Earlier this month, China’s national legislature released a draft of its future Data Security Law, which, together with the upcoming Personal Information Protection Law, will become China’s latest set of data protection and privacy regulations. The last significant legislation on the subject was the Cybersecurity Law, which took effect in 2018 but has proven to be insufficient to govern the complexities and ambitions of China’s digital economy.
The draft law is currently open for public comment and is expected to be finalised only a year from now. As the draft currently stands, many concepts are vague and require further regulation to flesh out the ideas; Chinese lawyers have also said that it’s not enough to put their minds at ease. Nonetheless, the contents give a clear indication of Beijing’s stance on internet governance at home and abroad.
New America, an American think tank focusing on public policy issues, identified five takeaways from the draft law:
1. Consistent data classification
Article 19 suggests that the central government would classify data types and local governments would lay out the extent of “important data,” which is a key concept in the law that is not yet clearly defined. Nonetheless, what’s new is that the state will now classify data. Previous regulation laid out 27 categories of important data, but lawyers and academics have said that the categories are vague and have often made enforcement difficult.
2. A clearer relationship between the government and the private sector
Article 32 states that, “Where public security departments and national departments need to consult data in order to lawfully safeguard national security or investigate a crime, they shall, according to relevant State regulations, undergo strict approval procedures and proceed according to the law; relevant organisations and individuals shall grant cooperation.”
This article appears to set a lawful path for the state to gather data from private companies; China’s existing Cybersecurity Law instead blanketly requires companies to comply with intelligence-gathering operations if asked. However, the procedures for the state to access data, as well as the mechanisms for contesting requests, are not yet explained. Therefore, there remains the possibility that the law could leave data as easily accessible to the state as it currently is.
3. Support for data markets
Chapter 2 emphasises that national security concerns do not mean that the opportunities of data use need to be sacrificed. The law becomes what New America say is the first national law to both recognise and call for the establishment of data transaction markets.
No further details are given, but New America point out that the draft’s emphasis on data as a commodity echoes a recent State Council opinion document that designates data as the fifth factor of production after land, labour, capital, and technology.
4. Clarification of government responsibilities
Article 7 provides some details for a separation of responsibilities between the Ministry of Public Security (MPS) and the Cyberspace Administration of China (CAC). The CAC, which is chaired by President Xi Jinping, is assigned the role of coordinating policy, whereas the MPS will likely continue to be responsible for criminal investigations of data breaches. There will also be a new review system, though it is unclear whether the MPS, the CAC, or both would be in charge.
Although many have the impression of entirely centralised authority in the Chinese political system, like elsewhere in the world, Chinese ministries often fight for jurisdiction over certain issues. With the growing importance of data, it seems that Chinese legislators have decided it’s time to iron out this issue. Once again, power has been vested in President Xi.
5. Chinese data and the world
The draft law shapes the reach of Chinese jurisdiction around the world. Data control has become an increasingly contentious topic worldwide, escalating to a new high this month with the Trump administration considering a ban of the social media app TikTok, whose parent company is based in China. In this regard, New America highlights these aspects:
- Widening of jurisdiction: Article 2 states that legal liability for “data activity” that harms Chinese national security will extend beyond Mainland China;
- Export controls: Article 23 says that the state will control which types of data can be transferred out of China;
- A mandate to retaliate: Article 24 states that corresponding measures should be adopted for countries or regions that adopt discriminatory data or technology limitations towards China;
- Developing data request mechanisms: Article 33 develops rules for foreign law enforcement agencies requesting data, joining the likes of the US CLOUD Act and the EU E-evidence framework.
In many ways, the draft law builds on the existing body of data protection and privacy legislation in China, answering questions and closing loopholes. By encouraging data markets, the draft reveals that Beijing recognises the importance of data in the development of China’s digital economy. At the same time, the draft takes measures to protect individual privacy through a more robust classification of personal data and fines of up to US$150,000 for companies that fall short of their responsibilities as data controllers.
The law is understood to be the first time that China has attempted to exercise legal authority on companies outside its jurisdiction. It’s unclear whether these articles will be used as a political warning or a genuine tool for taking a tougher stance on the global stage. Yan Luo, partner at the law firm Covington & Burling in Beijing, believes it’s a way to counteract the extra-territorial effect of US law – for instance, the web of Iran sanctions that Huawei CFO Meng Wanzhou has found herself caught up in.
Encouraging retaliation to foreign restrictions also means that we should expect continued escalations of techno-nationalism if President Trump wins reelection in November. These provisions also mean that the tech exodus from Hong Kong will likely continue. The draft law was published within days of the Hong Kong national security law, together bringing into question the independence of data governance in the territory.