Data Security Law of the People's Republic of China

In September 2021, the Data Security Law of the People's Republic of China (中华人民共和国数据安全法) came into force. In German, the law is often abbreviated as DSL (from the English: Data Security Law). Based on the Cybersecurity Law of the People's Republic of China, it defines legal requirements for handling data in general and places a special focus on national security. With regard to personal data, it is complemented by China's Personal Information Protection Law.

Important definitions of terms

• For the purposes of the Data Security Law, data is any record of information, in both electronic and other forms.
• The processing of data includes, among other things, its collection, storage, use, evaluation, transmission, provision and disclosure.
• Data security refers to the effective protection of data, the use of data exclusively for legal purposes and includes taking all necessary security measures.

Data is also divided into three categories:

• National core data falls into the highest category and includes all data related to national security and the Chinese economy, important aspects of Chinese citizens' livelihoods, and data that is at the forefront of public interest.
• Important data is one level below, but has not been specified yet. The data security law gives the Chinese authorities the task of publishing comprehensive catalogs of important data in their respective areas of responsibility. While this gives authorities in China great freedom in defining important data, no such catalogs have been published to date. Until this happens or there is case law, it is uncertain which data falls into this category.
• The lowest level is simply all the other data. Due to the lack of specification of important data, it is not clear what data is actually left for this category.

International data transfer

A large part of the data security law deals with the requirements of data transfers beyond the Chinese national borders. As soon as a company meets certain criteria, data may only be transferred abroad if a corresponding security check has been carried out in advance. With the publication of the "Measures for Outbound Data Transfer Security Assessment" (据出境安全评估办法) in July 2022, these criteria were defined more precisely. A company must therefore undergo a security check for international data transfers, provided that

• important data, as defined by the Data Security Law, are transferred abroad,
• the company operates critical information infrastructure as defined in the Cybersecurity Law,
• or the company is working with personal data of more than one million people and this is to be made available abroad.

In addition, the Chinese Cybersecurity Bureau reserves the right to order a security audit for any company's international data transfer at any time, at its own discretion.

If a company is already transferring data abroad and meets one of these criteria, the security check must be completed by September 2022. However, due to the lack of catalogs for defining important data, it is still unclear which companies meet the first criterion at all and, more importantly, who is not affected by it.

There are also special regulations for the transfer of data recorded in China to foreign judicial and law enforcement authorities. The Data Security Law prohibits the direct transfer of data to such authorities, regardless of the category in which the associated data falls, across the board. Instead, prior approval must be obtained from the relevant authorities in China. However, it is also not currently defined which authorities are responsible for such a permit.

Subsequent processing of data

Companies that obtain data from other companies and process it for their own purposes are also subject to the provisions of the Data Security Law. In particular, such companies must have their data suppliers explain the data's source. At the same time, the identity of the data supplier must be checked and verified, and all transactions with a data supplier must be documented and traceable.

Safety precautions

All Chinese companies are required to implement and continuously improve data security systems. As soon as a security issue is identified in one's own systems, countermeasures must be taken immediately. In case of a data breach, both the affected users and the Chinese authorities must be informed immediately.

Companies that work with at least important data must also appoint a data security officer or set up a team responsible for this. In addition, regular risk assessments must be carried out, and the results must be made available to the responsible authorities. These risk assessments must include, among other things, the category and amount of data being worked with, the type of data processing, whether security issues were discovered and what countermeasures were taken.

Fines

Companies that do not comply with the provisions of the Data Security Law face fines of up to 10 million RMB (almost 1.4 million euros) and the withdrawal of the Chinese company license. The extend of the fine depends on what category of data the company is working with.

Unsure how China's Data Security Law affects you?

With several years of experience in hosting a wide variety of websites, web shops and web applications, including booking platforms or online expos, in China, weber.cloud China will be happy to help you with your questions. Our experts will be happy to advise you on operating your website in China and all related topics. If you have more in-depth legal questions, we can also put you in touch with our English-speaking partner lawyers in China.

Sounds exciting? Simply get in touch with us.

The contents of this article have been compiled with the greatest possible care and to the best of our knowledge. However, weber.digital GmbH does not assume any liability for the topicality, correctness, completeness or quality of the information provided. Any liability for damages arising directly or indirectly from the use of our knowledgebase is excluded, unless caused by intent or gross negligence.

Our knowledgebase contains external links to other websites over whose content we have no influence. For this reason, weber.digital GmbH cannot accept any liability for these contents. The respective provider of the linked website is responsible for the content and correctness of the information provided. At the time of linking, no legal violations were recognizable. If such an infringement becomes known, the link will be removed immediately.