The proposed Data Security Law has a broad jurisdictional scope and will expand the PRC’s regulatory framework for information and data.

By Hui Xu, Gail E. Crawford, Jennifer C. Archie, Kieran Donovan, and Aster Y. Lin

On July 3, 2020, the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) issued the draft Data Security Law (DSL) for public comment. Once finalized, the DSL, together with the PRC Network Security Law and the proposed PRC Personal Information Protection Law, will form an increasingly comprehensive legal framework for information and data security. Key developments to note in the DSL include:

  • Extends the territories, subjects, and objects of data regulation beyond the PRC Network Security Law and related regulations and national standards.  In particular, the DSL provides broader extraterritorial jurisdiction than the current legal framework. The territorial scope of the Data Security Law will extend beyond the PRC and will apply to both: (1) any data activities conducted within the territory of the PRC, and (2) any data activities conducted outside of the PRC that may “harm the national security or public interests of the PRC, or the legitimate rights of Chinese individuals or entities.”
  • Introduces a set of general data protection systems to ensure data security and to promote the orderly flow of data, such as a class-based data protection system. Consistent with the PRC Network Security Law, the DSL proposes to classify and protect data based on the importance of data to the state’s economic development and the harmfulness to the state’s national security, public interests, or the legitimate rights of individuals and entities if data is tampered, destroyed, disclosed, or illegally obtained. Using the class-based system as a guide, the DSL emphasizes the protection of important data. In particular, the DSL empowers regional and industrial authorities to formulate specific catalogs on important data and requires the protection of important data listed in such catalogs. Processors of important data also need to comply with additional requirements for the protection of important data.
  • Imposes a set of obligations on entities and individuals who carry out data activities. For instance, the DSL requires: (1) online data processing operators to obtain business permits or complete filings for their business operations, and (2) data transaction intermediaries to request data providers to explain the sources of data, verify the identities of the parties, and retain verification and transaction records.

Read more on China’s Draft Data Security Law.

This Client Alert relates to legal developments in the People’s Republic of China (PRC), in which Latham & Watkins (as a foreign law firm) is not licensed to practise. The information contained in this publication is not, and should not be construed as, legal advice, in relation to the PRC or any other jurisdiction.