China’s National People’s Congress approved a new data security law on Thursday, for the first time mapping out the country’s legislation for the handling of user data. The law will come into effect on September 1, and it has been described by overseas media as a “new power play” to rein in tech companies as well as a “necessity” by state media.
Here are four key points from the legislation that points to how the law will change the management of personal data in China.
#1: “Important data” needs to be defined by the central government
The meaning of “important” wasn’t entirely clear previously, so the NPC is placing the responsibility of defining the term on the shoulders of China’s central government. Any company that sends “important data” overseas will face fines of RMB 100,000 to 10 million, or USD 15,600 to 1.56 million. The authorities may also revoke its business license.
#2: Central and local governments will oversee “core state data”
Here’s another term that needs to be defined—“core state data” refers to any data or information that is collected for public purposes. But that doesn’t mean all of it resides on state-owned servers; some of the data might actually be held by private businesses. An example is the health QR codes developed by Ant Group and Tencent during the height of the pandemic in China.
The fines for mishandling “core state data” are heftier, running in the band of RMB 2–10 million, or USD 312,600 to 1.56 million. And, again, the authorities can also revoke the business credentials of transgressors.
#3: There is a mechanism for data outflows, but the pathway is unclear
Article 11 leaves open the possibility for data transfers to overseas entities, although it does not indicate whether this applies to the private sector or foreign governments. The evaluation process isn’t defined, and it isn’t clear how this could unfold. What’s clear is this: entities in the private sector are not allowed to provide data stored within China to foreign judicial bodies or law enforcement agencies without explicit approval from the state.
#4: This is the first step in defining “sensitive” and “non-sensitive” data in the eyes of the Chinese state
The state will conduct “data security reviews” and “national security reviews of data handling activities,” although the law does not indicate which government agency will oversee the processes.
There are still many vague points regarding the exact execution of this new legislation. The matter of consumers’ control over the data they generate has been a recent topic of contention. When the owner of a Tesla vehicle that crashed staged her protest at Shanghai Auto in April, one worry stated by her spouse was that Tesla may modify the data stored in its system and skew the conclusions in an investigation into the reason of the collision.
The Chinese government has also restricted the types of data that automotive companies can collect, reshaping how car-related R&D takes place within China overnight.