After two rounds of public comments, the Data Security Law (DSL) of the People’s Republic of China was formally issued on June 10, 2021. The DSL, effective September 1, 2021, establishes a series of principles and policies designed to ensure the protected and effective use of data. It governs both data activities conducted in China, and data activities conducted outside of China, that may risk China’s national security or public interest.

The DSL governs, the following matters, among others: data security obligations such as establishing a data security management system, performing data security training, and implementing technical measures to ensure data security and prevent breaches; cross-border data transfers, which are regulated by the Cyberspace Administration of China; and permits for data processing services, required for certain types of data processing (which are yet to be defined).

The law established a data protection policy based on a hierarchical classification and categorization of data. Similar to “Special Categories of Personal Data” in the GDPR, data classified as “important data” will be covered by broader protection and subject to stricter regulation. The “important data catalog” is not defined in the DSL. Each state region and governmental department must establish its own catalog and enforce it under its jurisdiction.

Although the DSL provides a wide variety of principles and policies, its impact remains unclear, since it lacks practical rules. A series of implementing rules is expected to be introduced by the Chinese legislature in the near future.

CLICK HERE to read an unofficial English translation of the new China Data Security Law.