China to punish data exports to overseas courts as Beijing beefs up defence against US long arm
- Clause will fine Chinese companies for sharing data without permission but also shields them from foreign pressure
- New draft data laws are aimed at beefing up privacy and boosting China’s digital economy
A clause has been added to China’s draft data security law that will punish Chinese companies for handing over domestically stored data to foreign police, courts and investigators without Beijing’s consent, a move that will make it harder for overseas law enforcement agencies to get data out of China.
China’s top lawmaking body, the National People’s Congress Standing Committee, began a second review of the draft law this week, following its initial reading last June, according to Chinese state media reports.
The Draft Data Security Law along with the draft Personal Data Protection Law (PIPL), the country’s first set of rules to safeguard personal data, are part of China’s wider push to regulate the country’s vast troves of data and to shield Chinese companies from overseas pressure to hand it over.
According to the China News Service, the new clause stipulates that any Chinese company or institution could be fined up to 1 million yuan (US$154,000) if found to have handed over data to a foreign judiciary or law enforcement agency without Beijing’s consent. Any individual responsible for such unauthorised data transmissions can also be fined up to 200,000 yuan.
The new legislation, which will very likely become law, will make the regulatory framework increasingly complicated for businesses with cross-border operations. For example, under this law, any Chinese or US company holding data of US users on a server based in China, could refuse a US court request to access such data if Beijing does not give its explicit approval.
On paper, it could also be in conflict with US regulations. Former US president Donald Trump enacted the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which enables US law enforcement agencies to demand access to online information no matter what country the data is stored in.
Legal experts say this could raise many uncertainties for companies doing business in China.
“The extraterritorial scope of the application of the new [China data security] law will make companies with overseas operations sit up and think,” said Alex Roberts, a lawyer at law firm Linklaters. “Many businesses have raised concerns that the scope of the law is vague … it could potentially conflict with obligations imposed in their home markets.”
China has been bolstering its efforts to counter the effects of US long-arm jurisdiction, and has listed it as a top legislative priority for 2021. China’s Ministry of Commerce in January launched new rules that would punish global companies for complying with tighter US restrictions against Chinese businesses. Long-arm jurisdiction is the ability of local courts to exercise jurisdiction over foreign defendants.
China has already required foreign businesses like Apple to store local data within China. If the new data security law came into effect, it could mean – for example – that US law enforcement agencies may need to seek permission from the Chinese authorities to access certain data owned by Apple but stored in China.
“The new law does increase the regulatory burden for any entity – Chinese or overseas – collecting or using data in or originating from China, and it has an extraterritorial effect,” said Paul Haswell, partner at law firm Pinsent Mansions. “But this burden is essentially similar to that imposed on entities collecting or using European citizens’ personal data under the GDPR”, referring to the General Data Protection Regulation in Europe.
Data protection under Chinese law has historically been covered in a piecemeal fashion and the draft Data Security Law will likely offer some much-welcomed clarity, Haswell added.
The full text of the first draft Data Security Law was published in June 2020 to solicit public feedback, and it had gathered 671 suggestions when the public feedback period ended in August last year. But the full text of an amended draft for the second hearing has not been published. Lawmakers usually vote on new legislation after three readings.
The draft is still subject to additional changes and there is no official schedule on when the law will come into effect.
The draft aims to establish a classification system for data according to various levels of importance. Export of data collected by operators of key information infrastructure, for instance, will be subject to strict scrutiny.