Five Important Takeaways From China's Draft Data Security Law
Regulated data markets, law enforcement access, and centrally defined data classes
Blog Post
Maksim Kabakou / shutterstock.com
July 9, 2020
This analysis is part of the DigiChina Project, a joint effort of the Stanford Cyber Policy Center and New America.
China’s National People’s Congress last week released a draft of a new Data Security Law (DSL) (translated by DigiChina) with a public comment period ending August 16. The law would become a centerpiece in a growing body of technical specifications and regulations that establish a regulatory framework for data related to national security and the public interest. A separate Personal Information Protection Law focusing on citizen privacy is also in the drafting process, but so far has not been released for public comment. If finalized and enacted, the pair of new laws will become China’s highest level set of rules for data governance since its Cybersecurity Law took effect in 2017.
While the language of the draft DSL is often vague and could take years of more specific implementing regulations to flesh out, the text as it stands contains significant signals about the government’s approach to issues that are the subject of intense domestic and international debate and discussion amidst the rapid development of China’s digital economy.
In this piece we lay out five important developments in the draft DSL: national-level data classification, the government’s data relationship with the private sector, data transaction markets, who governs data security, and China’s data relationship with the world.
I. National-Level Data Classification
Among the most significant developments in the draft DSL is the formation of a data classification system at the national level that would delineate different types of data for different treatment under various laws and regulations. The key provisions read:
Article 19: The State shall implement data protection for data at different grades and classifications, according to the degree of importance to economic and social development; and according to the impact on national security, the public interest, or the lawful rights and interests of citizens or organizations if it is falsified, destroyed, leaked or illegally acquired, or illegally used.|
Each region and department, according to relevant national provisions, shall determine a regional, departmental, and industrial important data protection catalog, and undertake special protections for that which is listed in the catalog.
In short, the central government would be tasked with establishing a risk-based scheme for classifying data types, while local governments and functional agencies would lay out the specific extent of “important data”—a central concept in the Cybersecurity Law’s data governance regime, but one still not clearly defined.
This type of classification by the central government would represent a change from prior practice. In a recent essay, Hong Yanqing (a leading cyberspace law scholar who has helped shape China’s data governance system), wrote that data classification is not new in China’s regulatory regime, but the draft law marks a shift away from what he describes as “bottom-up” classification, in which organizations classify their own data assets based on security risks and potential harms stemming from breaches or misuse.
Hong deems the prior bottom-up pattern of data classification inadequate in two ways. First, it may not take into account the negative impact data incidents have for individuals and society beyond the costs to business operations. Second, it creates firm-level differences in data classification, causing difficulties for regulators who oversee a myriad of organizations. For example, a state-owned enterprise in a strategically important center might naturally regard its human resources data as a single category of data within the firm. In the new top-down data classification system under the draft DSL, however, this kind of data might be simultaneously regulated under multiple regimes handling different classes of data (e.g. personal information, trade secrets, and important data).
When it comes to defining “important data,” local and functional authorities would not be on their own. A national standard is already under development. China made its first foray into defining important data in 2017: The appendix of the Data Outbound Transfer Security Assessment Guideline laid out 27 categories of important data, but practitioners and scholars have commented that the categories remain vague, revealing the persistence of debate over the category within China.
A forthcoming “important data” standard led by Zuo Xiaodong (an influential cybersecurity expert and vice president of the China Information Security Research Institute), will aim to define what constitutes important data at a more granular level. In a speech he delivered on June 2, entitled “Research Progress on Identifying Important Data,” Zuo offered snapshots of the unpublished standard, which included items like “national strategic food storage data” and laid out a framework based on potential damage to national security and the public interest, threat vectors, responsible ministries, and where a given kind of data exists. When the standard comes out, it would likely serve as a reference point for provincial and industry data security measures required under Article 19 of the draft DSL.
In short, data classification presents a complex regulatory tangle that the government has yet to fully resolve, even as authorities seek to move forward in applying different obligations across information systems. The final configuration of the data classification system matters in part because it will determine the areas in which data controllers do and do not have leeway. It also has implications for interoperability with other regulatory regimes across the global digital economy, which could classify data types in parallel or starkly different ways.
II. The Government’s Relationship With the Private Sector
The draft law outlines the high-level principles of a procedure to be followed when national security or law enforcement authorities seek data from private data holders:
Article 32: Where public security departments and national departments need to consult data in order to lawfully safeguard national security or investigate a crime, they shall, according to relevant State regulations, undergo strict approval procedures and proceed according to the law; relevant organizations and individuals shall grant cooperation.
