Data Security Law

Data Security Law of the People's Republic of China

Abstract

The Data Security Law creates a tiered data classification system (core, important, general) with corresponding protection requirements. Cross-border transfers of ‘important data’ face restrictions and assessments. The state can access data for national security purposes, and organizations must cooperate with public security requests.

Summary

China’s Data Security Law of 2021 complements the Cybersecurity Law with comprehensive data governance. It establishes a classification system: ‘core data’ relating to national security receives the highest protection; ‘important data’ in regulated catalogs requires security assessments before cross-border transfer; ‘general data’ faces fewer restrictions. All data processing must serve China’s national security and development interests. Organizations must cooperate with government data requests and maintain security measures. The law has extraterritorial reach: activities outside China harming Chinese national security or citizens’ interests can be penalized. For international organizations, the Data Security Law complicates cross-border data flows—transferring data from China to headquarters may require government approval and security assessments.
