New Heights in Data Protection: What Companies Need to Know About China's Data Security Law

Summary:

|

• Some clauses in the DSL have extraterritorial effect and therefore apply to foreign companies.

|

• Processors of "important data" will face strict regulatory requirements.

|

• Multinational companies may face a legal compliance dilemma when there is a conflict between the rules in China and a foreign jurisdiction.

|

• Given that the DSL will take effect on Sept. 1, 2021, multinational companies should immediately take proactive actions to self-review and self-assess their data processing activities. 

|

• We anticipate implementing rules and industry standards to supplement the DSL.

Less than one year after the publication of the first draft of the PRC Data Security Law (the DSL) (中华人民共和国数据安全法) and after two rounds of revisions and public comments, on June 10, 2021, the Standing Committee of the National People's Congress of China passed the finalized law. As one of the highest-level laws governing data security and protection in China, the DSL, together with the Cybersecurity Law (网络安全法) that came into effect on June 1, 2017, form the legislative basis for data security protection in China.

The DSL takes effect on Sept. 1, 2021, leaving companies with a grace period of less than three months to conduct self-evaluation and self-correction. As summarized below, the DSL contains a number of core obligations on data security protection for entities engaged in data processing activities in China.