Understanding the Chinese Data Security Law: Explaining the Measures Japanese Companies Should Take
The Chinese Data Security Law is a legal framework in the data sector of China, which came into effect in September 2021. It applies to all data processing activities conducted within China, necessitating companies that operate or plan to expand into China to review and revise their existing regulations and management policies. However, there are those who may not fully understand the law or are uncertain about the measures they need to implement.
In this article, we will explain the key points of the Chinese Data Security Law, its penalties, and the compliance measures Japanese companies should take.
What is the Chinese Data Security Law?
The Chinese Data Security Law (中华人民共和国数据安全法) is a law concerning data security in China that came into effect in September 2021. It was enacted for the purpose of safeguarding national security, similar to the Chinese Cybersecurity Law that was implemented in June 2017.
Chinese Cybersecurity Law: A law to protect the security of China’s “networks”.
The objectives of the Chinese Data Security Law are outlined as follows (Article 1):
- Regulation of data handling activities
- Ensuring data security
- Promoting the development and utilization of data
- Securing the legitimate rights and interests of individuals and organizations
- Protecting the sovereignty, security, and development interests of the nation
While the Chinese Cybersecurity Law regulated electronic data, the Chinese Data Security Law is characterized by its inclusion of non-electronic data, such as paper documents, within its regulatory scope (Article 3). The Chinese Data Security Law stipulates the classification of data, the establishment of a security certification system, and the obligations to protect data security.
Key Points to Understand the Chinese Data Security Law
The Chinese Data Security Law encompasses a variety of provisions that may be challenging to fully comprehend. In this section, we will elaborate on the following five key points of the Data Security Law.
- Scope of Regulation
- Establishment of Data Classification and Grading Standards
- Data Security Management
- Regulations on Data Transfer
- National Security Review
Scope of Regulation
All data processing activities conducted within China are regulated by the law. Even when data processing activities take place outside of China, they are subject to regulation if they harm the national security, public interest, or the legitimate interests of citizens and organizations of China.
The term “data” refers to records of information by electronic or other means, and it is important to note that this includes paper records. “Data processing” encompasses the collection, storage, use, processing, transmission, provision, and disclosure of data. Those who engage in these activities are referred to as “data processors.”
Establishment of Data Classification and Grading Standards
Data processors must ensure data security based on a grading protection system. The grading protection system is a public evaluation system for network security management structures, and the required measures vary depending on the grade. Furthermore, data must be classified based on the extent of damage it could cause to national security, public interest, or to individuals and organizations in the event of destruction or leakage.
Classification is divided into three categories: “General Data,” “Important Data,” and “Core Data.” The “Network Data Security Management Regulations (Draft for Comment)” define important data as “data that, if tampered with, destroyed, leaked, illegally acquired, or used unlawfully, could potentially harm national security or public interests.” Core data refers to data related to the nation’s security, the lifeline of the national economy, the vital interests of the citizens, and major public interests (Article 21).
As of the time of writing, there are no specific catalogs for important or core data, so it is advisable to classify the data you handle based on the examples of important data listed in the “Network Data Security Management Regulations (Draft for Comment).” It is also crucial to monitor the catalogs published by the relevant departments.
Data Security Management
As a data processor, the following are required:
- Implementation of data security education and training
- Protection obligations for data security based on the graded protection system
- Continuous risk monitoring
- Establishment of a safety management system throughout the data lifecycle
- Appointment of a responsible person
- Technical measures
Essentially, these requirements are similar to those of the Information Security Management System (ISMS), but it is important to note that management measures must be taken according to the classification of the data.
In the event of an incident, immediate measures must be taken, and reports must be made to both users and the authorities. Furthermore, when processing important data, it is necessary to conduct regular risk assessments and submit risk assessment reports to the relevant jurisdictional departments.
Regulations on Data Transfer
Regulations apply to the transfer of data, particularly when it involves important data. It is stated that the provisions of the Cybersecurity Law apply when operators of critical information infrastructure facilities transfer important data acquired or generated within China across borders in the course of their domestic operations.
Critical Information Infrastructure Facilities: Facilities in sectors such as energy, transportation, finance, and public services whose damage, loss of function, or data leakage could significantly harm national security, the public’s livelihood, and the public interest.
If you are a data processor not classified as an operator of critical information infrastructure facilities, you must undergo a safety assessment review by the authorities in accordance with the ‘Regulations on the Security Assessment of Cross-Border Data Transfer’ and pass it before transferring data.
According to the ‘Network Data Security Management Regulations (Draft for Comment)’, even when transferring non-critical data abroad, the following cases require a security assessment by the authorities, which must be passed before the transfer:
- When the cross-border data includes important data
- When operators of critical information infrastructure facilities, or data processors handling personal information of more than one million individuals, provide personal information abroad
Furthermore, the following obligations are listed for those transferring data abroad:
- Not to provide personal information abroad beyond the purpose, scope, method, type, and size of data specified in the Personal Information Protection Impact Assessment Report submitted to the network information department
- Not to provide personal information and important data overseas beyond the purpose, scope, type, and size specified in the security assessment by the network information department
- To accept and process complaints related to data export from users
- To retain relevant logs and data export approval records for more than three years
- If the data export harms the legitimate rights and interests of individuals, organizations, or the public interest, the data processor is liable under the law
When transferring data abroad, there is also an obligation to create a Data Export Security Report and report it to the local network information department.
