The state decides what data is 'important.' Once classified, it can demand access for national security — no appeal, no disclosure.
The Data Security Law (DSL) gives the Chinese state power to classify any dataset as 'important data' or 'core data' and compel its handover for national security purposes — with criminal penalties for refusal.
Enacted in September 2021, the DSL creates a tiered data classification system. 'Core data' (anything affecting national security, economic lifelines, or social stability) faces the strictest controls. 'Important data' requires security assessments before any cross-border transfer. The Cyberspace Administration of China (CAC) can demand access to any classified data. Companies cannot refuse. There is no independent judicial review.
The DSL works alongside two other laws: the Cybersecurity Law (2017) which requires network operators to store data in China and assist security agencies, and the Personal Information Protection Law (PIPL, 2021) which is China's GDPR equivalent but with massive state exemptions. Together, these three laws give the Chinese government complete legal authority over any data touching Chinese infrastructure.
Any company operating in China — or processing data of Chinese citizens — is subject to the DSL. This includes TikTok/ByteDance, WeChat/Tencent, Huawei, Xiaomi, DJI, Lenovo, and any Western company with Chinese operations. The 'national security' trigger is undefined and expandable. Data that was private yesterday can become state-accessible today with a classification change. There is no public register of what's been classified.
Didi (China's Uber) was fined 8 billion yuan ($1.2B) in 2022 after the CAC found it had illegally collected user data — but the trigger was Didi's US IPO, not user protection. The law is used to control data flows that embarrass the state. In 2021, the CAC banned several apps for 'excessive data collection' — selectively enforcing against companies that fell out of political favour. Full Truck Alliance and Kanzhun were investigated days after their US listings.
Since September 2022, any transfer of 'important data' overseas requires a CAC security assessment. This affects every multinational: if your China division holds data the state considers important, you cannot move it to your US or European headquarters without government approval. Apple stores Chinese iCloud data with state-owned Guizhou-Cloud Big Data (GCBD). Tesla built a dedicated Shanghai data centre after China flagged car cameras as a national security risk.