On 10 June 2021, the Standing Committee of the National People’s Congress of the People's Republic of China officially passed the Data Security Law (数据安全法, "Data Security Law") which will come into effect on 1 September 2021. The Data Security Law comprises 55 Articles spread across seven Chapters, dealing with important issues such as Data Security and Development, Data Security Systems, Data Protection Obligations, and Security and Openness of Governmental Data.
Although the provisions of the Data Security Law are broad and expansive, it does address some issues which will have a substantial impact on data operators both within and outside of China. For example, Article 2 gives the Data Security Law extraterritorial powers, providing that legal liability would be pursued against data processing activities that take place outside China, if such activities would harm China's national security or public interests, or the lawful rights of its citizens and organisations; Article 33 delegates the data intermediaries as the frontline gatekeeper and requires them to request the data providers to explain the source of their data, verify the identity of the parties involved in the data trading, and maintain records of the review and transaction process.
The Data Security Law is just a prelude to the Chinese government's tightening of regulations on data security and protection. The recent investigation on DiDi, the largest ride-hailing company in China, by the Cyberspace Administration of China due to Didi's illegal collection of user data, clearly shows the Chinese government's determination and efforts to safeguard data security.
