



On 29 April 2021, the Data Security Law (2nd Draft for Public Comments) (hereinafter the “Second Draft”) was released for public comments. The Second Draft, based on the Data Security Law (2nd Draft for Public Comments) (hereinafter the “First Draft”), retains its basic structure and makes several adjustments and supplements. The key revisions are set out below.
1. Specify the establishment of a classified and graded data protection scheme and an important data catalog at the State level
The Second Draft specifies that “The State shall establish classified and graded data protection scheme and shall determine important data catalog, to enhance important data protection.” The Second Draft, as opposed to the First Draft, places “determination of important data catalog” within the scope of central rather than regional and departmental affairs. Each region and department, following the classified and graded data protection scheme, will determine the specific important data catalog for its region, department, industry and related sector. This revision may greatly contribute to the formation of a unified standard for determining important data, as well as a cohesive cooperation mechanism between the central authorities and the respective regional and departmental authorities. Yet the determination of important data still needs to be further clarified.
2. Convergence with the Cybersecurity Law and emphasis on the implementation of the Multi-Level Protection Scheme (MLPS)
The Second Draft places great emphasis on the implementation of MLPS under the Cybersecurity Law, explicitly stating that “…establish and improve full process data security management systems regarding data processing activities based on MLPS.”, which highlights the fundamental role of MLPS implementation in cybersecurity governance in China.
3. Make a clear distinction between critical information infrastructure operators (CIIOs) and other data processors on cross-border transfer of important data
The Second Draft makes a clear distinction between CIIOs and other data processors in the legal requirements for cross-border transfer of important data. It newly adds that the Cybersecurity Law shall apply to such transfers by CIIOs, while measures to be made by the State Cyberspace Administration departments together with relevant departments of the State Council shall apply to other processors of important data. This provision addresses the requirements that have been unclear in practice for companies other than CIIOs conducting cross-border transfers of important data.
In addition, the Second Draft, in convergence with the Personal Information Protection Law (Draft for the Second Deliberation), imposes more stringent requirements and countermeasures in response to two situations: overseas judicial and enforcement authorities claiming data stored in the territory of the People’s Republic of China, and restrictive measures adopted by other countries against China in terms of data utilization investment and trade, etc.
4. Significantly increase legal liabilities on data processing violations
With regard to the amount of fines imposed, the cap on fines for breaching entities increases from 1,000,000 Yuan to 5,000,000 Yuan, and the cap on fines for directly responsible persons in charge and other persons directly liable increases from 100,000 Yuan to 500,000 Yuan. The Second Draft also adds new punitive measures of suspension of relevant businesses and suspension of business operation for rectification.
It is also worth noting that the Second Draft adds two new punishable behaviors, that is, provision of data to overseas judicial and enforcement authorities without approval, and refusal to cooperate with data collection requirements by public security and national security departments.
In addition to the above-mentioned key revisions, the Second Draft requires industry associations to formulate codes of conduct in relation to data security and thus enhance data security protection at the industry level, promoting industry self-discipline. The Second Draft also answers the current trend of platform governance and anti-monopoly enforcement by including market competition protection within the regulatory scope of data processing activities.
Summary
The Second Draft illustrates that China adopts a parallel governance path for national secrets, personal information and important data, and clarifies that competent State security departments will lead and coordinate data security work. Through the convergence of the Second Draft with the Cybersecurity Law and other top-tier legislation and regulations, companies shall put MLPS obligations into implementation, enhance internal organizational and technical data security measures, and keep a close eye on relevant qualification or certification requirements as well as any legislative developments on cybersecurity, data security, personal information protection, etc.
If you need further information, please contact us
assistant@bestao-consulting.com


