Aug 18, 2020 08:31 PM

Legal Experts Want New Data Security Bill Revamped

The top legislature has collected a total of 651 comments on the bill, including experts’ concerns about lack of judicial review, vague content and overlapping jurisdictions.
The top legislature has collected a total of 651 comments on the bill, including experts’ concerns about lack of judicial review, vague content and overlapping jurisdictions.

Legal experts have called for a revamp of China’s draft Data Security Law (DSL), the latest regulatory framework for the country’s fast-growing digital economy, as the top lawmaking body on Sunday finished soliciting public feedback.

The National People’s Congress (NPC) has collected a total of 651 comments, including experts’ concerns about lack of judicial review, vague content and overlapping jurisdictions, on the high-profile draft since it was issued on July 3 amid Beijing’s escalating tech conflicts with Washington.

According to Article 19 of the draft, the law empowers central government agencies, local governments, and industries to designate their own catalogs of important data for protection.

Article 22 also says the “state” – without elaboration on which authority it refers to – will establish national security review mechanisms to examine and have final say on data activities that may cause national security risks.

Yuan Zhijie, associate dean of Beijing Normal University’s Law School, told Caixin that allowing the government to judge all data activities by companies is obviously detrimental to improving the business environment, given that almost all big companies today are involved in such activity and their normal operations could be significantly impacted by the national security review decisions.

Wang Xizi, professor of administrative law at Peking University, also questioned the absence of judicial review in a DSL-related seminar on July 24. “It is not the case that the exercise of executive power is not subject to court review as long as it involves national security, according to our country’s existing legal practices … so why is it ruled out here?” Wang said.

Wang also pointed out that the subject of such a security review and the criteria to decide whether data activities affect national security are both unclear under the draft.

According to the NPC’s drafting instructions, DSL, as a cornerstone in China’s data-related laws and regulations, must link up with the existing Network Security Law and the proposed Personal Information Protection Law.

But Yuan was worried about whether the DSL could effectively frame China’s data governance landscape along with the two similar laws.

“The three kinds of security laws are by nature hard to separate. If they try to maintain both abstract security for legislative purposes and concrete security, I’m afraid they will fail to cover either of them completely in the end,” he said.

As the draft allows each region, each industry, and each department to designate their own catalog of important data for protection and to carry it out, experts are concerned that it might result in overlapping jurisdictions and inconsistent standards.

Xu Ke, executive director of the Internet Rule of Law Research Center at the University of International Business and Economics, told Caixin that devolving the catalog-designating power to local authorities will lead to legal circumvention in trans-regional data processing.

According to Xu, the inconsistent catalog will have two consequences: first, it will guide companies to concentrate their data in areas with the loosest regulatory rules; second, it will break the unified data market, resulting in the localization and fragmentation of data.

Yuan echoed Xu’s opinions that leaving the power to determine the data protection catalog to different sectors and regions will ultimately lead to a mess in the standards and treatment of data, despite its good starting point of providing personalized protection for data.

“How will those trans-regional and cross-industry companies meet the requirements?” Yuan asked.

To address the problem, Xu urged Beijing to provide both guidelines and detailed regulations for designating the catalog, and in the meantime allow local authorities to draft secondary standards for specific data.

Xu also called for a dispute resolution mechanism under which businesses affected by the security decisions will be given the right to administrative review by a higher-level authority in the case of possible wrong or unfair decisions made by local authorities.

Contact editor Joshua Dummer (

Download our app to receive breaking news alerts and read the news on the go.

You've accessed an article available only to subscribers
Share this article
Open WeChat and scan the QR code