Data Security Law of the People's Republic of China
Posted by Marc Füßlein, Last modified by Matthias Haarmann on 19 January 2023 12:27
In September 2021, the Data Security Law of the People's Republic of China (中华人民共和国数据安全法) came into force. In German, the law is often abbreviated as DSL (from the English: Data Security Law). Based on the Cybersecurity Law of the People's Republic of China, it defines legal requirements for handling data in general and places a special focus on national security. With regard to personal data, it is complemented by China's Personal Information Protection Law.
Important definitions of terms
Data is also divided into three categories:
International data transfer
A large part of the Data Security Law deals with the requirements for data transfers beyond the Chinese national borders. As soon as a company meets certain criteria, data may only be transferred abroad if a corresponding security assessment has been carried out in advance. With the publication of the "Measures for Outbound Data Transfer Security Assessment" (数据出境安全评估办法) in July 2022, these criteria were defined more precisely. A company must therefore undergo a security assessment for international data transfers, provided that
In addition, the Chinese Cybersecurity Bureau reserves the right to order a security audit for any company's international data transfer at any time, at its own discretion.
If a company is already transferring data abroad and meets one of these criteria, the security assessment must be completed by September 2022. However, because the catalogs that define "important data" have not yet been published, it is still unclear which companies meet the first criterion at all and, more importantly, which companies are not affected by it.
There are also special regulations for the transfer of data recorded in China to foreign judicial and law enforcement authorities. The Data Security Law prohibits the direct transfer of data to such authorities across the board, regardless of the category into which the data falls. Instead, prior approval must be obtained from the relevant authorities in China. However, it is also not currently defined which authorities are responsible for granting such approval.
Subsequent processing of data
Companies that obtain data from other companies and process it for their own purposes are also subject to the provisions of the Data Security Law. In particular, such companies must have their data suppliers explain the data's source. At the same time, the identity of the data supplier must be checked and verified, and all transactions with a data supplier must be documented and traceable.
All Chinese companies are required to implement and continuously improve data security systems. As soon as a security issue is identified in one's own systems, countermeasures must be taken immediately. In case of a data breach, both the affected users and the Chinese authorities must be informed immediately.
Companies that work with data classified as at least "important" must also appoint a data security officer or set up a team responsible for data security. In addition, regular risk assessments must be carried out, and the results must be made available to the responsible authorities. These risk assessments must cover, among other things, the category and amount of data being processed, the type of data processing, whether security issues were discovered, and what countermeasures were taken.
Companies that do not comply with the provisions of the Data Security Law face fines of up to 10 million RMB (almost 1.4 million euros) and the withdrawal of their Chinese company license. The extent of the fine depends on the category of data the company is working with.