Why China’s New Data Security Law Is a Warning for the Future of Data Governance

Stricter data privacy rules present new challenges for businesses operating in the world's second-largest economy.

Pedestrians walk past a stock market display board showing the Chinese state-owned commercial banking company Bank of China in Hong Kong on Sept. 24, 2020. BUDRUL CHUKRUT/LIGHTROCKET VIA GETTY IMAGES

China's two newest data security laws, the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), came into effect in the second half of 2021. Building on the 2017 Cybersecurity Law, they introduce new rules for handling data, updated enforcement measures, and additional restrictions on the transfer of data outside of China. Notably, the DSL broadly expands the extraterritorial reach of China's existing data rules, creating a critical new set of obligations for companies doing business with Chinese citizens, both within and outside the country's borders.

These new restrictions paint a complicated picture for the future of data governance, continuing a trend toward more complex regulatory regimes, competing legal frameworks, and increased restrictions on international data flows. Governments' continued adoption of similar measures will increasingly disrupt an era of relatively unrestricted cross-border data flows that has been critical to the growth and expansion of many international businesses. The key points and implications of each law are broken down below.


The Data Security Law

Passed on June 10, 2021, in effect since September 1, 2021

What’s New: New data classification categories aimed at protecting national security are loosely defined, leaving interpretation up to Chinese authorities.

The DSL references two main categories of sensitive data—national core data and important data—with new guidelines for governing each.

  • “National core data” is defined as data concerning national security, economic interests, Chinese citizens’ welfare, or the public interest, and is categorized as the most sensitive data type.
  • "Important data" is categorized as the second most sensitive data type but is not clearly defined in the text. Instead, regulatory authorities at the regional and sectoral level are expected to issue additional guidelines on what constitutes important data within their jurisdiction, but no timeline for issuing those guidelines has been set.

The new data categorization system poses two primary issues for companies operating in China. The first is the lack of definitional clarity. There are fines of up to RMB 10 million (~$1.56 million) per infraction for mishandling national core data, but compliance will be difficult given the vague definition. The same holds true for important data, where violations can carry fines of up to RMB 5 million (~$780,000), even though the category is defined even less clearly. Until concrete examples of the law being applied are available, or clarifying definitions are issued, businesses will have to make strategic adjustments on the basis of incomplete information. Second, allowing local regulatory bodies to determine what constitutes important data creates another layer of compliance requirements, and it will make operating across jurisdictions more complex if different definitions are adopted. Both international and domestic companies will now be forced to navigate the existing national rules alongside a yet-to-be-determined number of region- and industry-specific guidelines.

Old idea, new reach: The Data Security Law builds on the provisions of the Cybersecurity Law and expands China’s extraterritorial reach over new categories of data.

The DSL expands on the data localization and data transfer rules of the Cybersecurity Law and imposes harsher penalties for violations. Companies that handle these types of data, such as operators of critical information infrastructure in sectors like physical or digital infrastructure and natural resource extraction, are responsible for ensuring that data generated within China is stored within the country. A security assessment in accordance with the Cyberspace Administration of China's guidelines is required before any such China-originated data is transferred abroad.

Critically, all data handlers are prohibited from providing any data stored in China to foreign judicial or law enforcement agencies without approval from Chinese government authorities, regardless of the data's sensitivity level and where the data was originally collected. This provision is widely viewed as a direct counter-measure to the 2018 U.S. Clarifying Lawful Overseas Use of Data Act (the "CLOUD Act"). Under the CLOUD Act, U.S. law enforcement agencies can compel U.S.-based service providers to produce electronic data in their custody or control, no matter which country the data is stored in. China's new legal requirements therefore create the potential for international companies to be caught between conflicting demands from U.S. and Chinese authorities over access to the same data.

How it’s enforced: Fines and legal penalties for breaching the laws are significant, but initially enforceability is likely to be inconsistent.

Companies that provide national core data to foreign officials without approval from Chinese authorities are subject to fines as well as the potential forced shutdown of their businesses and potential criminal charges. For violations regarding important data, additional penalties may be imposed directly on the individuals involved, as determined on a case-by-case basis by Chinese authorities. There are also penalties for companies that fail to cooperate with data requests from Chinese authorities on law enforcement or national security matters, but the extent of these penalties is not clearly defined; instead, parties found to be in violation will be prosecuted in Chinese courts.

The Personal Information Protection Law

Passed on August 20, 2021, in effect since November 1, 2021

What it's based on: Modeled after the EU's General Data Protection Regulation (GDPR), the Personal Information Protection Law is China's first comprehensive data protection law covering personal data.

The PIPL covers all processing of the personal information of individuals in China, whether the processing takes place within China or abroad. The law governs data collection by both public and private entities and includes provisions requiring Chinese government agencies to notify individuals and obtain their consent. However, the provisions on government data collection do not apply where collection is deemed necessary for "acting in the public interest." In practice, this means the law is unlikely to end the Chinese government's extensive data collection practices, from capturing biometric data through facial recognition systems to the myriad data points that make up citizens' social credit scores.

Similar to the GDPR, the PIPL grants individuals the right to limit or refuse processing of their personal information and the right to refuse automated decisions based on their personal data, and it requires explicit consent before personal data is transferred to third parties. It also carries more severe penalties for violations than the GDPR. Companies found in violation face fines of up to RMB 50 million (~$7.8 million) or 5 percent of the previous year's revenue and risk suspension of their operations. Additionally, violations may be recorded in companies' social credit files, which affects their ability to access financing. Individuals can also be held liable for violations, with fines of up to RMB 1 million (~$157,000) as well as further discipline determined by legal authorities.

