How does the “Data Security Law” build “four beams and eight pillars”?

On June 10, 2021, the 29th session of the Standing Committee of the 13th National People's Congress deliberated and passed, after its third reading, the "Data Security Law of the People's Republic of China" (hereinafter the "Data Security Law"). It officially takes effect on the 1st.

The law consists of seven chapters and 55 articles: general provisions, data security and development, the data security system, data security protection obligations, security and openness of government data, legal liability, and supplementary provisions. The "Data Security Law" coordinates development with security and, as a basic law, sets out the top-level design and the "four beams and eight pillars" of China's data security governance system, so that security safeguards development, supports the construction of a digital China, and helps China's digital economy compete internationally.

Adhere to the overall national security concept

Clarify the top-level design of the data security governance system

The "Data Security Law" adheres to the overall national security concept and establishes that China's data security governance follows a top-level design of centralized decision-making at the highest level combined with coordinated governance, in order to respond to national security risks in the non-traditional domain of data.

First, data security is a matter of national security. From the standpoint of national strategy, Article 5 of the law provides that the central national security leading body is responsible for decision-making and coordination of national data security work; for researching, formulating and guiding the implementation of the national data security strategy and related major guidelines and policies; for coordinating major matters and important tasks of national data security; and for establishing a national data security work coordination mechanism, thereby achieving decision-making at the highest level.

Second, data security risks have penetrated widely into every industry and field, and data security governance has both commonalities and differences across industries. Article 6 of the law expressly authorizes the competent authorities for industry, telecommunications, transportation, finance and other sectors to supervise data security within their own industries and fields. At the same time, Articles 21 and 22 provide that the national data security work coordination mechanism shall coordinate the formulation of important data catalogues and the acquisition, analysis, assessment and early warning of data security risk information by the various departments. This inter-departmental coordination mechanism ensures that major issues of data security governance are handled consistently, balances uniform cross-industry governance standards against the particularities of each industry, and avoids disputes over departmental interests that would damage national data security interests.

Third, data security and cybersecurity are closely related. The law continues the mandate of the "Cybersecurity Law" and makes clear that the national cyberspace administration is responsible for coordinating network data security and related supervision work, while public security organs and national security organs are responsible for data security supervision within their respective remits.

Adhere to the risk management path

Build a data security governance system with "four beams and eight pillars"

First, a data security supervision system is built around data classification and grading. Article 21 of the "Data Security Law" takes as its criteria "the importance of data in economic and social development" and "the degree of harm caused to national security, public interests, or the legitimate rights and interests of individuals and organizations once the data is tampered with, destroyed, leaked, or illegally obtained or used", and protects data by classification and grading on that basis. Important data is then managed through catalogues: the national data security work coordination mechanism coordinates the relevant departments in formulating catalogues of important data, and each region and department is authorized to determine the specific catalogue of important data for its own region, department, and related industries and fields. The data security protection obligations of processors of important data are strengthened, and important data receives heightened protection. In addition, during the third reading the concept of "national core data" was introduced for the first time, reserving an interface in the system for more detailed arrangements on such data in the future.

Second, the law sets out management requirements for risk assessment, monitoring and early warning, and emergency response, strengthening the prevention of and response to data security risks across the whole process. Article 22 provides that the state establishes mechanisms for data security risk assessment, reporting, information sharing, monitoring and early warning, covering pre-event risk assessment, reporting and information sharing as well as in-process monitoring and early warning. Article 23 provides that the state establishes a data security emergency response mechanism, so that data security incidents are handled promptly to prevent harm from spreading and to eliminate potential security risks. At the same time, data processors are required to perform corresponding obligations such as risk monitoring, data security incident reporting, and data security risk assessment.

Third, the law strengthens the data security protection obligations and responsibilities attached to all types of data processing activities. Chapter IV stipulates the data security protection obligations of the various categories of data processors. General data processors must establish and improve a whole-process data security management system, strengthen risk monitoring, and report data security incidents promptly; data processing activities must conform to social morality and ethics, and data must not be stolen or otherwise obtained illegally. Processors of important data are additionally obliged to designate a person in charge of data security and a management body, to conduct regular risk assessments of their data processing activities and report them to the competent authority, and to comply with the requirements for data export security management. Institutions providing data transaction intermediary services are obliged to verify the identities and data sources of both parties to a transaction and to keep records of the review and the transaction. Finally, the "Data Security Law" provides that data processing service providers must obtain administrative licences in accordance with the law, which gives a higher-level legal basis for future qualification-based market access supervision of data processing services.

