The New Chinese Data Security Law And Its Strategic Impact

China's highest legislative body passed the Data Security Law on 10 June that is set to take effect on 1 September 2021. While the Communist Party ruled country is taking regulatory actions to control tech giants such as Didi Global and Ant Group, companies need to be aware of the new game plan of Beijing as the firms that process critical data are required by the new law to conduct risk assessments and submit reports. Even annual reviews are required of organisations that process data that affects national security.

The Data Security Law in China establishes a system of government data control directed by China's central national security leadership agency and overseen by China's public, as well as national security organisations, in which all regional and departmental governments claim authority over data gathered and generated inside their borders. More specifically, it creates a legal framework for Chinese government control over domestic data, as well as a foundation for the Chinese Communist Party (CCP) to claim ownership of—and oversight of—data, including that of private firms. Industry, telecommunications, transportation, finance, natural resources, health and education, as well as research and technology, appear to be included in the bill's scope.

Reports also claimed that a separate proposal of the Personal Information Protection Law has also been circulated, and it is expected to be passed and implemented by the end of 2021.

As per the Xinhuanet, in terms of the Data Security Law Article 1: "This law is formulated in order to regulate data processing activities, ensure data security, promote data development and utilisation, protect the legitimate rights and interests of individuals and organisations, and safeguard national sovereignty, security, and development interests." The Article 2 declares that "anyone who conducts data processing activities outside of the People's Republic of China harms the national security, public interests of the People's Republic of China or the legitimate rights and interests of citizens or organisations shall be investigated for legal responsibility in accordance with the law".

According to the report, Article 26 states that if any country or region responds to China's data control with the trade or investment restrictions, "the People's Republic of China may take measures based on actual conditions".

Unlike Beijing's Cybersecurity Law of 2016 and the Personal Information Protection Law—both of which allowed organisations doing business in China to implement their own security measures to protect personal data and data traversing organisations' networks—the Data Security Law will require certain security measures for any record of information in electronic or other forms (including physical copies) that has regulatory implications for national or other security.

However, nothing about the Data Security Law should come as a surprise to anyone. It has taken a long time as the National People's Congress released the first draft in September 2018, followed by a second proposal in June 2020. Moreover, the Law is actually part of a bigger, strategic Chinese endeavour to mould the future industrial revolution's design and control its most important resource, which is information.

The world has recognised the onset of a new industrial revolution, and China has grasped the significance of this—the introduction of new production factors defines industrial revolutions. Land and labour came first, followed by capital, and now it is all about information that CCP is striving to bring under control on a worldwide scale.

According to a Guangming Daily article: "Production factors are an ever-evolving historical category. Land and labour were important production factors in the era of the agricultural economy. After the industrial revolution, capital became an important factor of production in the era of the industrial economy. [And now] with the advent of the digital economy, data elements have become the new engine for economic development. Data is a new production factor, a basic resource, and a strategic resource".

For the first time in 2019, the Fourth Plenary Session of the CCP's 19th Central Committee advocated that data be deemed a production element.

The Goal

Experts believe China's efforts to capture data for national security concerns are simply one part of a larger strategy to build a state-supervised market for such data to help boost flagging economic growth. According to Kendra Schaefer, head of tech policy research at Beijing-based consultancy Trivium China: "Overseas IPO audits, cross border transfers and open access to certain types of data stand in the way of Beijing's goal to not only take over supervision of the county's vast data assets but to commoditise them".

Samm Sacks, who is a cyber policy expert at the think tank New America said: "It's not just a national security policy, it's a much more deliberate plan asking 'how do we really tap into the value that flows from data from an economic standpoint?"

Governments throughout the world have been grappling with how to handle internet platforms and their tremendous influence, which is based on their vast collection of user data. In China, where private firms are tightly regulated, such initiatives are, in theory, more straightforward. As per Sacks, "The government long wanted to regain control over data that's held by these private platforms as a strategic asset and then Didi gave them the perfect opportunity because they flouted these important stakeholders who weren't ready for the IPO". But according to Sacks these efforts are risky. It is claimed that the broad definition of "national key data" under the data law is ambiguous, adding to the uncertainty for businesses, their customers and investors.

However, as per the Data Security Law, any disclosure of data maintained in China by a Chinese entity or individual in response to a request from a foreign judicial body or law enforcement authority must be approved by the relevant authority beforehand. Since this law also enables for countermeasures to be taken in response to any discriminatory actions made by foreign countries or regions against China's data or data development-related investment or trade, this obligation may have an impact on multinational companies' data submissions to the United States Securities and Exchange Commission, the Department of Justice, or similar foreign law enforcement or regulatory bodies.

According to a report, multinational organisations with a presence in China or that engage with Chinese individuals or organisations will face a complicated landscape of data governance, categorisation and export regulations.

With the Data Security Law and data localisation measures, as well as the new infrastructure programme that supports large-scale construction of 5G base stations, data centres and other physical structures of this era of the digital revolution; with control over, platform internet companies and with a national strategy to set emerging international standards, the CCP is gaining such influence. If Beijing succeeds, it will gain so much power that the Chinese government will be able to put everything under surveillance and become the most powerful nation in the world.

However, recently the Group of Seven or G7 (inter-governmental political forum consisting of 7 countries—Canada, France, Germany, Italy, Japan, the United Kingdom and the United States) came together under a common narrative, criticising China for human rights violations ranging from forced labour to Hong Kong occupation to South China Sea aggression.

Even the North Atlantic Treaty Organization (NATO) officials said that Beijing poses a systemic challenge to the international community. As per the latest reports, to combat the worldwide threat posed by Chinese state-sponsored cyberattacks, NATO member nations, the European Union, Australia, New Zealand and Japan have formed a new cooperative effort.