China’s cybersecurity watchdog, the China Cyberspace Administration, has released a set of draft regulations to protect the security of the nation’s Internet data.
In this context, China seems to be trying to divide data into three categories: common, critical, and core, depending on its importance to national security, public interest, and personal privacy.
It states that “the state will focus on personal and critical data and strictly protect core data” and that local departments will be responsible for classifying local data into the required categories.
The proposed rule runs for many pages, but many of the exact details are unclear, such as what constitutes a national security concern. According to the commentary, a wide range of “critical data,” from unpublished government information to economic data, could be considered a national security concern.
The new regulation “applies to the supervision and management of data processing activities and network data security within the territory of the People’s Republic of China,” the draft says, and applies to individuals and organizations outside China that provide “products or services in China.
Companies that analyze or evaluate the behavior of individuals or organizations in China, or are involved in the processing of critical data in the country, will be bound by the new regulations, the draft says.
This means that foreign companies such as Google, Meta, and Twitter will have to comply with the new rules even if they do not have operations in China.
The regulation also addresses cybersecurity, for example, data processors will be required to establish a data security emergency response mechanism, which will be triggered in the event of a breach.
“Data processors must notify the Security Incident Team of any security incident that results in damage to an individual or organization and must ensure that corrective action is taken within three business days.
If a security incident is suspected of being a crime, the data processor must report it to the public safety authorities in accordance with regulations.
Also, in the case of a major information breach involving critical data or the personal information of more than 100,000 people, data processors are required to report the incident to the municipal authorities within eight hours of discovery and submit a report on the cause, consequences and remedial measures to the local network department within five working days.
This new rule will be open for public comment until December 13, 2021.