China’s top legislature on Thursday passed a comprehensive data security law that stipulates how data is used, collected, protected, and developed in China. The law will affect a broad range of industries, including tech, telecommunication, transportation, finance, health, and education.

Why it matters: China is moving from one of the world’s least regulated data environments to one of its most. In the past year, China has drafted several laws to regulate tech firms’ collection and use of personal data and limit anti-competitive practices.

  • The law also creates a legal basis for the state to request data held by China’s powerful tech companies.

Details: The Data Security Law of China focuses on data that is high-level and crucial to national security, calling it “core state data,” according to a full text of the law published by state news agency Xinhua (in Chinese).

  • Formulating the Data Security Law is “a necessity” to safeguard national security, Xinhua wrote in a commentary (in Chinese) on Friday. “Data is a basic strategic resource of a nation. Without data security, there is no national security,” it wrote.
  • The law directs central and local governments to oversee “core state data,” a category that includes data held by private firms. If companies are found to have mishandled such data, they can face fines between RMB 2 million ($313,200) and RMB 10 million or be ordered to shut down. 
  • The law also directs the central government to define a category of “important data.” Companies found sending “important data” to entities overseas can be fined between RMB 100,000 and RMB 10 million, or have their business licenses revoked.
  • Companies are required to “cooperate” when authorities ask to inspect their data for “national security or criminal investigation” purposes. Those data inspection requests are subject to “strict examination and approval,” the law said.
  • The law prohibits Chinese companies and individuals from providing data stored onshore to overseas judicial bodies or law enforcement agencies without Chinese government approvals.
  • The law takes effect on Sept 1.

Context: The new data security law is a step forward in China’s push to keep important data within its borders. The 2017 Cybersecurity Law requires firms to store data collected in China locally.

  • Last October, the nation proposed a draft of the Personal Information Protection Law, which resembles the European Union’s General Data Protection Regulation (GDPR). The GDPR is a respected example for such regulation worldwide. In January 2020, China proposed an overhaul of its Anti-Monopoly law to rein in an increasingly powerful tech sector.

Wei Sheng

Wei Sheng is a Beijing-based reporter covering hardware, smartphone, and telecommunications, along with regulations and policies related to the China tech scene. He writes a monthly newsletter tracking...