After two rounds of public comments, the Data Security Law (DSL) of the People’s Republic of China was officially published on June 10, 2021. The DSL, which entered into force on September 1, 2021, establishes a set of principles and guidelines. policies designed to ensure the protection and effective use of data. It governs both data activities carried out in China and data activities carried out outside China, which may endanger national security or the public interest of China.
The DSL governs, among others, the following matters: data security obligations such as the establishment of a data security management system, data security training and the implementation of measures techniques to ensure data security and prevent breaches; cross-border data transfers, which are regulated by the Cyberspace Administration of China; and authorizations for data processing services, required for certain types of data processing (yet to be defined).
The law has established a data protection policy based on a hierarchical classification and categorization of data. Like the “special categories of personal data” in the GDPR, data classified as “important data” will be covered by broader protection and subject to more stringent regulation. The “catalog of important data” is not defined in the DSL. Each state region and government department must establish its own catalog and apply it under its jurisdiction.
Although LIS provides a wide variety of principles and policies, its impact remains unclear, as it lacks practical rules. A series of enforcement rules are expected to be introduced by Chinese lawmakers in the near future.
CLICK HERE to read an unofficial English translation of China’s New Data Security Law.