
The Chinese data security law – more security or more challenge?

By Jiawei Wang

To ensure compliance with the new regulations on handling data in China and on transferring data abroad, the companies concerned should quickly get to grips with the Data Security Act. Non-compliance can result in heavy penalties for companies, and their representatives may face criminal prosecution.

Historically, the DSL caps a series of actions by Chinese lawmakers in recent years. In 2017, the Cyber Security Law (CSL) set the course for data handling requirements for critical information infrastructure (CII) operators for the first time in the history of the People’s Republic. Since then, the National Internet Information Administration (“Cyberspace Administration of China”, or “CAC”) has played a central role in concretizing legal measures. With the 2019 draft regulation, there has been a drastic tightening and expansion of the security assessment obligation.

Network and information security upgrade

The Chinese legislators’ new DSL represents a systematic “upgrade” in the area of network and information security as well as the security of personal data. Particularly noteworthy is its geographical scope. Section 2 of the new DSL stipulates that the law applies not only to data processing activities within China, but also to data processing activities outside China if China’s national security or public interest is endangered.

The strong linkage with the CSL cannot be overlooked in the new DSL. Accordingly, the CSL’s security management provision continues to apply to the export of data collected or produced by operators of critical information infrastructures within Chinese territory. As an innovation, a uniform procedure in relation to security review, known as security assessment, has been created in Section 24 of the DSL. However, the scope of application and procedural details are currently unclear. Furthermore, the relationship between the data security assessment and the cybersecurity assessment also remains to be clarified.

Attention should be paid to the – quite drastic – penalties for identified violations. The legal consequences include civil liabilities, administrative penalties (e.g. fines and revocation of the business license) as well as criminal liabilities.

In parallel to the DSL, another new law is considered a key element in the field of data security: the Personal Data Protection Act, which will come into force on 1 November 2021. Processors of personal data must meet various compliance obligations. Like the DSL, the Personal Data Protection Act also applies extraterritorially. This set of rules is similar in many ways to the European Union’s General Data Protection Regulation (GDPR); however, it is much stricter in terms of protecting public safety.

Automotive industry in focus

Legislation in individual industry sectors is also noteworthy: Interim regulations for data security management in the automotive industry will take effect on October 1, 2021. These regulations affect so-called automotive data processors, i.e., automobile manufacturers, parts and software suppliers, dealers, repair facilities, and driving service providers. Automotive data processors must comply with the provisions of these regulations when processing personal data and important data related to the design, manufacture, sale, use, operation, or maintenance of vehicles. Automotive data processors must report annually to the relevant authorities on “data security management”.

It remains to be seen how the new laws and regulations will be implemented in practice. However, it is foreseeable that numerous additions will be introduced in the area of data protection. This trend can already be observed in the area of cybersecurity. After the adoption of the Cybersecurity Law, numerous regulations and national standards were issued. The competent authority CAC is actively enforcing the law.

A case in point was the launch of the cybersecurity review of Chinese ride-hailing company Didi in early July 2021 (China.Table reported). Shortly after Didi’s IPO in New York, the CAC published a draft revision of the cybersecurity review rule. According to the draft, a foreign IPO will now be subject to cybersecurity review if the company stores data of more than one million users. Foreign IPOs of Chinese companies could thus certainly become more difficult in the future.

Outlook and conclusion

The tightening of data protection legislation in China will pose a challenge to compliance regimes for China-related companies. Due to higher legal requirements, listed companies in China – including their foreign subsidiaries – are strongly affected. To reduce compliance risks, German companies with subsidiaries in China must also be fully prepared. In the event of a breach, there is not only the threat of penalties such as fines, but also the impairment of business activities. In particular, attention should be paid to whether the company or its business partner is classified as an “operator of critical information infrastructure” and whether the company processes “important data”. Internal company rules should be adapted accordingly to the new data protection provisions without delay.

Quo vadis: With the DSL, the legal anchor in the area of data protection has been set in China. Certainly, further concretization of the implementing measures will follow in the coming years. The legislator’s goal is also certain: maximum security for China-related data. What is not certain, however, is how far the tightening will go. Businesses and companies will certainly face further challenges in this regard in their activities in China.

Jiawei Wang LL.M. is Legal Counsel at Rödl & Partner in Stuttgart and responsible for the China Desk. He studied law in Shanghai and Heidelberg and is admitted to practice in the People’s Republic of China as Lü Shi (lawyer under Chinese law). Wang represents, among others, German industrial companies in contract negotiations and in legal disputes with Chinese business partners. He also specialises in providing comprehensive advice to companies and managing directors on issues relating to Chinese labour law and in the areas of company compliance and white-collar crime.

