Last June, China adopted its new data protection regulation, the Data Security Law (DSL). This law comes as a supplement to other laws that are already implemented in different aspects of data security. Briefly, the DSL, which will come into force on the first of September, asks for a classification of data according to the degree of harm they can cause to China, and regulates cross-border data transfers, thus elevating the data security in China to a strategic importance level. As this new classification (Important data & National Core Data) adds on to the previous ones (such as State Secrets), businesses will have to comply with the requirements of all the different existing laws.
There is therefore a clear challenge for businesses and investors to adapt. How will they be impacted and what will they have to consider implementing in order to comply with more and more stringent laws?
This question is all the more relevant as the DSL will have extraterritorial reach “to the extent that data processing activities outside China harm or damage national security, the public interest or the rights and interests of any Chinese citizens or organizations”.
A propitious context…
The DSL will come into force at a time of strengthened international data security regulation. Indeed, markets have already worked to ensure that solid measures were taken, and are therefore well accustomed to data security requirements.
However, the DSL is mostly principle-based, so its implementation and actual impact are yet to be seen.
It is interesting to note that the DSL specifies China’s ability to adopt countermeasures if discriminatory measures were taken by authorities against Chinese investment or trade relating to data.
… But a persistent requirement for investors and businesses to adapt
For sure, foreign investors considering Chinese investment targets would do well to consider the need to carefully apply and comply with the Chinese data regulations. Although it may not always be possible to eliminate risks, in part due to the evolving nature of the legal framework (as underlines Akin Gump Strauss Hauer & Feld’s group), investors ought at least to seek assurances as to the ability of a target group to cope with and adapt to regulatory requirements and should factor these risks appropriately into the structuring of their investments.
As for (local) businesses, given the environment of increasingly complex data-related laws, they must seek to manage compliance risks at an early stage. They will have to implement a comprehensive data categorization (if it is not already the case) to be able to differentiate the risk related to “important data” and “national core dara”. As the law firm Akin Gump Strauss Hauer & Feld reminds us : “Businesses will also need to be mindful of the prohibition on the provision of data stored in China (without consent) to foreign agencies”.
Now more than ever, both investors and businesses will face ever stricter scrutiny when it comes to data collection and processing. While the DSL is only a drop in the ocean of strengthening regulation, it appears clearly that it will not be impact-free for investors and businesses …
 Akin Gump Strauss Hauer & Feld LLP. “Impact of the New China Data Security Law for International Investors and Businesses.” JD Supra, 26 July 2021, www.jdsupra.com/legalnews/impact-of-the-new-china-data-security-8455781/.
 Same as 1
 Same as 1
 Same as 1
Akin Gump Strauss Hauer & Feld LLP. “Impact of the New China Data Security Law for International Investors and Businesses.” JD Supra, 26 July 2021, www.jdsupra.com/legalnews/impact-of-the-new-china-data-security-8455781/.
Fougeron, Mathilde. “China Introduces the Data Security Law.” Agnostik, 15 June 2021, agnostik.fr/china-introduces-the-data-security-law/.