China's data security law

Together with the Cybersecurity Law and the forthcoming Personal Information Protection Law (PIPL), the DSL will provide a framework of obligations for parties that process data – to include the collection, storage, use, processing, transmission, provision, and disclosure of data – even if that party does not have an office in China.  Under the DSL, parties that process data can be subject to a wide range of obligations, including conducting internal data security management, monitoring, and risk assessment of data processing activities, and complying with approval processes and requirements from Chinese authorities.  The DSL calls for the promulgation of administrative measures providing detailed guidance on some of these obligations.

Obligations will vary depending on each company’s circumstances.  Interested parties should consult with local experts to assess actions required for compliance with the DSL.  

Previous market intelligence related to earlier drafts of the DSL can be found here and here.   For more information, please contact Office.Beijing@trade.gov.