On 28 June 2020, the draft Data Security Law was submitted for its first reading at the 20th session of the Standing Committee of the 13th National People’s Congress. The draft was also published online for public comments on 3 July: comments can be submitted until 16 August 2020.
The Data Security Law aims to regulate data and to incorporate data security and utilisation into the national governance system; it thus marks the official establishment of data security legislation in China. Specifically, the draft is comprised of 51 articles grouped under seven sections, including: data security jurisdiction and regulatory framework; data security standardisation system; data protection classifications and grades; management of key data; data security risk alert and emergency response mechanism; national security review mechanism for data activities; and obligations to protect data activities. The draft signals that China will continue to put equal emphasis on safeguarding data security, and on promoting data development and utilisation; it aims to further boost the progress of the data industry through better data security systems and protection.
The following points of the draft Data Security Law relate to standardisation:
- Establishment of a data security standardisation system
In March 2020, SAC issued the Main Points of National Standardisation Work for China in 2020, outlining the overall requirements for the establishment of a new generation information technology standard system. Various data-related technical standardisation projects have recently been launched, covering areas such as face recognition technology and intelligent and connected vehicles. On this basis, the draft Data Security Law stipulates that China will advance the establishment a standard system that will cover data development and utilisation technologies, products and data security.
- Support the development of evaluation and certification services
The draft points out that China will further facilitate the development of data security testing, evaluation and certification services, and that it will support professional institutions to carry out such services in accordance with the law – i.e. based on the Detailed Rules for the Implementation of Safety Certification of Key Internet Equipment and Internet Security Products published by CNCA in July 2018; and the Detailed Rules for the Implementation of Safety Certification of Mobile Internet Applications published by SAMR and the Cyberspace Administration of China in March 2019.
In addition, the draft reveals a supportive attitude towards safe and free cross-border data flows. Nonetheless, it clearly stipulates that China will have the ultimate right to impose export control measures over data that falls into the category of “controlled items”, namely items relating to the fulfilment of international obligations and the safeguarding of national security. In this regard, China can take countermeasures against discriminatory measures taken by other countries pertaining to data activities. It is noteworthy that the draft targets special scenarios, without reference to regulation over cross-border data flows in general business scenarios. The draft also stipulates that China will conduct national security reviews on data activities that affect or have the potential to affect national security, although no specific jurisdictions and scope of scenarios are defined.
In conclusion, the draft Data Security Law is a basic law for data security in China. Its objective is to improve the data security standard system, to boost cross-border data exchange, and at the same time to support the establishment of a protection mechanism to safeguard national security and data sovereignty. Together with the Cybersecurity Law and the Personal Information Protection Law, it forms a key part of China’s legal framework for data regulation and governance.