China Passes New Data Privacy and Security Laws
China of late has been keen on legislating new laws and regulations pertaining to data privacy and security. Two laws on Critical Information Infrastructure and Important Data are directed at handling data national security and/or public interest. The introduced laws give data subjects new rights and protections and includes stringent penalties.
Data Security Law
The Data Security Law (DSL) was passed by The National People’s Congress Standing Committee of the People’s Republic of China on 10 June 2021.
DSL mainly zeroes in on the protection and security of critical data and is related to national security and the public interest. It governs the creation, use, storage, transfer and exploitation of data within China.
An important feature of DSL is the data classification system. Different types of data are classified according to level of importance and then a protection standard is published for each type of classification. The law also enumerates specific general security obligations for data processors at large.
The law controversially requires data localisation of data collected by foreign and domestic entities on Chinese citizens. The law prohibits the export of data by technology companies without first the completion of a “cybersecurity review”.
Article 36: The competent authorities of the PRC are to handle foreign justice or law enforcement institution requests for the provision of data, according to relevant laws and treaties or agreements concluded or participated in by the PRC, or in accordance with the principle of equality and reciprocity. Domestic organizations and individuals must not provide data stored within the mainland territory of the PRC to the justice or law enforcement institutions of foreign countries without the approval of the competent authorities of the PRC
At present, DSL is expected have more impact on companies that are in possession of data relating to national security and the public interest. This includes those that deal with a large volume of personal data, critical infrastructure and critical industries, like financial, medical and key technologies. Companies looking to transfer important data outside of China must perform an internal security review before applying for a security assessment and approval from the Cyberspace Administration of China (CAC).
Each company should evaluate the type of data it processes and consult with legal counsel to know what level of legal compliance is needed. The DSL took effect on 1 September 2021.
Security Protection Regulations on Critical Information Infrastructure
The Security Protection Regulations on Critical Information Infrastructure (the CII Regulation) was released by the State Council of the People’s Republic of China on 17 August 2021.
It applies to Critical Information Infrastructure (CII) which refers to the network and IT system that are critical to national security and public interest but may also impact companies are suppliers or service providers of these networks and systems.
CII Operators are subject to much stricter rules in terms of data security and cross-border data transfer. There are no specific rules or any public guidelines that deem network or IT systems as CII.
The appropriate government authority is tasked to assess and decide on a case-by-case basis and a business determined as a CII operator will be informed of such a decision.
Companies should conduct a self-evaluation that is based on two aspects: (1) type of business and the type of data the business processes to determine the potential risk of being deemed a CII operator, and (2) if any of its customers may be deemed a CII operator.
The CII Regulations also took effect last 1 September 2021.
The Personal Information Protection Law (PIPL)
The PIPL give Chinese data subjects new rights with the aim of preventing the misuse of personal data. Business data will be categorized by different levels of importance and there are new restrictions on cross-border transfers. Similar to the EU’s General Data Protection Regulation (GDPR), the PIPL gives Chinese consumers the right to access, correct and delete their personal data gathered by businesses.
The PIPL went into effect in November 2021.
- China has recently passed new laws on Critical Information Infrastructure and Important Data which are laws that are directed at handling data national security and/or public interest.
- DSL mainly zeroes in on the protection and security of critical data that are related to national security and the public interest.
- The most important feature of DSL is called the data classification system where different types of data are classified according to its level of importance and then a protection standard is published for each type of classification.
- Security Protection Regulations on Critical Information Infrastructure is an implementing rule of the Cybersecurity Law (CSL) and it applies only to Critical Information Infrastructure (CII).
Jaclyn-Mae Floro, BCompSc
Contact W3IP Law on 1300 776 614 or 0451 951 528 for more information about any of our services or get in touch at firstname.lastname@example.org.
Disclaimer. The material in this post represents general information only and should not be taken to be legal advice.