Abstract
On 10 June 2021, the Data Security Law of the People’s Republic of China (hereinafter the “DSL”) was adopted at the 29th session of the Standing Committee of the 13th National People’s Congress, effective as of 1 September 2021. The DSL is the fundamental law in the data security sphere and, together with the Cybersecurity Law (hereinafter the “CSL”) and the Personal Information Protection Law (hereinafter the “PIPL”), outlines the data regulatory framework in China. The DSL contains seven chapters and 55 articles that broadly cover data security mechanisms, obligations and liabilities at both the State administration and data handler levels. This article analyzes the key contents of the DSL, together with the intensively promulgated supplemental laws and regulations, to provide a comprehensive grasp of data security supervision in China. Specifically, section one explains the basic concepts of the DSL, section two highlights the key data security protection mechanisms, such as Important Data protection and cross-border data transfer, and section three summarizes the main compliance obligations for companies to effectively put the laws into action.
Notes
Data Security Law of the People’s Republic of China, Article 2.
Data Security Law of the People’s Republic of China, Article 5, Article 6.
Data Security Law of the People’s Republic of China, Article 21.
JR/T 0158—2018, published by the China Securities Regulation Commission (“CSRC”), effective as of 27 September 2018.
JR/T 0197—2020, published by the People’s Bank of China, effective as of 23 September 2020.
For the purpose of the Provision, Important Data refers to data that may endanger national security, public interests or the legitimate rights and interests of individuals or organizations once tampered with, damaged, leaked, illegally obtained or illegally used, including: (a) geographic information, passenger flow, vehicle flow and other data of important sensitive areas such as military administrative zones, entities of science, technology and industry for national defense, and CPC and government organs at the county level or above; (b) data reflecting economic operations such as vehicle flow, logistics, etc.; (c) operational data of the automobile charging network; (d) video and image data from outside the vehicle that contain face information, license plate information, etc.; (e) personal information involving more than 100,000 personal information subjects; (f) other data that may endanger national security, public interests or the legitimate rights and interests of individuals or organizations as determined by the relevant authorities including the CAC, NDRC, MIIT, MPS and the Ministry of Transport.
Data Security Law of the People’s Republic of China, Article 27.
Data Security Law of the People’s Republic of China, Article 30.
Data Security Law of the People’s Republic of China, Article 31.
Data Security Law of the People’s Republic of China, Article 45, Article 46.
Data Security Law of the People’s Republic of China, Article 11.
Several Provisions on Automotive Data Security Management (for Trial Implementation), Article 3: automotive data processors refer to organizations carrying out automotive data handling activities, including automobile manufacturers, parts and software suppliers, distributors, maintenance agencies and travel service providers, etc.
Data Security Law of the People’s Republic of China, Article 3: for the purpose of this law, the term “data” refers to any recording of information by electronic or other means.
Personal Information Protection Law of the People’s Republic of China, Article 39, Article 55. As regards obtaining separate consent for the cross-border transfer of PI, one current interpretation is that separate consent is only required where such handling is conducted on the basis of consent, as Art. 13 para. 2 specifies that where other legal bases suffice, consent is not required. Another interpretation is that the separate consent requirement here prevails over other legal bases. Further clarification may need to be provided.
Security Protection Regulations for Critical Information Infrastructure, Article 2.
Security Protection Regulations for Critical Information Infrastructure, Article 9.
Data Security Law of the People’s Republic of China, Article 25.
Export Control Law of the People’s Republic of China, Article 2.
Data Security Law of the People’s Republic of China, Article 24.
Cybersecurity Review Measures (Draft Revision for Comment) Article 2, Article 6.
Cybersecurity Review Measures (Draft Revision for Comment) Article 10.
Data Security Law of the People’s Republic of China, Article 48.
Data Security Law of the People’s Republic of China, Article 26.
Data Security Law of the People’s Republic of China, Article 22, Article 23.
Data Security Law of the People’s Republic of China, Article 19, Article 51.
Data Security Law of the People’s Republic of China, Article 3.
Data Security Law of the People’s Republic of China, Article 28.
Data Security Law of the People’s Republic of China, Article 32.
Data Security Law of the People’s Republic of China, Article 32.
Data Security Law of the People’s Republic of China, Article 27.
Data Security Law of the People’s Republic of China, Article 27.
Data Security Law of the People’s Republic of China, Article 30.
Data Security Law of the People’s Republic of China, Article 29.
Data Security Law of the People’s Republic of China, Article 35.
Data Security Law of the People’s Republic of China, Article 36.
Data Security Law of the People’s Republic of China, Article 34.
Data Security Law of the People’s Republic of China, Article 33.
Cite this article
Chen, J., Sun, J. Understanding the Chinese Data Security Law. Int. Cybersecur. Law Rev. 2, 209–221 (2021). https://doi.org/10.1365/s43439-021-00038-3
DOI: https://doi.org/10.1365/s43439-021-00038-3