Since 10 June 2021, China has a new Data Protection Act, called PIPL. At first sight, there are many resemblances with the GDPR, but there are also a few notable differences.
Horizons, our Chinese Consulegis partner office, has been advising clients with Chinese commercial interests to evaluate their data handling and management in preparation for the Data Security Law. Since we meet and discuss global data protection on a monthly basis in the Consulegis IT & Data Protection Practice Group, we have asked them to present a brief overview of the new law in this article.
Scope of Data
The Data Security Law defines the scope of data and handling as the following in Article 3:
Data shall refer to any record of information in electronic or other forms.
Data handling shall refer to the collection, storage, use, processing, transmission, provision, and disclosure of data.
Data security shall refer to the ability to ensure data is effectively protected, lawfully used, and kept in a secure state by adopting necessary measures.
In practice, the Data Security Law focuses on data security, in both electronic and non-electronic forms, and on data handling activities. The Cyber Security Law adopted on 1 June 2017 focuses on the supervision and management of information and network systems. Therefore, the scope of the Data Security Law is broader and affects all companies handling online and offline data.
The Law designates the State to establish a data classification and grading mechanism based on two aspects:
- the degree of importance to economic and social development; and
- the level of damage to national security, public interests, or organisations if the data is tampered with, destroyed, leaked, or illegally obtained or used.
For data identified as important data, a specific catalogue shall be formulated by each region and department. Regions and departments shall determine and grade important data according to the relevant industries and areas and establish stricter data protection obligations. Equally, data relating to national security, the lifelines of the national economy, people’s key livelihood, and major public interests shall be classified as core data and subject to a stricter management system.
Therefore, companies should anticipate stricter data management obligations. Specifically for multinationals involved in cross-border data transfer, important or national data could be defined as controlled categories and subject to export controls.
Data Security Protection Obligations
Although obligations depend on the type of data handled, we recommend that companies appoint specific personnel or management to supervise data management and ensure policies are correctly implemented.
Moreover, for all companies conducting data handling activities, the Data Security Law stipulates the following obligations:
- establish and perfect a data security management system across the entire workflow;
- adopt lawful and proper methods in collecting data; obtaining data by illegal means is forbidden;
- organise and conduct data security education and training;
- adopt the corresponding technical measures and other necessary measures to ensure data security; and
- in the event of a data security incident, take immediate disposal measures, notify users as required and report the matter to the relevant competent department.
For companies handling data classified as important data, the following obligations are provisioned:
- specify responsible personnel and management bodies for data security;
- fully implement data security protection responsibilities;
- periodically conduct risk assessments for their data handling activities;
- periodically submit a risk assessment report to the competent department; and
- the risk assessment shall include the categories and quantities of the important data handled by the organisation, how the data is handled, any data security risks that have occurred, and the countermeasures taken.
Moreover, organisations and individuals are obligated to cooperate with public security and national security organs that require their data for national security or criminal investigations. In practice, data privacy policies should be revised accordingly. Where the data laws of other jurisdictions overlap, such as the General Data Protection Regulation, applying the two together could be challenging and specialised advice should be sought.
Whilst the Data Security Law applies to data handling activities within the People’s Republic of China (“PRC”), related data handling outside of the PRC could be subject to investigation. Specifically, under Article 2, where data handling outside of the PRC harms the national security, public interests, or legitimate rights and interests of citizens or organisations of the PRC, legal liability shall be investigated. Although specific liabilities are not mentioned, violations of the Data Security Law are subject to civil, public security administration, and criminal penalties. Therefore, companies outside of China handling related China data should still implement China-specific data compliance policies to mitigate unintentional violations and the risk of future liabilities.
Violations of the Data Security Law are subject to fines between 50,000 RMB and 2 million RMB, and companies may concurrently be ordered to suspend the relevant business or have their business licences revoked. Consequently, data security protection is significant and shall not be taken lightly.
The Data Security Law establishes the significant role of the State in data development and protection as China advances the digital economy. Mismanagement of data, specifically by those handling important data, could expose both the company and the individuals responsible to significant liabilities.
Do you have questions on international data protection, or are you doing business in China or exploring the possibilities to do so? We’re happy to make time for you or to put you in contact with our Chinese partner. Feel free to call or email Bart Van den Brande at email@example.com or +32 492 249 516.