China considers hierarchical data classification management and protection system

China plans to establish a hierarchical data classification management and protection system in accordance with a draft data security regulation released by China’s cyberspace regulators on Sunday.

Industry watchers see it as a long-awaited regulation to better enable the transfer of data in a secure manner, protecting the legal rights of individuals and institutes, and preserving national security.

The Chinese Cyberspace Administration (CAC) issued a notice seeking public opinion on the proposed Data Security Management Regulations, with the aim of better regulating data processing activities, protecting the legal rights of persons and institutes, and safeguarding national security and public interests.

One of the highlights is that China will establish a hierarchical data classification management and protection system.

The regulation stipulates that data is classified into three categories – general, important and essential – according to their degree of impact and importance to national security, public interests or the rights and legitimate interests of individuals or organizations.

The regulation, consisting of nine chapters, is a list of detailed rules to better implement the data protection requirements stipulated by the law on the protection of personal information, the law on cybersecurity and the law on data security, Xie Yongjiang, executive director of the Internet management and legislative research center at Beijing Post and Telecommunications University, told the Global Times on Sunday.

The heart of the regulation is that it standardizes how data can be processed and transferred nationally and across borders, clarifying the behaviors of data processors, platform providers and the responsibilities of cyberspace administrators, Xie said.

The heart of cybersecurity is data security, which attaches great importance to national security, public interests and personal legal rights. The publication of the draft regulations makes China’s data protection legal system a “practical” and “enforceable” action, said Qin An, head of the Beijing-based Chinese Cyberspace Strategy Institute.

“The draft regulations not only guarantee data mobility as a key production factor, but also protect their security,” Qin said.

Qin gave an example to illustrate the differences between general data, important data and basic data – military aircraft or airport data is basic data, cargo transport in civilian airports is important data, while general flight information is general data.

Discussions on establishing a hierarchical data classification protection and management system have been going on for many years in China. Global Times on Sunday. Liu believes that the basic data may include map data of villages and towns across the country, such as the geographic location of hotspots.

Meanwhile, the regulation details how data collected inside the country will be transferred to overseas regions. Data users who provide personal information collected in China to foreign recipients should inform data owners of the name, contact details and purpose of the recipients.

According to the regulations, data users can be fined up to 10 million yuan ($1.56 million) for violating the stipulations regarding the provision of data to regions outside of China.

Liu said this regulation is aimed at better regulating the collection of data from domestic consumers. “Data centers run by domestic companies that do not involve domestic users may still be allowed to be outside of mainland China,” Liu said.

Experts said that the publication of the regulations, similar to traffic rules, will not affect the normal functioning of Internet companies, as many companies have already established general classifications on data protection. With the future launch of the new regulations, their classifications will have to match the national ones, which will make the industry more professional and orderly.

The draft also proposed that risk assessments be carried out if data users wish to use biometrics for personal identity authentication. Biometric characteristics such as face, gait, fingerprints, iris and voiceprints should not be used as the only means of personal identification to compel individuals to consent to the collection of their personal biometric information.

In addition, the regulation stipulates that data security incidents will be included in the national emergency mechanism in the event of a cybersecurity incident. When a data security incident occurs, the emergency response mechanism must be activated in a timely manner and measures must be taken to prevent the expansion of hazards and eliminate potential security risks.

The draft will be open to public suggestions until December 13. In June, China had 1.011 billion Internet users, with 4.22 million websites and 3.02 million applications.