China’s top lawmaking body has passed a sweeping data law that further enhances the government’s authority and promises hefty punishments for any transgressions as Beijing continues to rein in Big Tech and impose its sovereignty over data produced in the country.
Under China’s new Data Security Law, passed on Thursday, companies that transfer the state’s “core data” overseas without proper approval from Beijing will face a penalty of up to 10 million yuan (US$1.56 million) and could be forced to shut down, a penalty that didn’t exist in an earlier draft version of the law that was submitted for review in April.
Fines for companies that hand over “important data” to a foreign judiciary or law enforcement agency without prior approval were raised to 5 million yuan, from the 1 million yuan in the draft version of the law.
“Data is a country’s basic strategic resource. Without data security there is no national security,” the Cyberspace Administration of China wrote in a release published on Thursday.
“With the Chinese mainland and Hong Kong SAR accounting for about a quarter of global cross-border data flows, this law is clearly seeking to elevate data security to the top of mainland China’s legislative agenda,” said Alex Roberts, TMT counsel at Linklaters law firm.
By treating data as a national security issue, the law now shields domestically stored data from the long arm of US jurisdiction.
In 2018, former US president Donald Trump signed into law the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which enables US law enforcement agencies to demand access to online information no matter what country the data is stored in, a power that could conflict with China’s Data Security Law.
However, the new data security law will make it more difficult for companies, especially those with cross-border operations, to navigate an increasingly complicated regulatory environment and gives them little time to prepare as it is set to come into effect on September 1.
“The bottom line is that all businesses will need to adapt quickly as best as they can. Organisations have only been given a little over two and a half months before the law goes live,” said Roberts.
The new law broadly defines “core data” as any data that concerns national and economic security, people’s welfare, and important public interest. No definition was given for “important data”, but the new law did call for the establishment of a data classification system, which will then address the issue in practice.
“The description of the types of core data [in the law] is very consistent with the existing positioning of major state-owned enterprises,” said Xia Hailong, lawyer at Shanghai Shenlun. “So it can be roughly understood that core data is from the industries in which SOEs operate.”
The Data Security Law also asks companies to improve their data protection practices. Companies that fail to protect their data and cause large-scale data leaks will face a fine of up to 2 million yuan.
“[The new law] imposes wide-ranging obligations on any person or entity handling Chinese data, imposes penalties for failure to safeguard that data, and essentially will make it more difficult to transfer data outside of China,” said Paul Haswell, partner at Pinsent Masons law firm. “I expect to see heavy repercussions for any organisation deemed not to be handling Chinese data in accordance with the law, and this will include overseas companies.”
Beijing is hoping to have the digital sector play a bigger part in the country’s economy, and is trying to establish a data governance regime that strikes a balance between strong government control, a healthy market for data and protection of consumer privacy. Last April, the government classified data as a factor of production, along with capital, labour and land, aiming to help data better circulate in the digital economy.
The Data Security Law also seeks to set a framework for the creation of a viable data market, lawyers say. The law, for instance, calls for the establishment of a data trading management system. Data services, including data brokerages, will now see faster development, said Shenlun law firm’s Xia.
But legal experts say that the law so far only sets a broad framework for the governance of data, and that corresponding regulations are still needed. Companies also need to wait and see how it is applied in practice.
“The law calls on top government agencies to formulate national data security strategies, policies and coordinate a comprehensive data governance system across regions and industry departments,” said Roberts. “However, organisations will need to wait for implementation rules to understand what this means in practice.”