How Could China’s New Data Security Law Affect Other Territories?
On June 10, 2021, China’s National People’s Congress passed the People’s Republic of China Data Security Law (DSL). The law, which will take effect on Sept. 1, is the nation’s first comprehensive data protection legislation. It will also have implications that reach beyond China’s borders.
The DSL follows a trend of increasing Chinese data regulations, most notably 2017’s Cybersecurity Law. While it’s not the first time the nation has addressed privacy, it’s certainly the widest and most in-depth China data law yet.
What does the Data Security Law include?
The Data Security Law focuses mainly on data’s impact on national security. Organizations within China that handle information that could affect the country’s security or public interests must designate security personnel and monitor for potential risks. Failure to comply could result in hefty fines and even revocation of an entity’s business license.
The Chinese government will require different levels of security, depending on the sensitivity of the information. Companies involved in data trading must note the source and keep detailed records of all transactions.
While parts of the DSL resemble other nation’s data laws, like the EU’s General Data Protection Regulation (GDPR), it specifically sets itself apart from them. It prohibits providing information stored in China to other countries’ regulatory bodies without approval from the Chinese government.
Similarly, China’s new data law reemphasizes the localization requirement of the Cybersecurity Law. Under this regulation, any statistics collected or generated by critical information infrastructure operators must be stored in China. These entities must also perform security assessments before transferring anything overseas.
How could the DSL impact non-Chinese companies?
The Data Security Law has many implications for non-Chinese entities, some more explicit than others. Perhaps most notable is the clause about foreign regulatory bodies. If you collected data in China but used it in Europe, you could run into legal complications.
The GDPR may require you to provide this data to EU authorities, but under the DSL, you’d need Chinese approval first. This could delay operations or limit what you can do in the EU with Chinese information. It could dissuade multinational businesses, which already face changing international trade regulations from pursuing data-gathering operations across borders.
The DSL also applies to data processing activities outside of China if the nation deems it could affect its security or the rights of its citizens. Consequently, the Chinese government may require non-Chinese companies to meet higher security standards if they gather data from or about its nation’s customers.
How could the DSL influence other legislation?
China’s data laws could also affect other territories by spurring similar actions. When California passed the Consumer Privacy Act in 2018, other states proposed similar regulations soon after. The same type of trend could happen in response to China’s DSL.
The DSL is the latest and one of the strictest instances of a growing international data privacy laws movement. Other countries without a comprehensive nationwide data protection law, like the U.S., may pass similar legislation in response. Alternatively, regulations like the GDPR may shift in response to the DSL’s foreign regulation provisions, either making the process easier or becoming stricter.
How the rest of the world will react to the DSL remains uncertain. However, what is certain is that international businesses with dealings in China have significant regulatory changes ahead of them.
Chinese legislation extends far beyond China
China is one of the world’s largest markets, and as such, has a substantial impact on the global economy. As a result, Chinese legislative changes like the DSL impact companies and regulatory bodies around the globe. Staying abreast of these developments is crucial for any company doing business across borders.