Why it’s concerning: New deletion requirements on personal data and transparency rules could disrupt business models that rely on collecting and selling consumer data.

Under the PIPL, data handlers are now required to delete personal data once the stated purpose for collection has been fulfilled. How that point is to be determined is left ambiguous, so it is unclear whether this represents a meaningful privacy benefit for individuals. Depending on when data must be deleted, and how strictly the provision is enforced, it could disrupt data economy companies that rely on storing, analyzing, and selling user data. Additional safeguarding obligations depend on how a company is categorized: whether it is a "major internet service platform," has a "large number" of users, or engages in "complex business activities." Like many parts of the PIPL and DSL, these categories are not clearly defined in the text and are likely to be interpreted at the discretion of Chinese authorities.

What this means: Transferring personal data outside of China is more difficult under the PIPL, and its adoption encourages other countries to enact similar personal data protection measures.

Transferring personal data to another handler within China or overseas now requires the data subject's separate, informed consent. This is similar to a provision in the GDPR that forced many businesses to add consent forms and update their data collection policies. For overseas transfers, companies are responsible for ensuring that the recipient's handling of the data meets protection standards at least as stringent as those of the PIPL. Requirements of this kind appear in a variety of personal data protection laws globally, including the GDPR, and EU authorities have imposed significant fines on companies that violate them. As more countries adopt similar provisions, the pressure to pass comprehensive data protection laws mounts worldwide. The PIPL also imposes an additional restriction on companies deemed to hold a "large volume" of personal data: they must store that data within China and complete a mandatory security assessment by the Cyberspace Administration of China before transferring any of it overseas.

The Big Picture and Implications for Businesses

The addition of new data classifications, legal jurisdictions, and data storage requirements imposes another layer of regulatory complexity for businesses operating in China.

China's new data security laws increase the complexity of the data governance regulatory landscape. Given the size and significance of China's economy, the combination of national- and regional-level rules will potentially require major adjustments from data economy companies doing business in China.

China now joins the EU as a major economy with a comprehensive data governance framework, and India is likely to be the next major economy to follow suit, with its comprehensive Data Protection Bill expected to pass in the first half of 2022. As more countries pass data protection laws, effectively navigating the resulting web of regulations will become a prerequisite for operating in the global digital economy.

For a full breakdown of the global data governance regulatory landscape, see FPA’s Global Data Governance Policy Database. And for a comprehensive breakdown of the key factors determining the future of international data governance, see FPA’s Global Data Governance Power Map.

Global Data Governance

FP Analytics

Data governance has long been the domain of corporate and organizational strategy, lending a competitive advantage to those able to optimize their data collection, organization, transfer, and discovery practices. With the increasing digitalization of organizations and economies, data governance, including the clear establishment of standards and protocols for data collection, storage, transfer, and use, is becoming an increasingly pressing global issue.

While intellectual property and proprietary data have long been governed through strict legal frameworks, relatively scant protections have existed for user data and personal information. This lax regulatory environment for consumer data in particular has enabled the rise and dominance of global tech companies from Facebook and Google to Baidu and Tencent, and has spurred a wave of privacy-focused regulation around the world.

In FP Analytics’ Data Governance Power Map series, we examine the emerging laws, regulations, and technologies that are both enabling greater data collection and impacting cross-border data flows. FPA’s Power Maps catalog the data localization laws, comprehensive national data regulations, government data collection, and monitoring and surveillance technologies that are shaping the global data governance landscape and carrying wide-ranging impacts for individuals, companies, governments, multilaterals, and non-profits.

Notably, these emerging data regulations are fundamentally altering the way organizations of all types can operate internationally. Major data privacy frameworks developed by first movers are serving as templates for other national frameworks under development, many of which are being tweaked to suit the domestic agendas of the governments adopting them. For example, the EU's General Data Protection Regulation (GDPR) and China's Cybersecurity Law, two of the most comprehensive packages of data privacy regulation, have already had cascading impacts on businesses and organizations in those markets and on all of their trading partners. In 2017, U.S. firms cited data localization policies as their number-one impediment to digital trade, and such protectionist measures are only growing. And that is just the beginning.

At the same time, many national governments are crafting exemptions to their data privacy laws, empowering them to expand monitoring capabilities and build up massive data collection infrastructure. Driven by economic and national security interests, governments are increasingly monitoring private citizens, requesting access to corporate data, and limiting encryption. This mass accumulation of data can have transformative impacts on societies, raising questions about what uses are, in fact, in the public interest.

FP Analytics’ Data Governance Power Map series breaks down key emerging trends in global data governance by:

  • Pinpointing emerging global data governance trends;
  • Cataloguing specific data localization and data privacy laws by country;
  • Mapping encryption policies around the world;
  • Charting the global sales of data collection and surveillance technology; and
  • Exploring the risks and implications for businesses and individuals.

FP Analytics provides a comprehensive assessment and mapping of data localization and privacy laws, as well as one of the most complete assessments of government data collection and regulation trends around the world. It is a tool for businesses and others seeking to understand how evolving global governance regimes are shaping the digital world.
