China’s Data Security Law was officially passed on June 10 and will take effect on September 1. This is a basic law on data security, outlining the Chinese Government’s fundamental ideas on data security and supervision.
In the age of big data, countries around the world are paying increasing attention to the protection of data sovereignty and security. So far a lot of countries and regions have enacted laws on data security. The European Union (EU) implemented the General Data Protection Regulation in May 2018, and countries like the United States, Japan and Singapore, too, have issued their own laws and regulations on data and private information protection.
As a pioneer in global data development, China has promulgated its own data security laws in a bid to standardize this industry and ensure its security.
Legally speaking of ‘data’
Following the booming of the Internet and its relevant applications, the term “data” is frequently thrown around in all of modern daily life. But what exactly are data? And what kind of data will gather under the umbrella of the Data Security Law? There was no explicit legal definition of the term available before the passing of the Data Security Law, and its absence will inevitably cause trouble in the real world.
For example, in April, Tesla’s use of in-car cameras raised a lot of concerns among the public in China and elsewhere.
Complications, both moral and legal, abound in this regard. For example, should apps be allowed to collect user information? What kind of accountability should the
related business entities take if their users’ privacy is leaked? How to define the responsibilities on data protection? As a matter of fact, when the concept of Internet Plus first made its debut in a 2015 government report, these questions were already hot topics.
China began its investigation on data security to pave the way for this final legislation in 2018. The passing of this law signifies that there is a consensus on data protection and its supervisory measures across the industry are in place.
So, circling back to the initial question: What are data? In line with Article 3 of the law, the term “data” signifies any record of information collected in electronic or any other form. “Data processing” shall include the collection, storage, use, processing, transmission, provision and public disclosure of data. “Data security” means that basic,
essential measures are carried out to safeguard the effective protection as well as lawful utilization of data and guarantee a continued state of security.
The law will mainly serve the following areas: The establishment of basic systems on data management and risk assessment in different categories and at different levels; defining the obligations that organizations and individuals should undertake in data security when involved in data-related businesses; the creation of effective measures to balance data security and development; the organization of systems and measures to promote government data security and openness.
A significant law in national security
Data security not only relates to the interests of individuals and organizations, but is closely related to economic and social development, as well as national security. Consequently, the formulation of the Data Security Law is a powerful prerequisite for national security.
Data security is an important part of the country’s security on the whole. It’s not even an exaggeration to state that without data security, there is no guarantee for national security. To step up data security legislation and enhance the country’s capability of safeguarding data security will help the country effectively cope with unconventional risks and challenges in the realm of data, in turn facilitating the improved protection of national security, interests and sovereignty.
The digital economy is already fully entangled in people’s daily ongoings, offering a lot of instant convenience, such as online shopping, online bookings—from travel to medical appointments, entertainment, education, and so on.
According to statistics from the China Academy of Information and Communications Technology, China’s digital economy reached 35.84 trillion yuan ($5.6 trillion) in 2019, which accounted for 36.2 percent of the GDP. Meanwhile, the digital economy is stacking up controversies, one after the other. Bouts of privacy leaks, corporate espionage, online fraud, and so the list continues, have triggered a strong public backlash in recent times. It’s high time to standardize digital life and protect data through legislation. With such a law at hand, the legitimate rights and interests of the people are guaranteed while the digital economy can continue to operate efficiently.
As far as data operators are concerned, the Data Security Law is vital to the healthy development of the data industry. China is striving to turn itself into a strong cyber power, and develop a digital China featuring smart cities. Due to thriving undertakings based on data, the competition in data is becoming an important part of international competition. The Data Security Law stresses both security and development. Data-related activities should be standardized and data be well protected; throughout the process of data development, the lawful rights and interests of individuals and organizations must receive proper protection, while national sovereignty and security, too, be safeguarded.
This law is applicable to the conduct of data activities within the territory of the People’s Republic of China (PRC).
International influence
The Data Security Law is not only applicable in China, but is also globally influential as the Chinese economy is increasingly integrated with the rest of the world, mainly from two aspects.
First, according to the Data Security Law, the state implements export controls in line with laws on data belonging to controlled categories to carry out international duties and safeguard national security. As China’s Cybersecurity Law has pointed out, personal information and important business data collected and produced by critical information infrastructure operators during their activities within the territory of the PRC shall be stored within the territory; where due to business requirements it is truly necessary to provide it outside China, a security assessment shall be conducted according to the measures jointly formulated by the national cyberspace administration and the relevant departments of the State Council. Where foreign law enforcement bodies need to consult data stored within China, the relevant organizations and individuals shall report the matter to the competent department, and may only release it after having obtained permission. Where China has conducted or joined an international treaty or agreement with provisions on foreign law enforcement bodies consulting domestic data, those provisions shall be followed.
Second, the law is a way to counter sanctions on Chinese businesses abroad. According to the Data Security Law, for any country or region that adopts discriminatory prohibitions, limitations or other such measures toward China with respect to investment or trade related to data, or the development and use of data, or technology, China may, according to the actual circumstances, adopt corresponding measures toward that country or region.
Chinese technology companies like Huawei and ZTE, as well as short video platforms such as Douyin and Tencent’s WeChat, have all undergone extraterritorial law enforcement paired with firm sanctions. The Data Security Law will make it possible for China to take reciprocal measures against countries and territories that come down heavily on Chinese enterprises under various pretexts.
– The Daily Mail-Beijing Review News exchange item