In the move to promote the development of the digital economy and protection of individual data, a new data security law in China was introduced and undergoes review.
China’s top lawmaking body begun reviewing the security law submitted by the National People’s Congress Standing Committee on July 2. For security experts, this law depicts China’s control over legal authority on companies outside of its jurisdiction.
On Sunday, July 5, a first reading was done, confirmed by news agency Xinhua.
According to lawmakers, the new law, is passed, aims to protect the ‘legitimate rights of individuals and organizations’ over data use, and to promote the development of a digital economy. Rumors said this new law will be implemented next year, after a series of review and revisions.
NPC Legislative Affairs Committee spokesperson Yue Zhongming said they are determined to complete the review by the end of 2020. The usual legal proceedings allow lawmakers to vote on the new legislation after three readings.
The security law received a lot of attention from international media, as it will reportedly require companies to disclose cyber-security preparations outside China. This means all companies with Chinese operations need to provide information about their network security in other countries.
“China is considering allowing the law to have an extra-territorial effect that we have not seen before. They want to counteract the extra-territorial effect of U.S. law,” said Covington & Burling partner Yan Luo.
Data Health and National Security
China calls the new security law important as any data leaked can harm the country’s national security, economic security, social stability, and public health. In light of this, companies operating in China are required to have their cybersecurity operations certified.
Besides disclosing cybersecurity operations in China, companies also need to disclose network security information overseas, in order to qualify for the certificate.
During the legislation review, the Chinese central and regional government bodies will define what important data is, and the metrics for granting companies a certification. A government-appointed body will take over the certification process starting in 2021.
If companies fail to comply with the security standards, they are subject to fines up to $150,000, in violation of the cybersecurity law. In addition to fines, companies can be closed down for failing to comply with the law.
Law experts such as Luo believe this isn’t only about protecting data but could also involve political elements. The draft includes China can take retaliatory actions against any country that act in a discriminatory manner against China, in the subject of data-related trade or investment.