Article 2 of the DSL stipulates that data activities conducted within the PRC shall be subject to this law. For the purpose of the DSL, the term "data" refers to any record of information in electronic or non-electronic form and the term "data activities" refers to activities which, among others, collect, store, process, use, provide, trade or publish data. Since both are very broad terms and the CSL already addresses similar concepts such as "network data" – ie various electronic data collected, stored, transmitted, processed and generated through network – there will be discernible overlaps between the two laws.
It is clear that any data activities within the PRC shall be regulated by this law, according to Article 2 of the DSL. What is important to know is that the DSL takes a "long reach" approach by stipulating in the same article that legal liabilities shall also be pursued against any organisation or individual outside the PRC that conducts data activities jeopardising the national security, public interest or legitimate interests of citizens and organisations of the PRC. Such a provision could expose international companies to considerable legal uncertainty wherever their routine course of business touches upon data processing activities (which is inevitable in today's digitalised world).
Explicit obligations outlined by the DSL include those below, which for many international companies should not sound unfamiliar, since these requirements are very close to those under the European GDPR:
- to establish a full process, organise training and take measures, including technical means, to manage and ensure data security
- to appoint a dedicated position or department to take care of data security and to assume the respective security responsibilities (as well as liabilities)
- to strengthen risk monitoring and fix deficiencies/backdoors immediately once known, and to notify users and the competent authorities in a timely manner in the event of any data breach
- to collect data in a legitimate and justified way, and not to collect or use data beyond the necessary extent
- for data trading agents, to implement a KYC process (eg clarifying the source of data, verifying the identities of trading parties, record keeping), and