China publishes Draft Data Security Law (《数据安全法(草案)》)

  • China
  • Privacy, data protection and cybersecurity
  • Technology

14-08-2020

The Standing Committee of the National People’s Congress of China published the Draft Data Security Law (“Draft DSL”) for public comment on 3 July 2020. If you process data of residents or organisations in the People’s Republic of China (“PRC”), there are a number of recent developments in the Draft DSL which will likely impact your business operations in the PRC.

The Data Security Law will be the first piece of legislation that lays out fundamental principles specific to data security in the PRC. Once enacted and implemented, the Data Security Law will work alongside the PRC's existing Cybersecurity Law (“CSL”) (which is specific to network security) to set out a robust legislative framework to protect data (in both electronic and physical forms) and regulate network infrastructure and services.

Importantly, the Draft DSL provides that:

  • it applies to both PRC and overseas entities (i.e. it has extra-territorial effect). Irrespective of whether the organisation is a PRC incorporated entity, a wholly foreign-owned enterprise (WFOE) or a foreign company collecting data from PRC data subjects, the Draft DSL will apply to data activities that may harm the PRC's national security, public interests, or the legal rights of PRC citizens and organisations.
  • if an organisation processes “important data”, it is required to appoint a data security officer. Further, organisations also need to establish a data management body, regularly carry out risk assessments in relation to their data processing activities and submit assessment reports to the relevant supervisory authorities.
  • if an organisation operates an online data processing service business, it is required to obtain a relevant business licence. Details of such licence will be announced by the Ministry of Industry and Information Technology.
  • organisations need to obtain official approval before providing overseas regulatory authorities with requested data from or stored in the PRC. In fact, upon receiving a request from an overseas regulatory authority for such data, the organisation is required to report this request to the relevant supervisory authority in the PRC.
  • the relevant authority may request an “in-person consultation” for the purpose of exercising its supervisory obligations. Organisations should also take remedial measures to eliminate data security vulnerabilities as requested by the relevant authority.
  • catalogues on important data protection will be created by local authorities. Such catalogues will provide further guidance on the scope of important data. Currently, there is no definition of important data under the CSL or Draft DSL.
  • a new data grading and classification system will be established. Such system will grade and classify data according to the impact on national security, the public interest, and the lawful rights and interests of Chinese citizens or organisations if the data is falsified, destroyed, leaked, illegally retrieved or illegally used.

Under the Draft DSL, non-compliance will be subject to a range of sanctions, including (but not limited to) correction orders, warnings, revocation of business operation licences, confiscation of profits arising from illegal data activities, a fine of up to RMB1 million (if no profits are made from illegal data activities), or a fine equal to ten times the profits arising from illegal data activities (if any). Furthermore, implicated individuals may also be subject to a fine of up to RMB100,000.

The public comment period for the Draft DSL ends on 16 August 2020.

The Draft DSL can be found here (in Chinese).

For more detailed advice about what the Draft DSL could possibly mean for you, please contact us.


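The Standing Committee of China's National People's Congress published the Draft Data Security Law (“Draft DSL”) on 3 July 2020 to seek public comment. If you process data of residents or organisations of the People's Republic of China (“China”), a number of new provisions in the Draft DSL are very likely to affect your business operations in China.

The Data Security Law will be China's first law to set out fundamental principles specific to data security. Once formally promulgated and implemented, the Data Security Law will, together with China's existing Cybersecurity Law (“CSL”) (which addresses network security), form a robust legal framework for data protection (covering both electronic and physical data) and for network infrastructure and services.

The key proposals of the Draft DSL are as follows:

  • It applies to entities both in China and overseas (i.e. it has extra-territorial effect). Whether the organisation is an entity incorporated in China, a wholly foreign-owned enterprise or a foreign company collecting data from data subjects in China, the Draft DSL will apply to data activities that may harm China's national security, public interests, or the lawful rights and interests of Chinese citizens and organisations.
  • Organisations that process “important data” must appoint a person responsible for data security. In addition, such organisations must establish a data management body, regularly carry out risk assessments of their data activities, and submit risk assessment reports to the relevant supervisory authorities.
  • Organisations operating online data processing services must obtain a business licence or complete a filing. The telecommunications authority will publish the details separately.
  • Where an overseas law enforcement agency requires an organisation to provide data from China or stored within China, the organisation may provide it only after obtaining approval from the relevant supervisory authority. Once an organisation receives a data request from an overseas law enforcement agency, it must report the request to the relevant supervisory authority in China.
  • In order to perform its data security supervisory duties, the relevant supervisory authority may summon the organisations and individuals concerned for a consultation. You should also take remedial measures as required by the relevant supervisory authority to eliminate data security risks.
  • Regional authorities and departments will draw up catalogues for the protection of important data. These catalogues will provide further guidance on the scope of important data. Neither the CSL nor the Draft DSL currently gives a clear definition of important data.
  • China will implement a new graded and classified data protection system. The system will grade and classify data according to the degree of harm that would be caused to national security, public interests, or the lawful rights and interests of Chinese citizens and organisations if the data were tampered with, destroyed, leaked, illegally obtained or illegally used.

Under the Draft DSL, violations may be subject to a range of sanctions. These sanctions include (but are not limited to) being ordered by the relevant supervisory authority to make corrections, warnings, revocation of the relevant business permits or business licence, confiscation of illegal gains, and a fine of up to RMB 1 million (if no profit was made from the illegal data activities) or of ten times the illegal gains (if any). The responsible personnel may also be fined up to RMB 100,000.

The public consultation period for the Draft DSL will end on 16 August 2020.

Click to read the full text of the Draft DSL (available in Chinese only).

If you would like to know more about how the Draft DSL may affect you, please contact us.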