China’s latest draft Data Security Law suggests that the coming law is unlikely to answer many of the most pressing questions facing the domestic and foreign tech industries. Rather than providing specific security requirements for the collection and transfer of data, the draft lays out only a loose framework for the regulation of ‘data activities’ at the broadest level.
Chinese laws are often written at a high level of abstraction, relying on lower-level authority, interpretations, and agency implementation rules to refine general principles into workable mechanisms, but this draft law reads as if it is not intended to become a stand-alone operational law at all. It is more of a planning document, delegating responsibility and authorizing further rule-making, and that general structure is unlikely to change in the finalized law.
The content of the draft is laid out in the chart below, but a few things are worth noting:
- Article 4 provides for ‘an overall national security perspective’ in preserving data security. This means that while the draft calls for equal emphasis on data security and data use, both of these are to be viewed through the lens of potential security impact.
- Although the scope is more limited as suggested in the titles of the authorizing regulations, the public security organs already have broad powers for internet security reviews, laid out in detail in the “Provisions on Public Security Organs’ Internet Security Oversight and Inspections”, and the CAC has authority for national security reviews under the “Measures for the National Security Review of Network Products and Services (Provisional)”.
- Article 24 anticipates retaliatory measures against those discriminating against or restricting Chinese entities, authorizing tit-for-tat attacks on foreign products and services.
- Article 32 restricts public security organs and state security organs’ collection of data by requiring ‘strict approval formalities’. This language is taken from the “technological investigation measures” section of the Criminal Procedure Law and the related article 12 of the Counter-Espionage Law (formerly the National Security Law), provisions that require ‘strict approval formalities’ for techniques such as wiretaps and electronic surveillance and generally require that the measures be for a limited time and aimed at specific targets. The use of the language here may mean that data collection is being designated a ‘technical investigation’, but given that the ‘data’ here is defined as any recorded information, this seems a bit extreme.
- Upcoming revisions of the criminal code expand protections against violations of ‘commercial secrets’, including increased punishments, a broader definition, and express mention of electronic trespass as a means of infringement.
- Chapter V’s provisions on government affairs data disclosures seem out of place in a law generally concerned with protecting information. China has an existing regulation (a lower level of authority) on disclosure of government information, and it is probably adequate to say that nothing in this Law should impact existing disclosure obligations.