2021.05.13 DONG, Xiao (Marissa); Yuan, Qiong
After a review by the 28th Session of the Standing Committee of the Thirteenth National People’s Congress, the Data Security Law (Second Draft for Solicitation of Comments) (the “Second Draft”) was issued on April 29, 2021.
The Data Security Law (Draft for Solicitation of Comments) (the “First Draft”) was issued on July 3, 2020 after discussion at the 20th Session of the Standing Committee of the Thirteenth National People’s Congress. The Second Draft makes certain adjustments and supplements to the First Draft.
The Data Security Law, upon its official enactment, will become an important part of the state security legal framework represented by the State Security Law. Together with the Cybersecurity Law and the Law on the Protection of Personal Information (whose second draft was issued on the same date), it will form the basic legal framework within the information sector.
Similar to the First Draft, the Second Draft also has seven chapters. It has 53 provisions, only two more provisions than the First Draft.
Some of the major amendments are:
The First Draft mentioned that the State should implement a categorized and tiered protection of data. The Second Draft more specifically requires that the State shall establish a tiered data protection system and protect data by its classification, formulate a catalogue of important data and strengthen the protection of important data (Article 20);
The Second Draft emphasizes the implementation of the Multi-level Protection Scheme (“MLPS”) as provided under the Cybersecurity Law, requiring that an administration system shall be established with respect to the conduct of data processing activities based on MLPS (Article 26);
As a new provision, the Second Draft requires that a security assessment shall be conducted in accordance with the Cybersecurity Law with respect to the export of important data by the operators of critical information infrastructures, and special administrative measures will be issued with respect to the security of the export of important data collected and generated within China by other data processors (Article 30). However, the Second Draft does not specifically define important data, which will be confirmed by the aforesaid catalogue of important data;
The First Draft restricts a foreign law enforcement organization from collecting data in China, while the Second Draft imposes additional restrictions on the collection of data by foreign judicial organizations in China, requiring that such data may only be exported with the approval of the competent authority (Article 35);
The Second Draft significantly increases the amount of fines for a breach of the obligations of data security protection: the maximum amount of fines for an enterprise for the breach of the obligations of data security protection has increased from RMB 1,000,000 to RMB 5,000,000, and the enterprise may also be ordered to suspend its business, stop business for rectification, or have its permit or business license revoked; the maximum amount of fines on persons directly responsible for the breach has increased from RMB 100,000 (as specified in the First Draft) to RMB 500,000 (Article 44);
As a new provision, the Second Draft provides for the legal liability for the failure to cooperate with a public security body and the State security departments in data collection. This includes fines of up to RMB 500,000 and the persons directly responsible for such a violation will be subject to fines of up to RMB 100,000 (Article 46); and
As a new provision, the Second Draft provides for the legal liability for the provision of data to a foreign judicial or law enforcement organization without approval. This includes fines of up to RMB 1,000,000 and the persons directly responsible for such a violation will be subject to fines of up to RMB 200,000 (Article 46).