There’s a new data privacy regulation coming. On November 1, 2021, China’s new Data Security Law 2021 goes into effect. The law will dictate how data associated with Chinese citizens is to be collected, processed, protected and managed.
As with any new regulation, some details may remain ambiguous until they are tested in the courts and precedents are set, but a few items associated with the law bear noting. First, personal liability will be assigned to the individuals responsible for violations. Corporations that suffer a data breach won’t be able to simply pay a fine and let their insurance policy bear the brunt. Executives will be on the hook as well.
Provisions for Processing Personal Data
According to a recent Bank Info Security article on Data Security Law 2021, organizations can only process the personal information of Chinese citizens if:
- The individual whose information is being processed has consented;
- There exists a prior contract involving the individual, which warrants the processing of his/her information or for purposes of human resource management;
- Information processing is necessary for statutory obligations;
- For public health emergencies or threats to life and property;
- For purposes of news reporting or public interest; or,
- Information is processed within a reasonable scope as defined by the law.
There is also a lot in the law that addresses cross-border data transfer, which is something Coviant Software pays close attention to, since our Diplomat MFT managed file transfer products help manage that important process of maintaining compliance. According to Bank Info Security, Article 38 of Data Security Law 2021 stipulates that organizations transferring personal information of Chinese citizens outside the territory of the People’s Republic of China should meet at least one of four conditions:
- A prior security assessment has been carried out by China’s cyberspace administration;
- A personal information protection certificate has been issued by a specialized institution as defined by the national cyberspace administration;
- A contract formulated by the national cyberspace administration around rights and obligations has been signed by the overseas recipient; or,
- The administrative regulations have been defined by the national cyberspace administration.
Meet the New Law; Same as the Old Law
In some ways, Data Security Law 2021 functions much like Europe’s General Data Protection Regulation (GDPR) in how the law requires data be managed, as well as the fines imposed for non-compliance. Egregious violations may cost more than $7.7 million, or 5% of the previous year’s operating revenue—whichever is higher. The business may also have operating privileges suspended in China. Individuals found responsible may be penalized with fines of more than $15,000.
Noted privacy expert Jay Cline told Bank Info Security that, “If the fining structure embedded in [law] doesn’t get the board’s attention, its personal liability for their executive teams should.”
Whether you are doing business in China and need to bring your data management and security processes in line with the upcoming regulation, or merely want to invest in a secure, automated managed file transfer product that can make life easier for you, get in touch. Coviant Software can help. Getting started is as easy as downloading a free trial version of our software.