National Security Review
It is important to note that if data processing activities are deemed by the Chinese government to harm the national security of China, a National Security Review will be conducted. The results of the National Security Review are final, and it is not possible to challenge the decision through administrative appeals or litigation.
Penalties Under the Data Security Law
Violations of the Data Security Law can result in corrective orders and warnings, fines, suspension of business operations for rectification, suspension of related business activities, and revocation of business licenses.
For instance, failure to fulfill obligations stipulated in Articles 27, 29, and 30 of the Chinese Data Security Law may lead to corrective orders and warnings. Additionally, fines ranging from 50,000 to 500,000 yuan may be imposed on the directly responsible person(s) and other directly liable individuals.
It is important to note that in the event of a violation of the Data Security Law, not only the corporation but also the directly responsible person(s) and other staff members bearing direct liability are subject to penalties. Given that penalties for violations can have a significant impact on the entire organization, it is essential to take measures to comply with the law.
Measures Japanese Companies Should Take for Data Security Law Compliance
The Data Security Law applies to all data processing within China, which means many Japanese companies must take action to comply. This section explains in detail the measures Japanese companies should implement in response to the Data Security Law.
Data Management
First, we will review data management. It is crucial to clarify what kind of data is being generated, accumulated, and deleted within your company and to understand the current data handling situation. Prior to taking necessary actions for each data classification, it is important to perform data mapping to check the classification of data, the status of data transfers outside of China, and the current data management measures.
Under the Chinese Data Security Law, specific protective measures are required for important and core data. Therefore, it may be necessary to redefine the confidentiality classifications of information according to these categories.
However, at this point, the security levels for each classification are unclear. Since these may be specified in the future, it is essential to monitor the catalogs published by the Chinese regulatory authorities. At the same time, it is advisable to establish security levels that take into account the classifications, including access control, authentication, communication security, and physical measures.
In addition, review your security policy and apply policies that align with the data classifications identified through data mapping.
Risk Assessment and Reporting
If data mapping reveals that your company handles important data, you must conduct a risk assessment for data processing and report the results to the authorities.
Since risk assessments must be conducted regularly, it is important to establish rules to ensure they can be carried out consistently.
Employee Education
In China, security-related regulations are being implemented one after another. Moreover, data management and risk assessment are not one-time tasks. Therefore, regular reviews and improvements are necessary, and educating employees to ensure these practices are embedded within the company is also required.
Not only the legal and general affairs departments but also the risk management department and others will be involved, so collaboration across departments is crucial. Although the law still has some ambiguities, there have been cases where penalties were applied for violations, making compliance with the Data Security Law indispensable.
Features of the Chinese Cybersecurity Triad
The term “Chinese Cybersecurity Triad” refers to the collective name for three laws enacted by China: the “Cybersecurity Law,” the “Data Security Law,” and the “Personal Information Protection Law.” The Cybersecurity Law aims to counter cyber-attacks, the Data Security Law focuses on data preservation, and the Personal Information Protection Law is designed to strengthen the security of personal information.
Related article: What is the Chinese Cybersecurity Law? Explaining the Key Points of Compliance[ja]
While each law has its differences, a common feature is that they all stipulate administrative penalties, civil damages, and criminal liabilities for violations. Furthermore, these laws apply not only to corporations but also to the individuals directly responsible. Violators may face prohibitions from engaging in the same business activities and could be listed in the country’s database of offenders.
Summary: Keep a Close Eye on China’s Data Regulations and Respond Swiftly
The Chinese Data Security Law is a legal framework that applies to data processing in China, setting out rules for data classification, grading protection, and risk assessment. Alongside the Cybersecurity Law, various other laws have been published, including the ‘Personal Information Protection Law’ and ‘Regulations on the Management of Security Vulnerabilities of Internet Products.’ Compliance with these laws is indispensable.
While there are still unclear aspects, such as the lack of specificity in the security levels for different classifications, there have been instances of fines imposed for violations. Therefore, it is essential to comply with the law. It is crucial to monitor China’s regulatory landscape and take the necessary actions as soon as possible.
If you are operating or planning to operate a business in China, we recommend consulting with a lawyer who is well-versed in Chinese law.
Guidance on Measures by Our Firm
Monolith Law Office is a law firm with extensive experience in both IT, particularly the internet, and legal matters. In recent years, global business has been expanding increasingly, and the need for legal checks by experts is growing more than ever. Our firm provides solutions for international legal affairs, including those related to China, the United States, and EU countries.
Areas of practice at Monolith Law Office: International Legal Affairs & Overseas Business[ja]