If your company operates in China or does business with Chinese entities, you should pay attention to a law that came into effect on September 1, 2021. The law is the Data Security Law (DSL), and it regulates how data is collected, processed, stored, used, and transferred in China. Sounds harmless, right? Well, not quite. The DSL has severe implications for U.S. industries operating in China or with business dealings with Chinese entities, especially those involving sensitive data or technologies.

What is the DSL?

The DSL is a comprehensive law whose stated purposes are to safeguard China’s data security and sovereignty, promote data development and utilization, and protect the lawful rights and interests of individuals and organizations. It applies to all data activities within China’s territory, and it also reaches data activities outside China that harm China’s national security, public interest, or the lawful rights and interests of Chinese citizens and organizations (Article 2).

The DSL introduces a classified and graded data protection system (Article 21) that ranks data by its importance to economic and social development and by the harm that tampering, destruction, leakage, or unlawful use would cause, and it imposes additional obligations and restrictions on data handlers according to the tier. The law names two regulated tiers: “important data,” and a stricter subset called “national core data” for data bearing on national security, the lifelines of the economy, people’s livelihoods, and major public interests. Sector regulators are to publish catalogues of what counts as important data in their fields. Personal information is regulated separately by the Personal Information Protection Law (PIPL), which took effect on November 1, 2021, so a company handling both kinds of data has to satisfy both laws. On data localization, the DSL defers to the Cybersecurity Law for important data generated in China by critical information infrastructure operators, which must be stored in China, and it directs the Cyberspace Administration of China to issue outbound-transfer rules for important data held by other handlers (Article 31); in practice, a handler should expect to need regulator approval before such data leaves the country. Data handlers must also establish a data security management system, train staff, and take technical protection measures (Article 27); the law does not enumerate the measures, but encryption, anonymization, backup, and audit logging are the controls regulators expect. When a security incident occurs, handlers must take remedial measures, notify affected users, and report to the authorities (Article 29).

The DSL also grants broad powers to Chinese authorities. Public security and national security organs may require data from data handlers for national security or criminal investigation purposes, and handlers must cooperate (Article 35). Violations are backed by administrative penalties including fines, confiscation of illegal gains, suspension of business, and revocation of business licenses, and by criminal liability where a violation constitutes a crime (Articles 45 to 48). In the other direction, organizations and individuals in China may not provide data stored in China to foreign judicial or law enforcement bodies without approval from the competent Chinese authority (Article 36).

How does the DSL impact U.S. industry?

The DSL poses significant challenges and risks for U.S. industries operating in China or dealing with Chinese entities, especially where sensitive data or technologies are involved. Because the law gives Chinese authorities a legal route to data held in China, it could expose U.S. industry to compelled disclosure, and through that to theft, manipulation, espionage, sabotage, or coercion by actors who could use the data for economic or military advantage or to undermine U.S. national security and interests.

Some of the scenarios that U.S. industry could face under the DSL are:

  • Data Localization: U.S. industries that collect or generate important data in China, such as data related to defense, aerospace, energy, or biotechnology, would have to store the data within China and obtain approval from the relevant authorities before transferring it overseas. This limits the ability of U.S. industry to access, use, or share the data with their U.S. counterparts or partners, and a copy that must live in China is exposed to access by Chinese authorities or third parties. Note that replicas and backups count as storage: an offshore disaster-recovery copy of China-generated important data is an unapproved transfer.
  • Data Protection: U.S. industry that handles personal information, trade secrets, or intellectual property in China would have to implement data security measures, such as encryption, anonymization, backup, and audit logging, and report data security incidents to the authorities and to affected users; personal information additionally falls under the PIPL. This increases the cost and complexity of data management and compliance for U.S. industry, and incident reporting itself puts the affected data and systems in front of Chinese authorities.
  • Data Compliance: U.S. industry that stores data in or transits data through China must comply with data security standards, guidelines, and best practices issued by Chinese authorities and perform regular data security assessments and audits. This can conflict with U.S. data security laws and regulations, such as the Federal Information Security Modernization Act (FISMA), NIST frameworks such as the Cybersecurity Framework and SP 800-171, or the Defense Federal Acquisition Regulation Supplement (DFARS). A particularly sharp conflict is Article 36: a U.S. court order or subpoena for data stored in China cannot be satisfied without Chinese approval, so a company can be in breach of one jurisdiction’s law by complying with the other’s. This also subjects U.S. industry to additional regulatory burdens and liabilities in China.
  • Data Cooperation: U.S. industries that operate in China or have business dealings with Chinese entities would have to cooperate with Chinese authorities in data security investigations and inspections and provide data access and assistance when requested (Article 35). This can compromise the data’s confidentiality, integrity, or availability and expose U.S. industry to legal or ethical dilemmas, such as whether to comply with Chinese requests or protect U.S. interests.

What can U.S. industry do to mitigate the risks and challenges posed by DSL?

The DSL is a complex and evolving law, with implementing rules and sector catalogues still being issued, and it requires U.S. industry to be vigilant and proactive in protecting their data security and privacy in China. Some of the recommendations and best practices that U.S. industry can follow to mitigate the risks and challenges posed by the DSL are:

  • Review and update data security policies and procedures to align with the DSL requirements and expectations.
  • Conduct data mapping and inventory to identify and classify data according to the DSL tiers (general, important, and national core), recording where each dataset is generated, where every copy including backups is stored, and where it flows; this is also what lets you segregate China-generated data from global systems.
  • Implement data security controls and safeguards, such as encryption, anonymization, backup, and audit logging, to protect data from unauthorized access, disclosure, or loss.
  • Seek legal advice and guidance from experts and authorities on China’s data security compliance and cooperation issues, including how to respond to a Chinese authority’s data request and to a foreign court’s request for data held in China.
  • Avoid or minimize data transfers to or from China, especially for important or core data, and obtain approval from the relevant authorities before making any transfer that is genuinely needed.
  • Report any data security incidents or breaches to the authorities and stakeholders as soon as possible.
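As an added example (this is not code from the article or from any regulator), here is a Python check that turns the inventory, localization, export-approval, and protection items from the list above into an automated review of a data inventory. The `Dataset` fields, the tier names as used here, and the sample records are assumptions for illustration; assigning a dataset to the important or core tier is a judgement you make against the published catalogues, and the script only enforces the consequences of a tier you have already assigned.

```python
"""Check a data inventory against DSL localization, export-approval and
protection obligations. Added example; the inventory format, field names and
sample records are constructed for illustration, not taken from the DSL text."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Tiers follow the DSL's graded system (general / important / national core).
# Which datasets are "important" or "core" is decided against the sector
# catalogues; this script only enforces the consequences of an assigned tier.
REGULATED_TIERS = {"important", "core"}


@dataclass
class Dataset:
    name: str
    tier: str                      # "general", "important" or "core"
    origin_region: str             # where the data is collected or generated, e.g. "CN"
    storage_regions: List[str]     # every region holding a copy, including backups
    export_targets: List[str] = field(default_factory=list)  # regions it is sent to
    export_approval: str = ""      # reference to the regulator approval, "" if none
    encrypted_at_rest: bool = False


Finding = Tuple[str, str, str]     # (dataset name, control, explanation)


def assess(inventory: List[Dataset]) -> List[Finding]:
    """Return one finding per control that a China-origin regulated dataset fails."""
    findings: List[Finding] = []
    for ds in inventory:
        # Localization and outbound-transfer rules attach to data collected or
        # generated within China; data originating elsewhere is out of scope here.
        if ds.origin_region != "CN" or ds.tier not in REGULATED_TIERS:
            continue
        # Any copy outside China, including a backup, is a localization failure.
        offshore = sorted(r for r in ds.storage_regions if r != "CN")
        if offshore:
            findings.append((ds.name, "LOCALIZATION",
                             f"{ds.tier} data stored outside China in {', '.join(offshore)}"))
        # A transfer out of China needs a recorded regulator approval reference.
        if ds.export_targets and not ds.export_approval:
            findings.append((ds.name, "EXPORT_APPROVAL",
                             f"transfer to {', '.join(ds.export_targets)} has no recorded approval"))
        # Technical protection measure we choose to require for regulated tiers.
        if not ds.encrypted_at_rest:
            findings.append((ds.name, "ENCRYPTION",
                             "no encryption at rest recorded for regulated data"))
    return findings


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    # Important data with a US replica, an unapproved export and no encryption.
    Dataset("cn-plant-telemetry", "important", "CN", ["CN", "US"], ["US"]),
    # Core data kept in China, exported under a recorded approval, encrypted.
    Dataset("cn-geo-survey", "core", "CN", ["CN"], ["US"], "CAC-assessment-ref", True),
    # General tier, so no DSL finding here; personal information in it would
    # still fall under the PIPL, which this check does not model.
    Dataset("cn-office-hr", "general", "CN", ["CN", "US"], ["US"]),
    # Generated outside China, so the DSL localization rules do not apply.
    Dataset("us-sales", "important", "US", ["US"]),
]

if __name__ == "__main__":
    for name, control, why in assess(SAMPLE_INVENTORY):
        print(f"{name}: {control}: {why}")
```

Run against the sample inventory, only cn-plant-telemetry produces findings, one for each of the three controls; the same dataset with the US replica removed, an approval reference recorded, and encryption enabled produces none. Feeding this a real inventory means exporting your data catalogue into the `Dataset` shape and, for each record, being honest about where the backups live.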

The DSL is a new law with significant implications for U.S. industries operating in China or dealing with Chinese entities. It could expose U.S. industry to data security threats and challenges that harm their interests and reputation, and it could jeopardize U.S. national security. U.S. industry should be aware of the DSL and its impact and take appropriate measures to protect their data security and privacy in China.


Shane McNeil has a diverse career in the US Intelligence Community, serving in various roles in the military, as a contractor, and as a government civilian. His background includes several combat deployments and service in the Defense Intelligence Agency (DIA), where he applied his skills in assignments such as Counterintelligence Agent, Analyst, and a senior instructor for the Joint Counterintelligence Training Activity. He is a Pat Roberts Intelligence Scholar and has a Master of Arts in Forensic Psychology from the University of North Dakota. He is currently pursuing a Doctor of Philosophy degree in National Security Policy at Liberty University, studying the transformative impacts of ubiquitous technology on national defense. All articles written by Mr. McNeil are done in his personal capacity. The opinions expressed in this article are the author’s own and do not reflect the view of the Department of Defense, the Defense Intelligence Agency, or the United States government.