Switzerland Update: China’s Data Security Law enters into force on September 1, 2021
31/08/2021
The essential role of data in economic development, social governance and people’s daily life has become more and more prominent in China and, in the meantime, data security has become a big concern for national security as well as for economic and social development. As a legislative response, China has passed the Data Security Law (“the Law”), which sets the general legal framework for data security in China. The Law will enter into force on 1 September 2021.
Broad scope of application
Although the Law does not apply to data activities involving state secrets or military data, it still has a broad scope of coverage: the whole life cycle (including collection, storage, use, processing, transmission, provision, disclosure etc.) of information concerning all aspects of life and business, and it is not limited to the electronic form. The Law applies to data processing within China, as well as extraterritorially when domestic interests of China are harmed. Therefore, both companies and individuals, Chinese or foreign, especially those with ties in and to China, are at least to some extent subject to the Law.
Regulatory system: multiple actors
First, a leading authority at the state level is responsible for decision-making, developing strategies and policies, and overall coordination; a national data security work coordination mechanism shall be established. Second, local competent authorities in various sectors are responsible for data collected and generated in their work as well as for the relevant data security. Last but not least, the relevant industrial organizations shall formulate codes of conduct and standards for data security. Therefore, depending on the specific industry or region involved, it may be advisable for companies and individuals to follow up on the applicable regulatory rules at multiple levels. For example, Shenzhen has passed the local Data Regulation, which will enter into force on 1 January 2022. Overall, joint participation among the above-mentioned actors as well as companies, individuals, research institutes etc. to protect data security is being actively promoted by the Law.
Data security and development – mutual support
Data security and protection do not mean segmentation or stagnation. Data security should ensure data development and use as well as industrial development, while the latter should simultaneously promote the former. Relevant supporting measures in the Law include the implementation of a big data strategy, construction of data infrastructure, development of the digital economy, improvement of intelligent public services especially for the elderly and the handicapped, support for relevant technological promotion and commercial innovation, establishment of relevant standards, promotion of data transactions, support of education and training on data technologies and data security etc.
Data security systems: various aspects covered and supporting rules to be put in place
As the primary legislation in the area of data security, the Law establishes a series of systems for data security:
Classified and hierarchical data protection system
The classification and hierarchy are established according to the importance of data to economic and social development, as well as the severity of damage if the data are tampered with, destroyed, leaked, or illegally obtained or used. For important data, catalogs are (to be) produced at national as well as local and sectoral levels. For core data, a more stringent management mechanism shall apply. Companies and individuals should keep a close eye on these catalogs and the associated supporting rules or measures for important data and core data.
Mechanisms for data security risk assessment and control & emergency response
A mechanism involving risk assessment, reporting, information sharing, supervision and warning shall be established in China. It is to be centralized, efficient and authoritative, and relevant work will be coordinated at the state level. Details as well as measures for implementation of the mechanism, not specified in the Law, should be closely followed. Measures are to be adopted to cover data security incidents, contingency plans and corresponding emergency response.
Data security review system
For data processing activities that affect or may affect national security, security reviews will be conducted. The security review decisions, made according to law, are final. Therefore, for such decisions, neither a further administrative review nor a court complaint can be filed. Also, supporting measures for implementation of the system are to be carefully observed.
Countermeasure mechanism
For data-related trade or investment, China may take countermeasures against other countries or regions that take prohibitive, restrictive or other similar measures of a discriminatory nature against China.
Data security protection obligations: framework provided and implementation guidance on compliance to be put in place
Companies are advised to maintain and to improve corporate measures on data security protection, taking into account the obligations stated in the Law; in the meantime, it is essential to be attentive to implementation rules, guidance or measures which most probably will be provided by the relevant competent authorities.
Data security protection
Companies must have a data security management system in place, organize and conduct data security education and training, and identify responsible persons and management bodies for important data.
Risk supervision and emergency response
Companies are required to strengthen risk supervision, take remedial measures immediately when there is a risk, deal with data security incidents immediately by taking responding measures, inform users and report to competent authorities. For important data, risk assessment must be conducted regularly and risk assessment reports submitted to the competent authorities.
Cooperation with authorities to provide data for national security and criminal investigation purposes
When public security authorities and national security authorities, following strict approval procedures, need access to data in order to safeguard national security or to conduct criminal investigations, the relevant companies and individuals must cooperate.
Various obligations
Everyone must only obtain data by legal and proper means. Additionally, data transaction intermediary service providers must require the data providers to explain their data source, verify the identities of both parties involved, and keep records of verification and transactions.
Data export administration: additional rules to come
The Law regulates data export, and promotes a secure and free flow of data across borders. It is noteworthy that companies must check the data at hand: Are they controlled items? Are they important or core data? Finding the answers requires reference to additional laws and regulations, since the Law itself is not specific on this point.
Data export control mechanism and security management
China applies export control on data identified as controlled items. Important data collected and generated by operators of key information infrastructure during their operations in China must be stored in China, and for any necessary export due to business needs, security assessment must generally be carried out beforehand. Cross-border transfers of important data collected and generated by other operators during their operations in China will be subject to administrative measures to be set by the relevant Chinese authorities.
Provision of data to foreign judicial and law enforcement authorities
Chinese authorities handle the requests from foreign authorities for providing data according to Chinese laws and international treaties or relevant agreements, as well as the principle of equality and mutual benefit.
Without approval from competent authorities, no one in China is permitted to provide foreign judicial or law enforcement authorities with any data stored in China.
Legal liabilities
Companies and individuals bear the following possible legal liabilities for violation of the Law, depending on the specific case: receiving warnings from and being interviewed by competent authorities; taking corrective measures; a company can be fined up to RMB 10 million and the directly responsible person can be fined up to RMB 1 million; the relevant business is suspended, business is halted for internal corrective measures, and relevant business permits or licenses are revoked; illegal income is confiscated and a fine of up to 10 times the amount of the illegal income is imposed; criminal and civil liabilities, public security administration penalties, as well as other liabilities under various laws and regulations.
Government data security and disclosure
The Law regulates security and disclosure of government data, with legal liabilities for non-compliance. Chinese authorities shall keep confidential all data on personal information, business secrets, confidential business information etc. that become known to them in the course of performing their duties, and China develops catalogs for government data disclosure.
Outlook
In general, the Law sets up the framework for data security in China. Taking into account its broad scope of application, wide range of data security systems and possibly harsh legal liabilities for violation, companies and individuals must take steps to ensure compliance. Additionally, it is essential to follow closely all further legislative activities and instructions of the various national and local authorities. Moreover, the interaction between the Data Security Law and other Chinese legislation, including the Cybersecurity Law, the Export Control Law, the Law on Anti-foreign Sanctions, and the Personal Information Protection Law, should be carefully observed.
By Lukas Züst & Qinqin Yao, Vischer, Switzerland, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact switzerland@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.