Data Security Law
China passed the new Data Security Law (DSL) in June 2021. The aim of the law, which comes into force on September 1, 2021, is to protect data in China and regulate cross-border data traffic. DSL is primarily about promoting the data infrastructure and the innovative use of data by industry. Cyber security and data protection are the foundations for a functioning digital economy.
With the Data Security Law (DSL), the regulatory pressure on all companies operating in China continues to increase. The regulatory system for data protection and cyber security also applies to companies and persons outside of China when they are involved in China-related data activities. These affect the national security, the public interest, or other legal interests of Chinese citizens or organizations.
Your Partner for DSL Compliance in China
With its experts, CHINABRAND supports German and European companies in implementing the regulations of the Data Security Law in China:
- Help in drafting contracts with the recipient of data.
- Support in setting up a data security management system.
- Gap analysis and remedy plan if optimization is required.
- Coordination of the mandatory risk assessment of data sets before transferring them abroad.
- Communication with the authorities responsible for processes and permits.
- Coordination of the security review and approvals by the cyberspace authority for personal data.
- Coordination of regular reporting to the authorities.
Time To Act
The multitude of new Chinese laws is often challenging, unmanageable, and non-transparent for foreign companies, which often leads to uncertainty in the implementation in practice. Companies should review their data management and data protection measures before the law comes into force in order to be prepared for DSL and related new regulations.
"Since the beginning of 2021, the Chinabrand team has been providing us with comprehensive and trustworthy support in matters of cybersecurity law. During the requirements analysis project, we received support and input at all times from dedicated employees who also have a high level of expertise. The results were extremely confident and goal-oriented."
A client wanted to analyze the obligations its Chinese subsidiary had to face in the areas of cyber security and data protection. This analysis was required to be able to make far-reaching decisions in the development of corporate IT. We were able to assist the company with an analysis of the current legal situation by specialized Chinese lawyers and with strategic advice.
The global use of standardized computer programs is essential for many international companies. With the rollout of western software to China, not only the specific legal requirements of cyber security and data protection are relevant, but also the behavioral patterns of Chinese employees - for example the circumvention of company applications through WeChat. CHINABRAND was able to support German companies in using their software in China. Solutions were found that meet the legal and technical requirements.
Overview of Data Protection and Cyber Security in China
Cyber Security Law: Implementation of MLPS
The MLPS 2.0 represents the technical and organizational basis of data security and data protection. All companies in China are obliged to implement the MLPS - regardless of the type of data processed and the information systems used.
Data Security Law: Data Classification
The data classification system is a dominant topic in DSL. In addition to the usual data, the DSL provides "important data" and "national core data" as special data categories. Stricter regulations and stricter security measures apply to these particular categories. The DSL does not specify the "important data." Their determination largely depends on a catalog drawn up by each region and industry. We recommend paying attention to notifications from the authorities of your location and your industry.
Protection of Personal Information
Companies collect a lot of customer information in their business operations, including detailed personal information such as names, addresses, and contact details. The CSL and some ordinances already contain basic data protection regulations. The law for the protection of personal data (PIPL) is intended to further specify these regulations about personal data and is expected to come into force this year.
Data Security Training
According to both the CSL and the DSL, companies must take appropriate measures to protect their data. We, therefore, recommend that employees hold regular internal training courses on cyber security and data security.
Data Export Controls and Cross-border Data Traffic
In connection with the Export Control Act, the DSL further clarifies that the export of data, for example, technical data, falls within the scope of the Export Control Ordinance. In this case, your company may need to apply for an export permit. The law also emphasizes the requirements for cross-border data transfer for operators of critical infrastructures (CIIOs). Current regulations related to DSL indicate that restrictions on cross-border traffic may soon apply to all businesses.
Recommendations for Action
We recommend that all companies based in China and those who do business in China to tackle the issues of cyber security and data protection at short notice and quickly implement the protective measures required by law. The Chinese government has now stepped up its cyber security and privacy surveillance and is urging all companies to meet their commitments. Our experience in current projects shows that the authorities even check the implementation through unannounced penetration tests.