The Standing Committee of the 13th National People’s Congress deliberated on and passed the PRC Data Security Law in its 29th session on 10 June 2021. The PRC Data Security Law lays the foundation and framework for establishing the requisite systems on data regulation in China. Specifically, the PRC Data Security Law clarifies the multiple basic systems to be established, which involve i) different data protection measures based on different data ranking and classification results; ii) identification and protection of critical data and national core data; iii) control of data related risk; iv) handling of data related emergencies; v) data inspection for national security purposes; vi) a company’s obligation to preserve data security; vii) security appraisal on data to be transferred abroad; etc. Although the PRC Data Security Law now mainly sets forth the principal rules for data security and requires support from more detailed regulations in the future, its promulgation has marked the beginning of a new era for China’s data regulation. The PRC Data Security Law will come into effect as of 1 September 2021.
Key Action Points for Human Resources and In-house Counsel
The PRC Data Security Law is believed to have a profound influence on China’s data regulation. Under the new regulatory regime, it is advisable for employers in China, especially those in the key sectors of finance, telecoms, transportation and natural resources, to perform a self-evaluation and assess the status of data compliance before this new law takes effective.