China bolsters regulatory oversight with new data security law

China’s National People’s Congress (NPC) has passed its first data security law aimed at strengthening the government’s hand over the data produced and stored in the country.

According to Regulation Asia, companies that provide data to foreign judicial or law enforcement agencies without approval can have their business licenses revoked and also be penalised up to CNY 5 million.

The law – which will come into effect from 1 September 2021 – will allow the government to enforce strict penalties for unauthorised transfers of data overseas amongst other wrongdoings.

Companies that are found to transfer ‘core data’ overseas without receiving government approval will be liable to penalties of between CNY 2 and 10 million and could even be ordered to close operations. The law defines core data as any data that concerns national or economic security or people’s livelihoods and major public interests.

Furthermore, businesses that transfer ‘important data’ overseas without approval can face penalties of between CNY 100,000 and 1 million, with the cap raised to CNY 10 million for more serious offences.

The data security law has also called for the establishment of a National Data Security Work Coordination Mechanism, which will be focused on coordinating various agencies to issue catalogues of what constitutes ‘important data’.

China will handle requests by foreign judicial or law enforcement organs for the provision of data in line with international treaties or agreements in which such country participates.

Companies will also be required to strengthen their data protection practices, with firms that fail to do so and end up facing large-scale data leaks potentially incurring fines of up to CNY 2 million. Those found responsible for the leaks can be fined up to CNY 200,000.

The law will additionally require businesses to cooperate with authorities when they ask to inspect their data for national security or criminal investigation purposes. These requests will be subject to ‘strict examination and approval’ according to the law.

Regulation Asia highlighted that an aim of the law is to shield domestically stored data from the ‘long arm’ of US jurisdiction. This followed the 2018 enactment of the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) which allows US law enforcement agencies to demand access to online information regardless of where the data is stored.

Copyright © 2021 RegTech Analyst
