China's new data security law, having undergone three reviews and amendments since 2020, has been passed by the NPC. It will come into effect on Sept 1 this year.

The law provides a legal framework for the country's fast-growing digital economy. At its core, it aims to strengthen the current data protection regime to prevent data leaks and the transfer of data that's considered "state core data".

Companies that transfer "core data" overseas without proper approval from the relevant authorities can face severe penalties of up to 10 million yuan and could be forced to shut down. There will also be penalties of up to five million yuan for transferring "important data" to foreign regulatory enforcement agencies without prior approval.

Whilst further clarity is still being sought on definitions such as "important data" and "state core data", which the authorities are likely to expand on in the coming months, companies should start reviewing and improving existing data protection schemes to ensure they comply with the law.

This is particularly important for companies that have large or frequent cross-border operations, as there's not much time left to prepare and to navigate an increasingly complicated regulatory environment.