China, home to the world’s largest number of internet users, officially issued the full text of Data Security Law, after it was approved during the 29th session of the Standing Committee of the 13th National People’s Congress on Thursday.
Experts and industry insiders said on Friday that the law, which has undergone three reviews and amendments since June 2020 and will take effect in September this year, shows that China’s legal system will continue to be improved in terms of network and information security, providing strong legal support for individual privacy as well as the safe and healthy development of the digital economy.
The law will be applicable to data processing activities and security supervision within China’s territory. Data processing activities outside China’s territory that harm China’s national security, public interests will be pursued for legal responsibility in accordance with the law.
The provisions of the Cybersecurity Law apply to the security management for exporting data collected or produced by the operators of critical information infrastructure inside China’s territory, according to the law.
Besides this, China will establish a “centralized, unified, efficient and authoritative” mechanisms for data security risk assessment, reporting, information sharing, monitoring and early warning, according to the law.
Upon the law’s official release, US electronic vehicle maker Tesla said in a Weibo post on Friday that it will strictly abide by the newly-unveiled data security law in China and protect consumers’ data-related rights and interests.
In April, Tesla’s use of in-car cameras raised more concerns among the public in China and elsewhere.
For international companies like Tesla, the law means localization of the data. For example, as Tesla sets up factory in China, the data generated will be kept in China, and be subject to supervision of related cyber data regulator, Zhu Wei, a communications researcher at the China University of Political Science and Law in Beijing who specializes in cyberspace security, told the Global Times on Friday.
According to the new data security law, those who violate it, like provide important data to overseas actors, may face fines of no less than 100,000 yuan ($15,660) but no more than one million yuan; but if circumstances are more serious with core state data being mishandled or national sovereignty being endangered, a fine may be issued up to 10 million yuan and their business or business license may be suspended or revoked.
Alongside China’s Cybersecurity Law, which was enacted in 2017, and personal information protection law which is still under review, “the adoption and enactment of Data Security Law marks the basic establishment of a legal framework for data and information security in China.”
Wu Yunkun, president of a leading Chinese cyber security company, Qi An Xin Group, told the Global Times on Friday that the law on data security clarifies the responsibilities of government, enterprises, social groups and operators in assuring data security, eliminating the “gray zone” in the industry.
It is a timely move to curb unregulated sharing and spreading of data that is closely linked to national key information and people’s livelihoods, Wu said, “This will ensure that authorities, key infrastructure managers, entrepreneurs, and relevant data operators will prioritize security while undergoing digital transformation.”
The passage of the law on data security will prompt governments, institutions, and companies to increase investment in data security to build a better protection system, so as to promote innovation in the cybersecurity industry, Wu said.
More players will come to fill market void in terms of data security management, data access control, and protection of data, Wu said.