The two draft laws have been released in China for public comment. The "Data Security Law" (DSL) will govern the handling of "important data" and the "Personal Information Protection Law" (PIPL) will regulate the processing of personal information.
In the age of global commerce, Chinese companies operating internationally need to comply with the laws and regulations in other jurisdictions. Sometimes these judicial matters or regulatory enquiries require companies to disclose certain information either to a regulatory bodies or to opposing party in a litigation. Navigating these local legal requirements governing data review and transfer has always required close collaboration between advisers, in-house and external counsel and the businesses themselves to work within state secrets law and personal data privacy. However, the release of the new draft laws will complicate data export further.
Certain provisions in the laws require that if "important data" stored in China is requested by a foreign judicial or regulatory agency companies must first obtain the approval of the Chinese authorities before exporting the data, or face potential penalties including large fines.
It is widely expected the new laws will be finalized soon. Companies should continue to evaluate a number of factors including existing data storage and handling practices and to seek counsel advice.