China's Standing Committee of the National People's Congress has passed a new data security law requiring companies to seek approval before transferring what it refers to as "core" data overseas.
Rule-breakers can end up paying up to ¥10m ($1.56m, £1.1m) in fines or possibly face closure.
Handing data under a lesser qualification of "important" to overseas law enforcement agencies without Beijing's approval will attract a fine of up to ¥5m ($781,000) and a possible business suspension, up from the ¥1m ($156,000) stated in the draft of the law.
The new law also punishes companies that suffer large data leaks with a fine of up to ¥2m ($312,000).
The law is scheduled to come into effect on 1 September, leaving 2.5 months for companies and governments to plan accordingly. Major data security decisions will be made by a central national security agency.
Qualifications for "core" and "important" data were left undefined, but the law did call for the development of a classification system.
Singapore Management University law professor Henry Gao, who specialises in China, trade and the WTO, tweeted that there seems to be a lot of overlap between "core" and "important", but settled on this definition for core:
Now Data Security Law creates yet another type called “core data”, which is more important than important data & subject to the most stringent restrictions. “Core data” includes those on national security, lifeline of national economy, key people's livelihood, public interests. — Henry Gao (@henrysgao) June 11, 2021
Gao told The Register via email that there are two possible reasons the law left the key terms unclear: a rushed timeline in which the drafters had not yet settled on definitions, and/or a desire to give the government wide discretion over their use. He reckons it's a combination of both. Vague wording has long been a tradition in Chinese law.
It would be very hard for foreign firms to comply, as now they have to tread in a field filled with potential landmines. To be cautious, they might want to segment their Chinese operations from the rest of the world or transact with Chinese entities through third parties rather than directly.
One interesting thing to watch will be how China's new data law interacts with the United States' 2018 CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which allows law enforcement agencies to access stored data from US-based technology companies no matter where that data resides in the world. ®