On behalf of the more than 220 members of the US-China Business Council (USCBC), we appreciate the opportunity to submit comments on the draft Data Security Law of the People’s Republic of China (hereafter referred to as “the Draft”) to the National People’s Congress (NPC).
USCBC received comments on the Draft from companies across multiple industries, including information and communications technology (ICT), automotive, service firms, and financial services.
The Draft covers an important and complex topic that many governments across the world are currently debating how best to regulate in a fashion that both ensures the integrity of data protection systems and avoids imposing undue or unnecessary burdens on industry. In particular, we would like to highlight the following suggestions:
- Scope and relationship with other laws: The scope of the Draft is overly broad, as it covers any data in electronic or non-electronic form, making the potential compliance burden for companies difficult to manage. Additionally, a number of existing laws, regulations, and standards already cover some of the national security elements included in the Draft. These include the Cybersecurity Law, Civil Code, National Security Law, the draft Data Security Management Measures, and the draft Measures for the Security Assessment of Cross-Border Transmission of Personal Information. We encourage the NPC to ensure regulatory consistency between the aforementioned laws and regulations and this Draft, and to limit overlap between them.
- Important data: We believe the Draft could be improved by defining “important data” and “processors of important data” in a way that provides clarity while limiting the scope and necessity of important data risk assessments. Existing regulations suggest that important data will be subject to data localization and cross-border security reviews, so we recommend that the Draft’s definition align with the draft Data Security Administrative Measures, which state that most company data is not included in the scope of important data. Furthermore, the Draft empowers each “region and department” to create its own separate catalog, increasing the risk that different provinces and municipalities will have disparate catalogs and compliance requirements, which could impede the free flow of data necessary for companies’ day-to-day operations. Therefore, we suggest that the authority to define important data be centralized.
- Data classification and MLPS 2.0: Article 19 of the Draft states that data will be graded and classified according to its importance to China’s national security. We recommend that this classification system be harmonized with the existing MLPS 2.0 scheme to avoid the proliferation of different national security-based compliance regimes that companies will be subject to.
- Personal information and data: The Draft’s broad definition of data makes it unclear whether it is inclusive of personal information. As per the Cybersecurity Law, personal information and important data are separate concepts that have thus far been regulated separately by standards and regulations. Including personal information in the Draft’s definition of data would run counter to existing regulations and complicate companies’ present understanding of their compliance requirements. We recommend that the Draft explicitly exclude personal information from its definition of data to ensure consistency with existing laws.
- Extraterritoriality: Article 2 states that the Draft applies to organizations and individuals outside of mainland China that engage in data activities that harm China’s national security interests. It is unclear what mechanisms would be leveraged to enforce this provision or which data activities are considered harmful to China’s national security. This contributes to concerns surrounding the increasing proliferation of national security-based regulations and reviews in China’s data and cyber regulations. Furthermore, companies note that there are more appropriate laws, such as the National Security Law, to regulate the concern addressed by Article 2. We therefore recommend removing this provision.
- Oversight: The government entities responsible for supervision and enforcement of the Draft are unclear, and in some cases may have regulatory overlap, which may cause confusion. In order to avoid duplicative oversight, different government agencies should be clearly assigned respective enforcement and oversight authorities.
- Cross-border data flows: Cross-border data flows are important for multinational corporations to communicate with their headquarters and conduct day-to-day business operations such as “Know-Your-Customer” and “Anti-Money Laundering” activities. The free flow and exchange of data globally supports innovation and the global economy. We are encouraged that Article 10 of the Draft commits to promoting free data flow. Members hope to see clarity on how cross-border data security will be balanced with the need for unencumbered cross-border data flow.
We appreciate this opportunity to express our suggestions and have provided article-specific recommendations in detail below.