Here, the draft DSL seeks to define a lawful path to specify how the state (e.g., the Ministry of State Security, the Ministry of Public Security, etc.) lawfully may access data from private sector platforms. This move could mark a step toward limiting the broad scope of China’s National Intelligence Law, for example, which in Article 14 states that organizations and citizens must support state intelligence work without providing any guardrails for what this obligation may entail.
Whether this provision of the draft DSL effectively installs barriers to unconstrained government access to privately held data, however, depends on answers to several questions: What specifically would be the relevant regulations and procedures for accessing private data? What oversight mechanisms and pathways for contestation are possible, beyond the kind of negotiations that take place with companies out of view? And, as always, to what extent can written legal procedures be expected to constrain national security authorities in their demands and data holders in their voluntary or coerced compliance?
The draft law separately would result in several new compliance requirements for private companies, both domestic and Chinese, related to conducting security risk assessments. Article 28 would require new risk reports covering “the categories and quantities of important data controlled by said organization; how data is collected, stored, processed, and used; the data security risks faced and countermeasures.” Not only would the draft law create new government authorities, but it would require firms to do their part in enacting the new regime.
III. Data Transaction Markets
The draft DSL makes explicit that security and development must be balanced in China’s cyberspace governance system. This is the focus of an entire chapter of the law (Chapter 2), which emphasizes that national security objectives do not mean sacrificing the opportunity to use data to fuel innovation and the digital economy. A manifestation of this approach, the DSL would be the first national law that recognizes and even calls for the establishment of data transaction markets (数据交易市场). The draft offers no details, but the mere recognition of the idea of a data transaction market grants legitimacy to the concept of a trade in data resources. The development of a data classification system could also help establish what data can be legally traded by whom. Unregulated or illegal data brokers have long been a prominent data security risk factor in China, and a regulated data market system might help control that risk.
The draft’s language data markets echoes a recent State Council opinion document that designates data as the fifth factor of production—after land, labor, capital, and technology—and it also reflects ongoing discussions in China about establishing industry databases to pool data from firms. Chinese policymakers are following international economic research on the value of data sharing and the productivity gains from allocation of data resources, and many do not want China’s vast trove of data to sit idle.
The draft law’s recognition of the economic interests as well as security interests in data governance suggests that the most conservative security-focused interpretations could be balanced against commercial interests, producing both uncertainty and flexibility down the line.
IV. Who Governs Data Security?
The draft DSL addresses longstanding interagency turf battles by attempting to delineate roles among sector-specific regulators, especially the Ministry of Public Security (MPS) and the Cyberspace Administration of China (CAC):
Article 7: All localities and all departments [i.e. local authorities and sectoral regulators] bear primary responsibility for the data created, collected, or processed through the work of that locality or department as well as for data security. Supervising bodies are responsible for the supervision of data security in trades or sectors such as: industry; telecommunications; natural resources; hygiene and health; education; national defense science, technology, and industry; finance; etc.
Public security bodies and national security bodies [i.e. the MPS, the Ministry of State Security, etc.] are, according to the provisions of this Law and relevant laws and administrative regulations, responsible for the supervision of data security within their respective scope of duties.
The national cybersecurity and informatization department [i.e., the CAC] is, according to the provisions of this Law and relevant laws and administrative regulations, responsible for the comprehensive coordination of online data security and related supervision work.
There are not a lot of details on the issue, but the CAC (formally the administrative office of the Central Cybersecurity and Informatization Commission, which is chaired by Xi Jinping) is assigned a policy coordination role in the draft, reinforcing its authority as an interagency tie-breaker and a battleground, as well as a turf war combatant in its own right. The MPS has been responsible for criminal investigations of data breaches and is likely to continue in this capacity. Sector-specific regulators largely focus on day-to-day oversight and matters specific to their field. But remaining overlaps could still lead to conflicts, especially if the MPS takes a more hardline security approach in contrast to more commercially oriented regulators, for instance the financial sector power center at the People’s Bank of China.
