Skip to main content
Top Button
China’s Data Security Law and Privacy Law Highlights China’s Data Security Law and Privacy Law Highlights

China’s Data Security Law and Privacy Law Highlights

China has recently taken several more steps toward a comprehensive and more demanding regulatory approach to cybersecurity and data privacy, creating more challenges for companies that operate in China or have significant business activities there. On June 10, 2021, the Data Security Law of the People’s Republic of China (“DSL”) was officially passed and will come into effect on September 1, 2021. Similarly, on August 20, 2021, the Standing Committee of China’s National People’s Congress promulgated China’s Personal Information Protection Law (“PIPL”), which will take effect November 1, 2021. While the PIPL has a number of similarities with the EU’s General Data Protection Regulation (“GDPR”), there are some differences. 

When a new law is passed there are inevitably more questions than answers, and the DSL and PIPL are no exception. However, China recently published new draft measures aimed at bolstering the DSL, including definitions of what would be considered "core" and "important" data.

Data Security Law of the People’s Republic of China (“DSL”) 

The DSL applies to all types of data processing activities, including collection, storage, use, refining, transmission, provision, and disclosure of data carried out within the territory of China. 

The DSL creates three categories of data which include “ordinary data,” “important data,” and “core data.” The language within the DSL itself is ambiguous and companies likely to be impacted by the DSL have been asking the Chinese authorities for more clarity. Recently published draft rules describe ordinary data as data that has a minimal ability to impact society at large, or data that will only affect a small number of individuals or enterprises. [1] Important data is described as data that poses a threat to China’s national and economic interests or data that impacts the rights of individuals and organizations, and data that has an “obvious cascading effect” across a range of industries and enterprises. [2] Core data is described as data that poses “serious threat” to China’s national and economic interests. Dependent on the type of data at issue and a number of other factors, there is a range of requirements for data processing activities. 

To comply with the DSL, companies also need to consider whether they are “critical information infrastructures (CII),” which refer to infrastructure in important industries and sectors, such as public communications, information service, energy, transport, water conservancy, finance, public service, and e-government, as this creates additional obligations. CII operators need to store important data locally. If cross-border transfer is necessary, the CII operator must perform a security assessment and seek approval from appropriate authorities. 

The DSL provides for various fines, taking into consideration the nature of the incident, the parties involved, and the impact of the incident.

China’s Personal Information Protection Law (“PIPL”)

The PIPL will govern personal information processing activities carried out by entities or individuals within China. Importantly for US companies, PIPL extends its territorial scope to the processing of personal information conducted outside of China, provided that the purpose of the processing is: (i) to provide products or services to individuals in China, (ii) to “analyze” or “assess” the behavior of individuals in China, or (iii) for other purposes to be specified by laws and regulations. PIPL provides a number of data subject rights, including rights of access, correction, and deletion of personal information. 

The PIPL requires companies processing personal information outside of China to establish a “dedicated office” or appoint a “designated representative” in China for personal information protection purposes. Operators and entities that are considered critical information infrastructure (“CII”) and that process a certain volume of personal information must: (1) locally store the personal information they collect and generate in China; and, (2) pass a government security assessment to the extent they seek to transfer personal information outside of China.

Violations of the PIPL can lead to fines of up to 50 million RMB (roughly $7.8 million USD) or 5% of an organization’s annual revenue for the prior financial year.

Please contact Guillermo Christensen or Rachel Spiker for more information. Guillermo is the office managing partner of Ice Miller’s Washington DC office and practices within the Data Security and Privacy and White Collar Defense Groups. Rachel is an associate in the Data Security and Privacy Group.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

[1] See, “China drafts new data measures, defines "core data"”, Reuters, September 30, 2021, at 
[2] Id. 
View Full Site View Mobile Optimized