BEIJING — China has passed a new law that strengthens oversight of data collection within its borders, broadening authorities’ reach to include electric vehicles and factories in a move with repercussions for global enterprises.
The Data Security Law is China’s first comprehensive legislation governing the handling of digital data. The National People’s Congress standing committee approved the act on Thursday, with the law to take effect Sept. 1.
“It presents a problem if we cannot utilize the data collected inside China worldwide,” an executive at a global automaker with operations in China said.
China’s Cybersecurity Law, passed in 2017, banned the transfer of sensitive data outside the country’s borders. In contrast, the Data Security Law applies to a wide variety of data that slipped through the cracks of the previous act. The new law grants authorities greater oversight in collecting, safeguarding and transferring data.
At this stage, it is unclear which activities the Data Security Law outlaws. What is known, however, is that the fines will be steeper.
Compared with the draft bill revealed last July, the final legislation multiplies the minimum and maximum fines by a factor of between two and five. Violations harming Chinese sovereignty or national security will be subject to penalties of up to 10 million yuan ($1.56 million).
Offenders may also face criminal liability, apart from having their operating licenses revoked.
In addition, China will launch a screening process for determining the impact on data-transfer procedures and on national security. A national coordination mechanism integrating various data-security tasks, such as risk assessment and analyses, will be established under the new law.
The law covers data concerning critical sectors such as industrial production — relating to industrial robots and the internet of things — communications, transportation, finance, natural resources and health care. Because many foreign enterprises do business in China, there is mounting potential that data collected in the country could be transferred across the border.
The lack of clarity on what constitutes a violation means operators will need to be more circumspect in how they manage data.
Specifically, the new law will monitor transportation data, a category that had not been included in the original draft legislation. It appears this plank targets data collected by electric vehicles, as well as data tied to self-driving technology.
Tesla has been suspected by Chinese authorities of cross-border transfers of data gathered by its electric-vehicle cameras and sensors. EV driving data is already required to be turned over to authorities, but now image data will be subject to regulation.
On Weibo, China’s microblogging platform, Tesla has pledged to strictly abide by the Data Security Law and safeguard the interests of consumers.
Meanwhile, China also authorized a new pathway for retaliatory measures following friction with the U.S. and Europe. If a foreign government introduces provisions discriminating against China in terms of data investment and transfers, then Beijing will be empowered to reciprocate.
The scope of the new law is limited to data activity in Chinese territory. However, offshore data processing that is deemed to harm either China’s national security or the public interest will be pursued for legal accountability in accordance with the law.
China has started work on draft legislation on a personal data safeguarding act. Those rules will form the third leg of the country’s expansive controls on digital information.