China’s Data Security Law (DSL), which came into effect on 1 September 2021, is a central pillar of the country’s data governance framework, working alongside the Cybersecurity Law (CSL) and Personal Information Protection Law (PIPL). For foreign companies operating in or with ties to China, understanding the DSL is critical – not only for compliance, but for mitigating risk and maintaining market access.
This article unpacks the core provisions of the DSL, examines its implications for international businesses, and outlines practical compliance strategies.
Key Objectives of the DSL
The DSL is designed to:
- Protect national data sovereignty
- Safeguard economic and social stability
- Prevent misuse or leakage of sensitive or important data
Unlike the PIPL (which focuses on personal data), the DSL primarily regulates non-personal data, including industrial, economic, scientific, and technological information – especially when it’s deemed “important” or “core” to national interests.
Core Concepts and Definitions
- Data Categorisation: Data is classified into three categories: ordinary, important, and core. The latter two categories are subject to heightened controls, including storage and export restrictions.
- Data Processing Activities: The DSL regulates the collection, storage, use, processing, transmission, and disclosure of data.
- Territorial Scope: The law applies not only to entities operating within China, but potentially to foreign organisations if their data processing harms China’s national security or public interest.
Obligations for Businesses
Foreign companies and joint ventures operating in China should be aware of several key obligations:
1. Data Risk Assessment and Classification
Businesses must categorise data they handle and assess risks based on the importance and sensitivity of that data.
2. Establishing Data Security Mechanisms
Organisations are required to establish internal management systems, technical safeguards, and emergency response plans for data security incidents.
3. Cross-Border Data Transfer Controls
Important and core data may be subject to governmental review before being transferred outside China. This applies to both cloud-based transfers and physical exports.
4. Data Export Reviews
Companies may need to undergo security assessments by Chinese authorities prior to exporting certain types of data – especially if considered important or generated in critical industries.
5. Mandatory Cooperation
Entities must cooperate with government investigations into data security breaches, which could include turning over internal records or suspending certain operations.
Penalties for Non-Compliance
Violations can lead to:
- Fines of up to ¥10 million (approx. USD 1.4 million)
- Suspension or revocation of business licenses
- Blacklisting from public procurement or access to financial support
- Civil or criminal liability in serious cases
Practical Compliance Tips
Foreign companies can adopt the following measures:
- Conduct a full data inventory and identify what qualifies as “important” or “core” data under DSL definitions.
- Localise data where required, using onshore servers or hybrid infrastructure.
- Train staff on DSL obligations and breach response protocols.
- Coordinate with legal and IT departments to establish data lifecycle controls.
- Monitor regulatory updates, as sector-specific rules (especially in finance, energy, or tech) are frequently revised.
How It Interacts with the PIPL and CSL
While the CSL governs network and infrastructure security and the PIPL focuses on personal information, the DSL bridges the gap by targeting non-personal, strategic, and industrial data. Companies must ensure that all three frameworks are harmonised in their compliance strategies.
Final Thoughts
China’s Data Security Law signals a more assertive stance on digital sovereignty and regulatory enforcement. For foreign companies navigating this evolving environment, proactive compliance is not just about avoiding penalties – it’s a strategic imperative for long-term success in the Chinese market.
Legal teams, IT departments, and executive leadership must work together to develop comprehensive data governance policies tailored to China’s regulatory expectations.