Beijing tightens grip on data transfers . . .
China’s top legislature passed a new Data Security Law last Thursday, which will become the country’s first comprehensive legislation of its kind when it comes into force on September 1. Intending to create a new “data categorization and classification system,” the law includes heavy penalties for mishandling “core data of the state” and unauthorized transfers of “important data to foreign judicial or law enforcement agencies.” According to the law, “core data of the state” covers a wide range of information that concerns China’s “national and economic security,” as well as “crucial matters of people’s welfare and public interest.” This new piece of legislation follows China’s recent Cybersecurity Law and draft Personal Information Protection Law, a package of legislation expected to form the legal basis for China’s data and IT governance regime.
Tech companies already on the move . . .
Chinese tech companies, including some of the country’s most popular apps, such as WeChat, food delivery giant Meituan, and TikTok, reacted quickly to the new legislation by revising their data collection and usage policies over the weekend. Some see the new restrictions on data export and offshore storage as Beijing’s latest move in securing control of the country’s increasingly powerful private tech companies, which now possess an immense amount of personal and corporate digital data. Moreover, foreign businesses operating in China and those with extensive cross-border information exchanges could face more challenges in handling data gathered within China’s borders.
Drawing a fine line on data protection and ownership . . .
By stipulating that companies ramp up their data security and privacy protection efforts for their customers, the new law is expected to have some positive impact on helping address data breach concerns in China’s previously less regulated space. The data localization and government oversight requirements, on the flip side, may potentially conflict with relevant regulations in other jurisdictions, such as the 2018 U.S. CLOUD Act. As a result, Beijing will have to continue striking a balance in the data and tech space between managing what it deems as an essential strategic asset that China has ownership over and creating a legal environment that does not stifle innovation.
- South China Morning Post: China’s new Data Security Law promises steep punishments for unapproved overseas data transfers
- The Wall Street Journal: China’s new power play: more control of tech companies’ troves of data
- Xinhua: 中华人民共和国数据安全法