Key takeaways from the second draft of data security law

来源:君合法律评论

文章摘要
After a review by the 28th Session of the Standing Committee of the Thirteenth National People’s Con

After a review by the 28th Session of the Standing Committee of the Thirteenth National People’s Congress, the Data Security Law (Second Draft for Solicitation of Comments) (the “Second Draft”) was issued on April 29, 2021.
在提交至第十三届全国人大常委会第二十八次会议审议后,《数据安全法(草案二次审议稿)》(“《二审稿》”)于2021年4月29日正式发布向社会征求意见至2021年5月28日。
Data Security Law (Draft for Solicitation of Comments) (the “First Draft”) was issued on July 3, 2020 after discussion on the 20th Session of the Standing Committee of the Thirteenth National People’s Congress. The Second Draft has made certain adjustment and supplements on the basis of the First Draft.
《数据安全法(草案)》(“《一审稿》”)为第十三届全国人大常委会第二十次会议讨论后于2020年7月3日发布,二审稿在此基础上进行了相应的调整和补充。
Data Security Law, upon its official enactment, will become an important part of the state security legal framework represented by the State Security Law. Together with the Cybersecurity Law and the Law on the Protection of Personal Information (whose second draft was issued on the same date), they will form the basic legal framework within the information sector.
《数据安全法》出台后将成为以《国家安全法》为代表的国家安全法律体系的重要组成部分,也将与《网络安全法》及同日发布《二审稿》的《个人信息保护法》一起组成信息领域的基础性法律体系。
Major Amendments made by the Second Draft《二审稿》重大变化
Similar to the First Draft, the Second Draft also has seven chapters. It has 53 provisions, only two more provisions than the First Draft.
相比《一审稿》,《二审稿》依然保持了原有的总共七章的体例,全文共53条,相较《一审稿》仅增加了2条。
Some of the major amendments are:
其中比较重要的改变包括:
The First Draft mentioned that the State should implement a categorized and tiered protection of data. The Second Draft more specifically requires that the State shall establish a tiered data protection system and protect data by its classification, formulate important data catalogue and strengthen the protection of important data (Article 20);
《一审稿》提出国家应对数据实行分类分级保护,而《二审稿》更明确提出国家建立数据分类分级保护制度,对数据进行分级保护,并确定重要数据目录,加强对重要数据的保护(第二十条);
The Second Draft emphasizes the implementation of Multi-level Protection Scheme (“MLPS”) as provided under the Cybersecurity Law, requiring that an administration system shall be established with respect to the conduct of data processing activities based on MLPS (Article 26);
强调《网络安全法》下的网络安全等级保护制度,规定开展数据处理活动应当在网络安全等级保护制度的基础上,建立相关管理制度(第二十六条);
As a new provision, the Second Draft requires that a security assessment shall be conducted in accordance with the Cybersecurity Law with respect to the export of important data by the operators of critical information infrastructures, and special administrative measures will be issued with respect to the security of the export of important data collected and generated within China by other data processors (Article 30). However, the Second Draft does not specifically define important data, which will be confirmed by the aforesaid catalogue of important data;
新增关键信息基础设施运营者重要数据出境将按照《网络安全法》开展安全评估,对其他数据处理者在境内收集和产生的重要数据亦将制定专门的出境安全管理办法(第三十条)。但重要数据仍未明确定义,而是留待上述重要数据目录予以确认;
The First Draft restricts a foreign law enforcement organization from collecting data in China, while the Second Draft imposes additional restrictions on the collection of data by foreign judicial organizations in China, requiring that such data may only be exported with the approval of the competent authority (Article 35);
《一审稿》提出了限制境外执法机构调取境内数据,《二审稿》在此基础上新增了对境外司法机构调取境内数据的限制,要求必须经过主管机关批准后方可提供出境(第三十五条);
The Second Draft significantly increases the amount of fines for a breach of the obligations of data security protection: the maximum amount of fines for an enterprise for the breach of the obligations of data security protection has increased from RMB 1,000,000 to RMB 5,000,000, and the enterprise may also be ordered to suspend its business, stop business for rectification, or have its permit or business license revoked; the maximum amount of fines on persons directly responsible for the breach has increased from RMB 100,000 (as specified in the First Draft) to RMB 500,000 (Article 44);
违反数据安全保护义务的罚款金额显著提高,《二审稿》下违反数据安全保护义务的企业的罚款金额上限从《一审稿》的人民币100万元提高至人民币500万元,并可责令暂停业务、停业整顿、吊销许可或营业执照,对直接责任人员的罚款金额从《一审稿》的人民币10万元上调至人民币50万元(第四十四条);
As a new provision, the Second Draft provides for the legal liability for the failure to cooperate with a public security body and the State security departments in data collection. This includes fines of up to RMB 500,000 and the persons directly responsible for such a violation will be subject to fines of up to RMB 100,000 (Article 46); and
新增不配合公安、国安调取数据时的法律责任,最高处人民币50万元罚款,直接责任人员的罚款最高为人民币10万元(第四十六条);
As a new provision, the Second Draft provides for the legal liability for the provision of data to a foreign judicial or law enforcement organization without approval. This includes fines of up to RMB 1,000,000 and the persons directly responsible for such a violation will be subject to fines of up to RMB 200,000 (Article 46).
新增未经批准向境外司法、执法机构提供数据的法律责任,最高为人民币100万元罚款,直接责任人员的罚款最高为人民币20万元(第四十六条)。

技术驱动法律,专业成就未来