China has been active lately in passing several new laws and regulations relating to data privacy and security. Two recent measures focus in particular on those handling data that bears on national security and/or the public interest: Critical Information Infrastructure and Important Data.
China passed the Data Security Law (DSL). The key focus of the DSL is the protection and security of critical data relating to national security and the public interest. The most significant element of the law is the so-called data classification system whereby the government will classify different types of data based on its level of importance and then publish a protection/security standard for each class of data.
The DSL also sets out certain general security obligations for data processors at large. Because the law is broad in nature, the immediate impact on companies may be limited; implementing guidelines and standards are expected to follow.
The DSL will have more impact on companies that possess data relating to national security and the public interest, including those with a large volume of personal data, critical infrastructure and critical industries such as finance, medicine and key technologies. Each company needs to evaluate the type of data it processes and work with legal counsel to determine the level of requirements applicable to it.
China has released the Security Protection Regulations on Critical Information Infrastructure (CII Regulation). The CII Regulation is an implementing rule of the Cybersecurity Law (CSL). It applies only to Critical Information Infrastructure (CII), which refers to the network and IT systems that are critical to national security and the public interest, but it may also have implications for companies that supply or service such networks and systems.
Operators of CII are subject to much stricter rules in terms of data security and cross-border data transfer. Compared with CSL, the CII Regulation does not introduce any material new development in this regard. There are no rules or public guidelines as to what network or IT systems are viewed as CII. The relevant government authority is supposed to evaluate and make decisions on a case-by-case basis, and a company, if determined to be a CII operator, will be informed of such a decision.
Nevertheless, companies would do well to conduct a self-evaluation from the following two perspectives: (1) the nature of their businesses and the type of data they process, to evaluate the risk of being deemed a CII operator, and (2) whether any of their customers may be deemed a CII operator, since procurement by CII operators may be subject to a security assessment.
As reported by OpenGov Asia, China has also passed regulations on cybersecurity. Measures including monitoring, defence, and proper handling of cybersecurity risks and threats from both home and overseas will be carried out to ensure that relevant facilities are protected from attacks, intrusions, interference and sabotage. The regulation comes as the country's major IT infrastructure faces severe security challenges, including frequent cyberattacks.
The regulation also calls on operators of major IT infrastructure projects to bear primary responsibility for maintaining the integrity, confidentiality and availability of relevant data. Requirements for these operators include conducting security checks and risk assessments every year and prioritising safe and credible internet products and services in procurement.
An academician with the Chinese Academy of Engineering believes that the latest moves highlight strengthened governance in cyberspace. He stressed, however, that regulation does not mean discarding development; it is about attaching equal importance to both sides. In his view, strengthened governance will provide a healthier environment for the development of the internet sector, while calling for greater emphasis on national security and the protection of users' rights in the process.