China looks to classify online data in draft security laws

Cyberspace Administration of China is seeking public opinions on draft regulations it just released that seek to classify, and secure, online data into three main categories based on their importance to national security, public interest, and business interests.
Written by Eileen Yu, Senior Contributing Editor

China has released draft regulations that seek to classify online data based on their importance to national security and public interest, amongst others. Data protection requirements then will be tied according to this classification. 

The Cyberspace Administration of China (CAC) on Sunday unveiled a set of laws that included a proposed data classification and security framework. It is seeking public feedback on the draft legislation through to December 13. 

The regulator said the proposed rules would better safeguard the legal rights of individuals and institutes as well as national security and public interests, reported state-owned newspaper Global Times

Under the draft regulation, data would be classified into three main categories--core, important, general--according to their impact and importance to national security, public interest, or legal rights and interests of individuals and organisations. 

Citing industry observers, the report noted that data from a military aircraft or airports would be classified as core data, while cargo transportation information at civil airports would be important data, and data on general flights would be considered general data. 

The proposed legislation, which comprised nine chapters, further detailed requirements on how data must be secured according to their classification. 

It also outlined how data collected inside China should be transferred overseas, including notifying the owners of such data with details about the recipients, such as their name and contact information as well as the purpose for the data transfer.

The draft law further stipulated that fines of up to 10 million yuan ($1.56 million) could be meted out, if rules governing the transfer of data to markets outside of China were breached. 

The use of biometric data, such as face, fingerprint, gait, and voice, also should not be used as the only means of personal identification, according to the draft legislation. This aimed to restrict efforts to compel individuals to provide their personal biometric data. 

The proposed law also stated the inclusion of data security incidents as part of the national cybersecurity incident emergency mechanism, which meant such measures should be activated and rolled out in a timely manner to mitigate potential damage and security risks.

In addition, organisations must not refuse to provide services or "hinder" normal services, should data owners choose not to consent to the collection of their personal information not deemed necessary for the provision of such services. 

IPOs in Hong Kong may require cybersecurity review

The draft regulation also would require organisations, which data-processing activities would or might influence national security, to undergo a cybersecurity assessment if they were looking to list in Hong Kong, reported South China Morning Post (SCMP). If passed, this could introduce another regulatory oversight for Chinese tech companies such as Bytedance and Didi Chuxing that might be considering an IPO in Hong Kong. 

The proposed laws did not detail criteria that would constitute as national security concerns, but listed a range of "important data" that might be considered as such, including unpublished government data, scientific research, data on genetics, and data on key sectors such as telecoms and energy, SCMP noted.

The legislation was designed to be implemented alongside China's other regulations that governed data use and collection, namely, the 2017 Cybersecurity Law as well as the Data Security law and Personal Information Protection Law (PIPL) that were passed this year. 

Passed in August, PIPL came into effect November 1, laying out ground rules around how data is collected, used, and stored. It applies to foreign organisations that process personal data overseas for the purpose of, amongst others, providing products and services to Chinese consumers as well as analysing the behaviours of Chinese consumers. They also will have to establish designated agencies or appoint representatives based in China to assume responsibility for matters related to the protection of personal data. 

PIPL encompasses a chapter that applies specifically to cross-border data transfers, stating that companies that need to move personal information out of China must first conduct "personal information protection impact assessments".

Violators that fail to comply with orders to rectify the breach will face fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000). For "serious" cases, Chinese authorities also can dish out fines of up to 50 million yuan ($7.5 million) or 5% of the company's annual turnover for the previous fiscal year. In addition, its business operations may be suspended or business permits and licences revoked. 


Editorial standards