How the Data Security Law Sets the Stage for the Tech Industry in China and Beyond

By Jacqueline Lee

On June 10, 2021, the People’s Republic of China (PRC) published the final version of its Data Security Law (DSL)[1], a new piece of legislation that enhances the state’s data regulatory powers. Taking effect on September 1, 2021, the expansive law will potentially impact all business operators in China. Since the DSL was announced, the government’s pressure on Big Tech in China has become increasingly evident, taking the form of regulatory pressures, enhanced scrutiny of company operations, and outright bans. In the last few months, the PRC has built upon the DSL’s framework with additional guidelines and rules, including protections for critical information infrastructure and personal information. With this, an examination of the regulatory foundation set by the DSL is warranted to understand how China is managing its data and the tech companies that are processing it.
Extraterritorial Scope
The DSL applies to any data processing activities carried out within the PRC, and to those carried out beyond its physical boundaries if they “harm the national security, the public interests, or the lawful interests of citizens or organization” of the PRC. Violators of these provisions are subject to fines ranging from ¥10,000 to ¥10 million, suspension of business services, license revocation, and general civil and criminal liability.
Data Categorization
The DSL divides data into three categories, depending on its importance for economic and social development and the risk its circulation can bring to national security, social, and legal interests. The broader category is “important data,” which is not defined by the DSL. Instead, the law requires that a mechanism be set up to outline a catalogue of important data. Recent developments have added some clarity by defining important data for cars as geographical information and traffic data from important and sensitive areas, including military regions, state-owned defense and technology companies, and government offices. Important data for other sectors remain to be determined. “National core data” includes all data related to “national security, the lifeline of the national economy, important people’s livelihood, vital public interests, and other aspects.” Lastly, the DSL categorizes some data as “controlled items” – data for which export controls will be in place to protect national security and interests and to fulfill international obligations. For example, although the DSL pertains to data stored or otherwise processed in China, it requires PRC approval before such data can be shared with foreign judiciaries, as may be required for multi-national corporations based outside China.
Market-based Goals
The DSL outlines Beijing’s intentions to establish a state-cultivated and state-regulated data trading market. It plans to do this through a centralized and authoritative “mechanism” for data security risk assessment, reporting, information sharing, supervision, and warning and a data security review system.
Scattered throughout the DSL are references to the PRC’s goal to grow all industries through the application of data. The “big data strategy” calls for all sectors to incorporate digital economy development; participate in the formulation of standards for data use and security; and develop education, training, and data security assessment and certification services for data development, security, and use technologies. This governmental crackdown has already resulted in a significant $823 billion drop in aggregate market value for Chinese technology firms, reflecting decreased investor confidence due to the uncertain regulatory environment.
While the broader effects of the DSL may only be observable once it fully comes into effect, the state’s motivations and goals can be appreciated in the legislation and governmental actions that have followed the DSL. For instance, on July 10, 2021, the Cyberspace Administration of China (CAC) released a draft revision of its Cybersecurity Review Measures incorporating the DSL. Notably, they added the China Securities Regulatory Commission (CSRC) to the national cybersecurity work mechanism, which includes 12 other national agencies, any of which can initiate a cybersecurity review, according to experts. Other important amendments include the stipulation that critical information infrastructure operators and data handlers of information of more than 1 million users that plan to list their firm on a foreign market must report for cybersecurity review, and the inclusion of foreign listings as a data processing activity that may bring about national security risks. The CAC specifically mentions the risk that “core data, important data or large amounts of personal information” can be “stolen, leaked, damaged, or illegally used or exported.”
The DSL and updated Cybersecurity Review Measures both significantly expand the government’s ability to restrict Chinese companies’ market activities. This enhanced scrutiny is not limited to Chinese companies in foreign markets. In July, WeChat — in order to “align with relevant laws and regulations” — temporarily suspended registration for new users from mainland China. After Alibaba’s Ant Group’s record-breaking $37 billion IPO, China’s antitrust regulators promptly cancelled the offering. And most recently, securities regulators tightened scrutiny over IPO price-setting in the technology-focused STAR Market stock exchange, punishing 19 institutions, citing “weak internal controls” and “non-compliance with stipulated procedures.” Some analysts interpret these measures as proof not only of the Chinese government’s concern over the potential for leaked data, but also of its concern over how foreign markets can be used by tech companies to bypass domestic controls and economic limitations. If this is the case, the government’s “show of force” of its control over domestic tech companies may be sending a wider message on its extraterritorial power over this market for data.
What China’s regulations on technology and data will ultimately mean for foreign companies and the world market can only be hypothesized at this point, with more clarification expected from the state in the coming months, according to various experts and authorities in the field. Still, the outcomes of these opening battles currently playing out on the stage set by the DSL will provide key lessons in what to expect for companies and countries looking to engage with the Chinese market.

Jacqueline Lee is a research intern with the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, DC.
The Strategic Technologies Blog is produced by the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
[1] Unofficial English translation available here