China is issuing the second version of the draft data protection law

On April 29, 2021, China published a second draft of the Data Protection Act (“Draft DSL”). The DSL draft can be publicly commented on until May 28, 2021.

While the scope of this version of the DSL draft is the same as the previous version published on July 3, 2020, we summarize the main changes in the second version of the DSL draft below.

Privacy policy based on hierarchical classification and category

Article 20 provides for a data protection directive to be established at national level based on the hierarchical classification and categorization of data and the “catalog of important data”. However, the draft DSL does not include a definition of key data that may be included in future implementing rules.

Management of cross-border data transfer

Article 30 distinguishes how the cross-border transfer of important data by operators of critical information infrastructures (“CII”) and other data processors is to be treated. In particular, China’s Cybersecurity Law would apply to managing the transfer of critical data collected and generated by CII operators while doing business in China. The Cyberspace Administration of China, together with the relevant department of the State Council, would establish relevant rules for the cross-border transfer of important data by other data processors.

Licensable data processing service

Article 33 provides that service providers are given permits for relevant data processing services as required by laws and regulations. However, the DSL draft does not list the specific computing services that require a license.


Article 44 increases the severity of the sanctions considerably. In the event of non-fulfillment of obligations in connection with data security, fines between 50,000 and 500,000 RMB as well as correction and warning orders are imposed on data processors. In addition, fines between RMB 10,000 and RMB 100,000 are imposed for the personnel directly responsible for data processing and for other persons responsible for data processing. In cases where no corrections are made or serious consequences arise, data processors will be fined between 500,000 and 5 million RMB. In addition, these processors may be subject to suspensions or downtime, or the revocation of permits or business licenses. In the relevant cases of violations, persons directly responsible for data processing and other persons responsible for data processing will be fined between 50,000 and 500,000 RMB.

Article 46 provides penalties for the following types of data processing activities: (1) data processors deny access to data by public security and / or state security agencies under law in order to maintain national security or conduct criminal investigations; and (2) data processors make data available to a foreign judicial body or a law enforcement agency without the consent of a competent authority.

In addition, the DSL draft clarifies the definition of “data processing” and “data security” and deals with antitrust issues in connection with platforms, tiered obligations to protect cybersecurity and self-discipline rules in the industry.

Comments are closed.