As China’s legislature contemplates a sweeping legal framework to overhaul the patchwork governance of China’s data sector, Chinese data security experts criticized a draft as lacking in specific details. The draft Data Security Law was opened for review by the National People’s Congress Standing Committee on July 3.

Why it matters: The draft data security law, which will be finalized by the NPC this year, is an attempt to correct years of weak regulation from a patchwork of previous laws. It tightens regulations for accessing and sharing data, creates new management responsibilities for data entities on the mainland, and promotes the use of government data—issues that earlier legislation failed to address.

  • Entities which require access to Chinese user data will need to comply with strict new data security requirements, such as establishing managing bodies and completing regular risk assessments, or risk hefty fines up to RMB 1 million.

The data security law is a foundational law that will have a major impact on China’s data security, especially in the areas of data security management, cross-border data transfer, and retaliation against discriminatory measures towards China.

— Ma Jun, Ningren Law 

Details: The new draft law signals that protecting the troves of information collected from the country’s bet on big data is a central priority for the government.

  • The draft law reaches further in scope, allowing China to take legal action against those seeking to harm the country’s national security and interests. 
  • It also promises “corresponding measures” against countries that limit data flows and technology investment into China.
  • Individual regions and departments are required to classify what counts as “important data” based on economic development, national security, and public interests. 
  • Backed by big data, provincial-level or higher level government agencies will need to create “digital economy development plans.”
  • Military data, state secrets, and personal information will be governed by separate regulations.

Data is the basic resource for building a digital economy. The value of data lies in its free flow, development, and utilization, and the premise of all this is the guarantee of data security.

— Qi Aimin, Chongqing University School of Law 

Needs work: At a July 5 online conference (in Chinese) hosted by the China Institution of Communications, experts pointed out gaps in the law. “At present, the specific provisions of the consultation draft do not well reflect the diversified legislative objectives,” Vice Chancellor Shi Jianzhong from the China University of Political Science and Law said during the webinar.

“The data security law covers all aspects of data protection, but there are still deficiencies,” Li Guangqian, a researcher for the Development Research Center of the State Council, said during the conference. “In terms of protecting industry data, each kind of industry data has its special characteristics, so their security requirements are also very different.”

Li also brought up concerns about the terminology differences between “data” and “information”: Article 3 of the draft law defines data as “any record of information in electronic or non-electronic form,” conflating the two terms and potentially causing difficulties for lawyers trying to interpret this article in the future.  

Overall, the data security law is simply not specific enough to put lawyers’ minds at ease. “The provisions of the security system, clauses about obligation, and responsibility commitments need to be further refined to improve practicality,” Ma told TechNode. 

Closing the loopholes: Over the past few years, China’s data industry was managed by multiple regulations instead of a single, comprehensive law to guide the sector. These laws only regulated small portions of the industry, leaving questions unanswered and loopholes wide open.

  • The 2017 cybersecurity law mandated that users provide real-name information and required networks to store Chinese data on mainland servers. 
  • The Personal Information Security Specification took effect in May 2018 and was revised in January 2019. It specifically targets management of personal data such as real names and addresses, identification numbers, communication records, among others.
  • China’s civil code, which will come into force in 2021, guarantees individuals the right to privacy of personal information, but avoided clarifying how that was to be protected or regulated. 
  • The data security law is built upon these three regulations, and experts are concerned about how lawyers will handle this overlap.
  • The Personal Information Protection Law (in Chinese) is currently still in deliberation by the NPC. It will establish regulation and legal mechanisms for protecting individuals’ personal information. The text of the draft has not yet been released. 

Qi told TechNode that portions of the data security law dealing with personal information should instead be solely under the purview of the Personal Information Protection Law. “Otherwise, after the launch of the Personal Information Protection Law, it will cause confusion in the legislative system and the application of relevant laws relating to judicial practice,” he said. 

The civil code highlights the importance of Chinese data privacy, but Ma was pleased that the new legislation will go further in regulating the data industry itself. “The Data Security Law more clearly stipulates the principle of equal emphasis on the development of the data industry and the maintenance of data security,” he told TechNode.