China passes new Data Privacy and Security laws

China’s data protection laws are in a period of change, and there has been significant progress in data protection and data privacy legislation this year. Here are two of the recent laws, both of which focus on those who handle data with national security and/or privacy implications.

1. Data Security Law (DSL)

The National People’s Congress, China’s top legislative authority, recently passed the People’s Republic of China Data Security Law (DSL), which will come into force on 1 September 2021. It is the first comprehensive data security legislation in China.

The DSL aims to regulate a wide range of issues in relation to the collection, storage, processing, use, provision, transaction and publication of any kind of data, and becomes a key supplement to the PRC Cybersecurity Law which has been effective since 1 June 2017.

The most significant element of the law is the data classification system whereby the government will classify different types of data based on its level of importance and then publish a protection/security standard for each class of data. DSL also sets out certain general security obligations for data processors at large.

In addition to activities conducted within China, the DSL will also apply to and regulate any data processing activities outside China if those activities would be detrimental to the national security or public interest of China or to the lawful rights and interests of any Chinese citizen or organisation. This includes companies holding a large volume of personal data, operators of critical infrastructure, and critical industries such as finance, medicine and key technologies.

In short, the enactment of the new DSL will create more challenges for companies that have a global business presence and are subject to data security requirements in multiple jurisdictions. While waiting for further implementation rules, we recommend that each company with data originating from China evaluate the types of data it processes in order to determine which level of requirements applies.

2. Personal Information Protection Law (PIPL)

The Personal Information Protection Law calls for companies to get users’ consent before collecting personal data and has rules for how companies should ensure that users’ data is protected when it is transferred outside of China. Companies that handle personal information must have a designated person tasked with overseeing its protection and must conduct regular audits to be sure they are complying with the law.

This law also requires that there be a “clear and reasonable purpose” for handling personal information, and that organisations limit themselves to the “minimum scope necessary to achieve the goals of handling” data. PIPL applies to all companies that work with Chinese citizens, whether foreign or domestic.

PIPL resembles the European Union’s General Data Protection Regulation (GDPR) in many ways. However, it differs in one major aspect, which is that Chinese authorities are expected to maintain their access to people’s personal information.

The Personal Information Protection Law and the Data Security Law together mark two major regulations set to govern China’s internet in the future.

Should you have any concerns regarding the data collection and management systems in your company, please do not hesitate to contact our team at contact@orbis-alliance.com.