Improve data export risk management

Respond to global data competition

First, the "Data Security Law" supplements and improves the requirements for data export management and strengthens risk control over the export of domestic data. Article 31 regulates the export of important data: on the one hand, important data collected and generated by operators of critical information infrastructure in their domestic operations continues to be governed by the data export security management requirements of Article 37 of the "Cybersecurity Law"; on the other hand, additional export security management is imposed on important data collected and generated by other data processors in their domestic operations, and the national cyberspace administration is authorized to formulate corresponding export security management measures together with the relevant departments of the State Council. In addition, Article 25 of the "Data Security Law" adds data export control, expressly applying export controls to "data that constitutes controlled items related to safeguarding national security and interests and fulfilling international obligations", thereby improving the framework of China's data export supervision system.

Second, the "Data Security Law" makes responsive provisions for the situation of global data competition. First, in response to the tendency of foreign legislation such as the EU's General Data Protection Regulation to claim extraterritorial effect and extend domestic legislative jurisdiction, Article 2 of the "Data Security Law" takes actual consequences as its standard and expressly provides that data processing activities outside China that "harm the national security, public interests, or the legitimate rights and interests of citizens and organizations of the People's Republic of China" shall be pursued for legal liability. Second, in response to recent foreign legislation such as the US "CLOUD Act", which authorizes domestic law enforcement agencies to retrieve data across borders and may infringe China's data sovereignty and threaten China's data security, Article 36 of the "Data Security Law" expressly provides that, without the approval of China's competent authorities, domestic organizations and individuals may not provide data stored within China to foreign judicial or law enforcement agencies. Third, in response to the unequal treatment that Chinese cybersecurity and informatization enterprises frequently face through national security reviews in other countries when expanding overseas, Article 24 of the "Data Security Law" provides that China establishes a data security review system for data processing activities that affect or may affect national security, and Article 26 provides that if any country or region adopts discriminatory prohibitions, restrictions or similar measures against China in investment, trade or other areas related to data and data development and utilization technologies, China may take reciprocal measures against that country or region according to the actual situation.

Accelerate the construction of supporting systems

Support the implementation of the "Data Security Law"

The entry into force of the "Data Security Law" is imminent. During implementation it is necessary both to speed up the rollout of the law's various systems and to resolve the issues of connection between those systems and the "Cybersecurity Law", the "Personal Information Protection Law" and other legislation.

On the one hand, the positioning of the "Data Security Law" as a basic law and its legislative style of "better coarse than fine" leave many of its provisions at the level of principle, so that implementation depends on refinement through supporting administrative regulations, departmental rules, and national standards. Although the law sets out requirements for classified and graded data protection, important data catalogue management, and important data export security management, the specific content of each system and detailed rules on how to implement it are lacking, which will inevitably affect how data processors of all kinds perform their data security protection obligations. Supporting administrative regulations and departmental rules should therefore be advanced as soon as possible to clarify the specific content and unified requirements of these systems, and national and industry standards should provide detailed guidance for corporate compliance.

On the other hand, many systems in the "Data Security Law" also urgently need their connection with the existing legal system clarified. Once the "Personal Information Protection Law" is promulgated, China will have three parallel laws, the "Cybersecurity Law", the "Data Security Law" and the "Personal Information Protection Law", with a degree of overlap among their systems. For example, the cybersecurity review under the "Cybersecurity Law" also covers the review of data risks in products or services; and since personal information is currently the main element of the data market, systems such as data security incident reporting and important data export management overlap with the personal information breach reporting and personal information export provisions of the "Personal Information Protection Law". The competent authorities therefore urgently need to clarify the applicable boundaries of these systems and establish an appropriate optimization mechanism, so as to avoid wasting regulatory resources and corporate compliance costs on overlapping systems.
