The National People’s Congress presented the draft for the new Data Security Law (DSL) in July 2020. In contrast to the Cyber Security Law (CSL), which has been in force since 2017, the Data Security Law will regulate all data activities within the country. The scope of the new DSL is thus exceptionally broad: in addition to the common digital data of an IT infrastructure, this law will also regulate analog offline data, including conventional paper-based data.
The draft law also stipulates that organizations and individuals outside China have legal obligations as soon as they are involved in China-related data activities. A location outside China does not necessarily mean security from the long arm of China’s data protection law.
Western companies doing business in and with China should carefully analyze their current situation and the expected future requirements of the DSL. Although the law is still in the drafting stage, laws in China are finalized and validated very quickly. Requirements similar to the European GDPR (German: DSGVO) include the appointment of a department responsible for safety, risk monitoring, data impact analysis and reporting to the authorities.
Companies that have already made efforts to implement concepts in accordance with the GDPR are at an advantage here, although the requirements of the Chinese DSL usually exceed those of the GDPR. In addition to reviewing and complying with the standards, further strategic decisions should be made on data activities in and with China.