called “lifeblood of the national economy” — which includes sectors that significantly affect societal and national economic development such as high tech and pillar industries — and important matters related to the people’s livelihood and issues of major public interest are defined as “national core data.”
A stricter management system should be implemented for this category of data, according to Article 21.
In addition, the law allows individual regions, industries, and government departments to designate their own catalog of important data for protection and entrusts them to ensure it is secure, the article says.
A classification system will be established for the level of data protection required, which depends on the potential severity of harm inflicted on national security, the public interest, or the lawful rights and interests of citizens or organizations if the data is altered, destroyed, leaked, or illegally obtained or used, according to the law.
However, it doesn’t state which kinds of data are classified as important.
How will it work with the existing Network Security Law and the proposed Personal Information Protection Law?
The law requires companies or individuals engaged in data processing activities via the internet and other networks to protect data security on the basis of China’s existing network security system, according to Article 27, which is in line with the Network Security Law.
However, it does not specify to what extent the Data Security Law will complement the proposed Personal Information Protection Law, which focuses more on the security of personal information.
Who will conduct the national security review of data processing? How will this be carried out?
According to Article 24, the state will establish a review system to conduct national security reviews of data processing activities that affect or might affect data security. The law did not specify which government authority will be responsible for this task.
The final security review decisions will be made in accordance with the law, it said.
Wang Xizi, professor of administrative law at Peking University, has previously pointed out that the subject of such a security review and the criteria to decide whether data activities affect national security are both unclear under the draft. These two points remain unclear under the newly published law.
The law didn’t elaborate on the review method, but some have suggested a specific mechanism for businesses, especially for trans-regional and cross-industry companies.
Xu Ke, executive director of the Internet Rule of Law Research Center at Beijing’s University of International Business and Economics, has also called for the establishment of a dispute resolution mechanism. If local authorities make a wrong or unfair security decision, affected businesses should have the right to administrative review by a higher-level authority, Xu said.
Contact reporter Wang Xintong (xintongwang@caixin.com) and editor Lu Zhenhua (zhenhualu@caixin.com)