
Eye Record

 

I. The Scope of Application of the Data Security Law and Its Impact on Enterprises

II. Compliance Tasks Enterprises Can Start Preparing for Now

III. Matters to Be Clarified Through Supporting Legislation

 

Since June 28, 2020, the Data Security Law has undergone three rounds of deliberation and revision, finally being adopted at the 29th Meeting of the Standing Committee of the 13th National People's Congress on June 11, 2021. It will officially come into effect on September 1, 2021. The Data Security Law is regarded as one of China’s three foundational laws governing cyberspace and information security, focusing on balancing data security with economic development from the perspective of fostering China’s burgeoning digital economy. It emphasizes that promoting data security should be driven by the development and utilization of data, while robust data security measures, in turn, support and accelerate both data-driven innovation and industrial growth.

 

Data security encompasses multiple interrelated attributes. The enactment of the Data Security Law not only establishes institutional management requirements at a macro level to safeguard national security and uphold national sovereignty, but also sets out fundamental guidelines, and corresponding legal responsibilities, for organizations and individuals in fulfilling their obligations to protect data security. For businesses, the arrival of the "Data Security Law" regulatory era marks a shift comparable to the rise of "cybersecurity oversight" and signals significant changes ahead.

 

To help businesses easily understand the new regulations and swiftly grasp the compliance measures required under the Data Security Law, StarLawyers has compiled this comprehensive compliance checklist, enabling companies to promptly implement the necessary steps and gain full confidence in managing their data security effectively.

 

I. The Scope of Application of the Data Security Law and Its Impact on Enterprises

 

1. Scope of Application

 

The scope of application of the "Data Security Law" can be summarized by "three comprehensives":

 

First, the scope of regulation covers all forms of information—specifically, under this law, "data" refers to any record of information stored electronically or through other means.

 

Second, regulatory activities cover the entire data lifecycle—specifically, the Data Security Law encompasses security management requirements for all stages of data handling, including collection, storage, use, processing, transmission, provision, and disclosure (collectively referred to as "data processing activities").

 

Third, the law applies both domestically and internationally, giving it dual jurisdictional coverage. Within the territory of the People's Republic of China, it governs data-processing activities and their security oversight. It also introduces a uniquely Chinese "long-arm jurisdiction" provision: even when data-processing activities take place outside the PRC, this law will still apply if they result in harm to China's national security, public interests, or the legitimate rights and interests of citizens and organizations.

 

Therefore, the Data Security Law has a broad scope of application: any Chinese enterprise whose daily operations or business activities involve any stage of the data lifecycle—and even foreign companies engaged in data processing activities with connections to China—will fall under its regulatory framework.

 

2. Impact on Businesses

 

The Data Security Law, as the first specialized legislation targeting the data security sector, clearly outlines a series of institutional frameworks and management obligations. In addition to general requirements for all enterprises, the law introduces tailored measures for particular categories of businesses. First, companies operating in critical sectors such as finance, telecommunications, transportation, and natural resources, especially those handling potentially sensitive data, are urged to closely monitor their data classification practices and implement robust systems for protecting important data. They must also designate dedicated data security officers and establish clear governance structures to ensure accountability for data protection efforts. Second, data trading platforms are required to rigorously verify the origins of data and the identities of both parties involved in transactions. Failure to comply with these obligations could result in legal penalties directly tied to any illegal gains, marking a significant departure from previous fixed-amount fines.

 

II. Compliance Tasks Enterprises Can Start Preparing for Now

 

Under the Data Security Law, data security is defined as taking the necessary measures to ensure that data is effectively protected and lawfully used, together with having the capability to keep it in a continuously secure state. From this definition, it is clear that the Data Security Law requires enterprises to meet two key standards when fulfilling their data security protection obligations: first, the company must demonstrate its own management capabilities, proving it has the means to safeguard data security; and second, the focus must be on achieving outcomes, namely ensuring that data is both effectively protected and used in compliance with the law.

 

Based on these two key areas, we have carefully outlined the actionable tasks that companies can start preparing for at this stage, drawing from the clear set of systems and obligations stipulated under the Data Security Law. We’ve also identified internal management practices that businesses can develop and implement promptly. First, we recommend that companies make the most of the roughly three-month transition period before the law takes full effect, proactively conducting self-assessments, identifying areas for improvement, and promptly addressing any compliance gaps. Second, establishing robust management systems—and ensuring their strict enforcement—will not only help companies demonstrate their commitment to lawful operations and prudent management in the event of an inadvertent data security incident but also serve as solid internal evidence of compliance with regulatory requirements.

III. Matters to Be Clarified Through Supporting Legislation

 

In addition to the obligations and regulatory requirements already outlined, the Data Security Law includes several key areas that businesses should pay close attention to. Although current supporting legislative rules are still incomplete, making it impossible for companies to fully implement specific compliance measures at this stage, we still recommend that organizations start preparing in advance by closely monitoring the following legislative developments. Once the complementary regulations are released, businesses will be better equipped to smoothly adapt to the new, stringent regulatory environment.

 

1. Protection of Critical and Core Data

 

Article 21 of the Data Security Law stipulates that the national data security coordination mechanism will oversee and coordinate relevant departments in developing a catalog of critical data, thereby strengthening protection measures for such data. Data pertaining to national security, the lifeline of the national economy, essential public services, and significant public interests are classified as the nation's core data and will be subject to an even stricter management regime. All regions and departments are required to establish specific catalogs of important data within their respective jurisdictions and areas of responsibility—taking into account the region-specific and sector-specific data classification and grading system—and ensure that data listed in these catalogs receive prioritized protection.

 

Since the Cybersecurity Law came into effect, "critical data" has been a key focus across various industries—yet unfortunately, the concept and scope of critical data remained unclear until now. The Data Security Law has now introduced specific requirements for safeguarding critical data, mandating complementary rules to clarify these aspects. On one hand, it calls for central guidance to local authorities in refining the "Catalogue of Critical Data Protection," thereby defining precisely what constitutes critical data. On the other hand, it imposes comprehensive measures to ensure robust protection, such as designating dedicated data security officers and management bodies, conducting regular risk assessments—and promptly submitting risk assessment reports—as well as implementing stringent security controls for the cross-border transfer of critical data.

 

Enterprises are advised to continuously monitor the release of the important data protection catalogs and the criteria for defining core data. Once data controlled by the company falls under the categories of "important data" or "core data," the organization should promptly upgrade its current compliance management practices.

 

2. Cross-border Data Flows

 

As Chinese enterprises have surged onto the global stage in recent years, cross-border data flows have become a pressing demand in business practice—and also a key focus for national legislation and enforcement efforts. Currently, China’s regulations on cross-border data transfers remain largely at the level of general principles, with no specific, operational legal documents yet issued or enforced to provide practical guidance on how such flows should be managed.

 

While the Data Security Law clearly signals the nation's proactive stance on cross-border data flows—highlighting the country's commitment to actively engaging in international exchanges and cooperation in areas such as data security governance, data utilization, and development—it also underscores the importance of ensuring data security as a prerequisite for fostering secure and free cross-border data movement. Notably, the law explicitly emphasizes that the state will enforce export controls, in accordance with the law, on data classified as controlled items when such data is linked to safeguarding national security and interests or fulfilling international obligations. This clearly demonstrates that even critical data flows remain subject to stringent regulatory oversight.


Copyright 2025 Beijing Xinglai Law Firm