Overlapping jurisdiction on data protection also runs the risk of creating multiple, redundant security review regimes without identifying who is in charge. Article 22 would introduce a new security review (the “data security review system”) without specifying the lead regulator. This system would join the existing cybersecurity review for products and services used by “critical information infrastructure” (led by the CAC) and the Multi-Layer Protection Scheme certification system (led by MPS). Since the law offers no details about this new review system, other than vaguely stating that “the State will establish” it, either CAC or MPS or both could be in charge, adding a new dimension to their existing conflict.
V. China’s Data Relationship With the World
Several parts of the law focus on China’s data relationship with foreign governments and foreign companies. Control over data has become a geopolitical flashpoint in recent years, not just in the U.S.-China technology relationship but also across nations large and small, including major developments in Europe, India, and elsewhere.
A set of rules in the draft DSL would shape the reach of Chinese jurisdiction around the world, the way cross-border data transfers are scrutinized in the context of export controls, how data-related trade and investment discrimination is handled, and procedures for foreign law enforcement to gain access to data in China.
We discuss these elements of the draft in turn:
Data activities outside China
Article 2: Where organizations or individuals outside of the mainland territory of the People’s Republic of China engage in data activities that harm the national security, the public interest, or the lawful interests of citizens or organizations of the People’s Republic of China, legal liability will be investigated according to the law.
For outside observers, Article 2 is one of the most concerning parts of the draft DSL, because it would extend legal liability beyond the territory of mainland China—including Hong Kong, for instance, or anywhere else in the world. The language is vast, covering any “data activity” that harms Chinese national security and interests anywhere in the world. As with all Chinese law, this broad language could be weaponized as a political tool, but it could just as easily be a defensive mechanism that lays dormant.
Export controls on data
Article 23: The State implements export controls according to law on data belonging to controlled categories to carry out international duties and safeguard national security.
Applying export controls to data follows the logic of classifying data types based on their risk to national security and interests, which implicitly acknowledges the power embodied in access to or control of data. It also could add a layer of legal considerations for those who wish to transfer data out of China.
Codifying reciprocity on ‘discriminatory’ barriers to doing business
Article 24: For any country or region that adopts discriminatory prohibitions, limitations or other such measures toward the People’s Republic of China with respect to investment or trade related to data, data development and use, or technology, the People’s Republic of China may, according to the actual circumstances, adopt corresponding measures toward that country or region.
By explicitly establishing legal grounds for retaliation in investment and trade related to data, the draft DSL would give officials the power to respond in the name of reciprocity if, for instance, the Committee on Foreign Investment in the United States (CFIUS) were to halt an acquisition over the data access it entails, or in a variety of other scenarios where foreign governments might enact restrictions based on data issues related to China. This provision appears in part to target the expansion of CFIUS to review transactions involving sensitive U.S. data, and it would also have implications given reports that the U.S. government is seeking to restrict the business of companies like TikTok or the Chinese drone-maker DJI based on data security risks.
Circumscribing foreign law enforcement access to data
Article 33: Where foreign law enforcement bodies need to consult data stored within the mainland territory of the People’s Republic of China, relevant organizations and individuals shall report the matter to the relevant competent department, and may only provide it after having obtained permission. Where the People’s Republic of China has concluded or joined an international treaty or agreement with provisions on foreign law enforcement bodies consulting domestic data, those provisions shall be followed.
Hong Yanqing, whose essay on the draft data classification regime is discussed above, has separately written about U.S. and European Union regimes and how they handle “security, control, and access” across borders. If enacted, the DSL would join the likes of the U.S. CLOUD Act and the EU’s E-Evidence framework in a thickening tangle of cross-border law enforcement data access rules.
Conclusion
In many ways, the draft DSL is continuous with trends in Chinese cyberspace regulation dating to the 2014 establishment of the CAC and up through the build-out of the Cybersecurity Law regime following its implementation in 2017. A nominally risk-based approach to data security is also continuous with efforts to build out the personal information security regulatory system and the forthcoming Personal Information Protection Law.
The context for the new draft, however, casts some of its provisions in a different light. The draft was released within days of a separate new “national security” law for Hong Kong that was pushed through by the central government in Beijing and has prompted enormous international opposition. Amongst other pressing matters for the future of Hong Kong, that law also seriously calls into question the city’s relatively separate status in terms of data governance. Meanwhile, closer to the heart of the draft DSL’s content, great uncertainty remains in U.S.-China bilateral disputes over market access and security around products or services from companies like Huawei or TikTok. This context will doubtless shape both advocacy about the law as it undergoes comment and revision, as well as how the law’s internationally relevant provisions are used if finally enacted.