China Strengthens Protection of State Secrets as Revised Law Takes Effect
China Strengthens Protection of State Secrets as Revised Law Takes Effect
China’s amended Law on Guarding State Secrets (“SSL”) took effect on May 1, 2024. This amendment is part of a broader legislative push to enhance national security and data protection, aligning with other recent laws such as the Data Security Law (“DSL”), the Counterespionage Law, and the amended National Security Law.
The SSL amendments primarily impact PRC government agencies as well as enterprises that have access to state secrets (collectively “Regulated Entities”). However, multinational companies (“MNCs”) that may encounter state secrets or other sensitive information in their interactions with Regulated Entities also need to think about the requirements of the SSL, the DSL, and other legislation when handling China-based data, both in routine operations and when conducting due diligence and internal investigations.
This client alert provides an overview of the key changes introduced by the amended SSL and outlines best practices for MNCs operating in China.
Classification and Declassification. The amended SSL provides clearer guidelines and procedures for classifying and declassifying state secrets, and labelling documents to highlight the sensitivity of the information.
Digital Information and Cybersecurity. The amendments modernize the SSL by including electronic files among the types of media that can contain state secrets. They also impose specific duties on internet companies to manage user-generated information and delete information in cases of suspected breaches.
Institutional Changes. Regulated Entities are now required to set up dedicated bodies or designate specific personnel responsible for secrecy work. The SSL also now requires both local governments and Regulated Entities to allocate funds for state secret protection within their budgets.
Decentralization of Authority to Define State Secrets. Central government authorities may delegate to lower-level authorities the authority to define what constitutes a state secret in limited circumstances, such as when the urgency of a situation requires it.
Export Controls. The amendment provides for a new mechanism for overseeing the export of state secrets to overseas parties. Implementing regulations can be expected in due course, potentially adopting the framework already governing exports of data governed by the DSL.
Regulation of Data Aggregation. A new provision requires Regulated Entities to adopt security measures in its handling of data that might constitute state secrets where aggregated or connected with other data.
For MNCs operating in China, the SSL amendment further underscores the growing need to have robust data handling policies and practices to mitigate regulatory risk. Data generated or acquired through business operations or used in due diligence and internal investigations may fall within either the scope of state secrets or work secrets under the SSL or so-called “important data” under the DSL. Risks of this are higher with data related to government agencies, SOEs, and sensitive sectors.
An MNC’s data handling policies and practices can be tailored, taking into account the nature of their business in China. Those that interact with Regulated Entities, or for other reasons, are more likely to receive sensitive information through their business operations; the following strategies could be adopted:
As further explained in the Terms / Notices linked below, the information provided herein is not legal advice. Any information concerning the People’s Republic of China (PRC) is not an opinion on, determination on, or certification of the application of PRC law. We are not licensed to practice PRC law.