China passes new data security law

15. June 2021

China’s “National People’s Congress”, the Chinese legislative body, approved the new “Data Security Law 2021” on June 10th, 2021 (unofficial English translation here). The new law gives President Xi Jinping the power to shut down or fine tech companies. The law will go into effect on September 1st, 2021.

The law applies to data processing activities and security surveillance within China’s territory. Data processing activities outside China’s territory that threaten China’s national security and public interests are also covered by the law.¬†For international companies, the law means they must localize data in China. For example, data generated in factories in China must be kept in China and be subject to cyber data oversight.

Companies that leak sensitive data abroad or are found “mishandling core state data” can be forced to cease operations, have their licenses revoked, or fined up to 1.6 million US$, and companies who provide electronic information to foreign law enforcement authorities can be fined up to approx. 150.000 US$ or forced to suspend their business.

While the Chinese government is increasing its financial involvement in tech companies it is also producing new legislations to tighten its grip on such companies. The new data law is expected to provide a wide outline for future rules for Internet services and to ease the tracking of valuable data in the interest of national security. This may include directives that certain types of data must be stored and handled locally, as well as requirements for companies to track and report the information they hold.

A personal information protection law is still under review in China.