The second draft of the PRC Data Security Law ("Second Draft DSL") was released on 29 April 2021 for the public's comment. The consultation period will last until 28 May 2021. As discussed in our previous article on the first draft of the DSL (“First Draft DSL”) issued in July 2020, the Data Security Law (“DSL”), together with the Personal Data Protection Law (“PIPL”, the second draft of which was released the same day with the Second Draft DSL, as discussed in our latest article here), represent the two most critical and highly anticipated laws in the area of data protection to be promulgated by the highest legislative body in China in the near future.
Although the Second Draft DSL has not introduced sweeping changes to the First Draft DSL, some of the changes are nevertheless significant. Considering that most Chinese laws will in general undergo no more than three rounds of readings by the legislative body, the Second Draft DSL will be an important indicator as to the extent to which the provisions under the current draft will be adopted. We summarise in this newsletter the key changes set out in the Second Draft DSL.
1. State-level "important data" catalogue
As discussed in our previous article, the First Draft DSL sets out a "skeleton" of tiered system for data security, while the parameter of "important data" under such a system has been left to be addressed by local regulators. Unlike the First Draft DSL, Articles 20-21 of the Second Draft DSL provide that the "important data" catalogue is to be formulated by the State, while regional and sectoral regulators will issue specific important data catalogues applicable to relevant sectors and industries. This State-level unified approach, if finally adopted, would be welcomed by organisations as the catalogues, when published, will assist in determining, with potentially greater legal certainty and consistency, whether their data processing will involve "important data" in China.
2. Emphasizing the MLPS implementation
Article 26 of Second Draft DSL emphasises that a comprehensive data security management system should be established on the basis of the multi-level protection scheme (“MPLS”), which is an important set of data security requirements enshrined under Article 21 of the Cybersecurity Law (“CSL”). In fact, ever since the effectiveness of the CSL in 2017, regulators have released a number of rules and guidelines on the MLPS and businesses were penalised for failing to comply with the MLPS. By emphasising the MPLS, the Second Draft DSL reinforces a tightened trend in enforcing the implementation of the MLPS. Businesses are recommended to self-check whether there exists any gap in complying with these legal requirements.
3. Expanded scope of the cross-border data transfer rules
With respect to the cross-border transfer of important data (which was not discussed in the First Draft DSL despite highly anticipated), the newly added Article 30 of Second Draft DSL establishes a separate framework for cross-border transfer of "important data" by Critical Information Infrastructure Operators (“CIIOs”) and non-CIIOs, with the former complying with rules established under the CSL and the latter complying with separate rules to be published by Cyberspace Administration of China ("CAC") and the State Council.
As explained in the legislative note, the expanded scope of important data export restrictions from CIIO to non-CIIO is to meet the practical needs in the data security supervision. This echoes the stricter data export requirements under the draft Data Export Security Assessment Measures and the draft Data Security Management Measures released in 2017 and 2019 respectively. However, in the absence of any further clarification on important data export rules relating to non-CIIOs, businesses will likely encounter a legal dilemma where their export of important data could be subject to much legal uncertainty.
4. Enhanced Penalty
Article 44 of the Second Draft DSL significantly enhances the penalty for violating data security obligations in the following three aspects:
Apart from the above, the Second Draft DSL includes two new sub-provisions in relation to penalty on data provision, but from different angles: enterprises will be punished for failure to cooperate with PRC authorities regarding data access requests and will also be punished for unauthorized provision of data to foreign law enforcement agencies without PRC authorities' approval.
The Second Draft DSL emphasises that "data protection" in China extends beyond personal data protection and it is critical to also consider "important data" protection. As a whole, the Second Draft DSL has responded to some key and hot-button issues and tightened the provisions under the First Draft DSL, as evidenced by, for example, further regulations on the export of "important data" by both CIIOs and non-CIIOs, enhanced penalties and tightened restrictions on the provision of data to overseas law enforcement agencies. Nevertheless, there remains some unresolved issues, e.g. the absence of "important data" export rules, in particular for non-CIIOs. While further clarifications would be most welcome to enable companies to understand and comply with the new law, it appears that the finalised DSL will be coming soon.