Broad and vague definition of sensitive information worries lawyers

China has placed national security considerations at the heart of a new data security law

In just a few weeks’ time, a new data security law will come into force in the People’s Republic of China.

The Data Security Law (DSL) was enacted in June this year, and comes into force on September 1. The new law sets out protect data focussed on China’s national security.

The legislation will sit alongside the country’s Personal Information Protection Law (PIPL) which was updated this Spring, and the country’s existing Cyber Security Law, passed in 2017.

This apparent proliferation of data protection legislation is part of a multi-year approach by the Chinese government to strengthen both data protection and national security.

The new Data Security Law will apply even to businesses outside China that either work with Chinese businesses or handle the data of Chinese citizens, so its influence will extend far beyond China’s borders.

Three pillars

The 2017 Cyber Security Law (CSL) forms “the backbone of data protection from a perspective of cybersecurity”, according to Clarice Yue, Michelle Chan, and Sharon Zhang, of international law firm Bird & Bird.

As the lawyers explain in a blog post, however, the CSL is general legislation without a framework for data security governance. That framework will be provided by the new Data Security Law.

Together, the CSL, Data Security Law, and the PIPL form “three pillars of the Chinese data protection legislation system” according to Bird & Bird. The laws will provide a framework for both cybersecurity and data protection governance.

Lawyers with expertise in the region expect the Chinese government to issue regulations for implementing the Data Security Law. But they caution these rules might not be published before September 1.


Catch up with the latest privacy and legislation news and analysis


The new legislation is already causing concern among privacy and information security experts.

According to the Chinese authorities, the law aims to protect national security interests. To do so, it sets out to define special classes of data, including “national core data” and “important data”.

The idea of national core data was only added in the final draft of the legislation, and sets out to define data that relates to national security, the economy, and critical public interests.

As yet it is not clear how narrowly – or widely – this will be defined.

“Like many governments, China’s Data Security Law outlines special classes of data that are ‘core’ to national security,” Matt Stamper, CISO and executive advisor at EVOTEK, and president of ISACA San Diego Chapter, told The Daily Swig.

“National core data represents those classes of data that impact the country’s national economy, security, and sovereignty. The key is how broadly defined this subset of data will be interpreted. An overly expansive view of national core data could stifle data flows and present barriers to foreign entities working within certain sectors of the Chinese economy.”


RELATED Behind the Great Firewall: Chinese cyber-espionage adapts to post-Covid world with stealthier attacks


Fines will depend on whether a breach of law affects either core data or important data, with higher penalties imposed for core data.

Breaking the law for core data could attract a penalty of up to RMB 10 million ($1.54 million), on top of any other applicable penalties.

But legal experts warn that it could be virtually impossible for firms to decide accurately whether information originating in China is core data or important data, as the proposed law defines the terms only in broad (and somewhat vague) terms.

Jurisdiction

The new legislation also does not only cover operations inside the People’s Republic of China.

The DSL sets out to cover “data activities” by organizations, or individuals, outside China, “that harm China’s national security or public interest, or the legal interests of citizens and organizations in China”, according to an analysis by the US-based National Law Review.

This raises the prospect of enforcement against both non-Chinese companies and citizens if they are deemed to breach the new Chinese law.

At the same time, the legislation proposes new rules for organizations responding to requests from foreign law enforcement agencies or courts. These requests will need to be approved by a government department, unless they are covered by an existing treaty.


A new data security law will act as a new framework for Chinese data regulationUpcoming revisions to China's data security laws will affect Western countries doing business in China


As yet, it is not yet clear how China will handle such requests, though organizations operating in China will be obliged to hand over data on request for any “national security or criminal investigation”.

“Based on an incredibly broad definition of what constitutes ‘core’ and ‘important’ data, the state can basically ‘investigate’ private companies in China and inspect their data at will,” Attila Tomaschek, digital privacy expert at ProPrivacy, told The Daily Swig.

New obligations

The new law gives companies new security obligations, including establishing data security systems, risk supervision, technical measures including protection against data breaches, and setting up security education and training program.

This will require companies to improve their security systems, although many of the measures Chinese law mandates are similar to other security and privacy legislation, such as the EU’s GDPR (General Data Protection Regulation).

“What makes this whole situation even more troublesome is that companies only have until September 1 to get their act together and ensure they’re in compliance with the law,” warns ProPrivacy’s Tomaschek.

“It’s not just the short timeframe, either, that is going to be an issue for companies; it’s the rather confusing and contradictory nature of the law itself that will cause major issues with compliance down the road after the law takes effect.”


YOU MAY ALSO LIKE British Airways agrees to pay victims of record-breaking data breach