Exclusive | China will in time use machines to execute Data Security Law, senior scientist with role in policymaking says

Identification of key data ‘cannot lean on human power forever’, scientist commissioned by Beijing to formulate data security policy says
Primary challenge is making sure standards of defining ‘key data’ are ‘scientific and rational’, Beijing-based data privacy lawyer says

Science

Dannie Peng

Published: 10:01pm, 12 Sep 2023

Why you can trust SCMP

China will gradually replace humans with machines in the implementation and execution of its Data Security Law, a senior scientist commissioned by Beijing to identify data critical to national security said.

The law, in effect since September 2021, is the country’s first legislation designed to regulate the processing and utilisation of data.

“China has always relied on manual judgment to discern important data from general data,” the core expert involved in formulating China’s data security policy told the Post. The university professor asked to remain anonymous as he is not authorised to speak to the media.

He said although government officials had talked about standards and specifications, ways to identify key data remained uncertain in practice.

“The premise of safeguarding key data is to firstly identify it, which definitely cannot lean on human power forever as the data volume to be dealt with is astronomical,” he said.

02:28

Beijing raids offices of consulting firm Capvision in widening crackdown over national security

This is about to change. Although he did not give details on how the process would be automated, the scientist stressed that the crux of the technology was to transform key data into objects that could be identified, registered, monitored, and reported by computers.

The accurate, comprehensive understanding of “key data” was to put it in the context of national security, he said. Key data is non-classified but likely to influence national security.

The concept of “key data” was first seen when China’s Cybersecurity Law took effect in 2017. Two critical new rules introduced then have had far-reaching implications for overseas companies operating in China.

First, companies considered critical information infrastructure operators must store data collected in mainland China locally; and second, these firms must also undergo a security assessment for approval to send any of that data overseas.

However, more detailed explanations regarding “key data” were not provided at the time.

China’s foreign investors concerned over tightening grip on national security

It has been formally laid down in the Data Security Law, but the concept still haunts foreign-funded companies and overseas-listed Chinese firms because of its vague definition and uneven local implementation.

In its annual white paper report released in June, the Japanese Chamber of Commerce and Industry in China urged Chinese authorities to provide further specific guidance on the implementation of laws and regulations related to cross-border data flow.

The chamber – representing more than 8,300 Japanese firms operating in China – said industries like information and communication, cars and aviation, as well as banking and finance, were most directly affected.

Companies in these sectors called on Beijing to promptly enact detailed enforcement guidelines, including clarifying the category of “key data” applied, the paper said.

In July, during a visit to the pilot free-trade zone in Shanghai, Chinese Premier Li Qiang emphasised that cross-border data flow and management were issues of great concern, and efforts should be made to explore a new managerial model.

In the financial sector, the People’s Bank of China recently called for greater state scrutiny of cross-border financial data, and the setting of clearer boundaries and accountability in the central bank’s own data-processing activities.

“China has become one of the world’s strictest regulators and entered the era of strong data compliance,” He Jingjing, a researcher at the Chinese Academy of Social Sciences told mainland news outlet Caixin last month, referring to the roll-out of the Cybersecurity, Data Security and Personal Information Protection laws in recent years.

The three laws place the onus on companies to adopt measures to secure their data, including training staff to classify, back up and encrypt important data.

Technology-based identification is expected to ease their burden, but experts said this was not the main concern.

“The primary challenge is to make sure standards of defining ‘key data’ are scientific and rational,” Beijing-based data privacy lawyer Xiong Dingzhong told the Post.

“Once the standards are clarified, whether the identification work is done by humans or machines doesn’t matter much.”

How China’s new data laws will make cross-border business much harder

Meanwhile, two documents – titled “Guidelines for identification of key data” and “Security requirements for processing of key data”- being drafted by authorities in Beijing to provide guidance are now nearing completion.

As for how data security related rules might affect research in areas seen as sensitive, such as nanotechnology or quantum physics, especially for projects involving international collaborations, many scientists said the influence would be relatively limited because scientific data was usually open for sharing.

“I am not concerned with such problems in my research,” a quantum communication professor in the southern city of Guangzhou said, but refused to elaborate because of the sensitivity of the issue.

“We have training on data processing and sharing regulations, and only declassified data can be used for international collaborations.”

The policymaking scientist said the laws were evolving with the times.

“International scientific collaboration is a type of normal activity, but in today’s context, it involves significant data transfer, and thus it’s imperative to ensure the safety of cross-border data.”